#14911 closed bug (fixed)
[VM] Block userland from mmap'ing the first page (NULL to B_PAGE_SIZE)
| Reported by: | waddlesplash | Owned by: | waddlesplash |
|---|---|---|---|
| Priority: | normal | Milestone: | R1/beta2 |
| Component: | System/Kernel | Version: | R1/Development |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Platform: | All |
Description
This is for security reasons, as then if the kernel tries to dereference NULL, it will always cause a page fault, instead of being potentially exploitable by a malicious application.
The only possible concern is BeOS compatibility. Did any applications do this intentionally? Do we care?
Attachments (1)
Change History (9)
comment:1 by , 6 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 6 years ago
comment:3 by , 6 years ago
See comment and definition of USER_BASE_ANY here: https://git.haiku-os.org/haiku/tree/headers/private/kernel/arch/x86/arch_kernel.h#n48
comment:4 by , 6 years ago
Added a test program (reported at https://twitter.com/jensensec/status/1097713585495728128) showing that 0x0 can be mapped.
Looks like the problem is here: http://xref.plausible.coop/source/xref/haiku/src/system/kernel/vm/VMUserAddressSpace.cpp#765 -- other functions in that file obey USER_BASE_ANY, this one ignores it.
Actually this looks like it was previously intentional: http://xref.plausible.coop/source/xref/haiku/headers/private/kernel/arch/x86/arch_kernel.h#83 ("Furthermore no areas are placed in the lower 1Mb unless the application explicitly requests it to find null pointer references.")
So, we would have to update USER_BASE to get the wanted behavior. I think Linux et al. do the same, so, that shouldn't be an issue, I guess?
comment:5 by , 6 years ago
Aha, seems this was introduced with VM86 mode: https://github.com/haiku/haiku/commit/7cbf8fdd5a22f56b50ce28270e0f867401dd6c0f
And VM86 mode was killed off in 2012, probably as part of x86_64 work: https://github.com/haiku/haiku/commit/74bda98cb236130b1d4f84795f7fafd5c8e540a9
So, we can safely remove this distinction now.
comment:6 by , 6 years ago
Yes, VM86 was removed because it isn't available on x86_64, so we now run the VESA BIOS in an emulated x86 CPU. This has the additionnal advantage of being possible also on other architectures, making it possible to use standard PCI graphics card on non-x86 devices.
We can remove B_USER_BASE_ANY and revert to a single, simpler, B_USER_BASE. Yay!
comment:7 by , 6 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed in hrev52905. I kept USER_BASE_ANY because it might still be a useful distinction on some architectures, but for now it's just defined to USER_BASE on x86.
comment:8 by , 5 years ago
| Milestone: | Unscheduled → R1/beta2 |
|---|
Assign tickets with status=closed and resolution=fixed within the R1/beta2 development window to the R1/beta2 Milestone
Is this even possible currently? I thought our userspace already reserved the first 1MB of RAM and did not allow mapping anything there.