Module Name: src
Committed By: maxv
Date: Sat Aug 6 15:13:14 UTC 2016
Modified Files:
src/sys/compat/linux32/common: linux32_exec_elf32.c
src/sys/compat/netbsd32: netbsd32_exec_aout.c netbsd32_exec_elf32.c
src/sys/kern: kern_exec.c
src/sys/sys: exec.h
src/sys/uvm: uvm_map.c
Log Message:
The way the kernel tries to prevent a userland process from allocating page
zero is hugely flawed. It is easy to demonstrate that one can trick UVM
into chosing a NULL hint after the user_va0_disable check from uvm_map.
Such a bypass allows kernel NULL pointer dereferences to be exploitable on
architectures with a shared userland<->kernel VA, like amd64.
Fix this by increasing the limit of the vm space made available for
userland processes. This way, UVM will never chose a NULL hint, since it
would be outside of the vm space.
The user_va0_disable sysctl still controls this feature.
To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/sys/compat/linux32/common/linux32_exec_elf32.c
cvs rdiff -u -r1.29 -r1.30 src/sys/compat/netbsd32/netbsd32_exec_aout.c
cvs rdiff -u -r1.39 -r1.40 src/sys/compat/netbsd32/netbsd32_exec_elf32.c
cvs rdiff -u -r1.435 -r1.436 src/sys/kern/kern_exec.c
cvs rdiff -u -r1.150 -r1.151 src/sys/sys/exec.h
cvs rdiff -u -r1.340 -r1.341 src/sys/uvm/uvm_map.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.