Opened 17 months ago

Closed 17 months ago

Last modified 3 months ago

#14911 closed bug (fixed)

[VM] Block userland from mmap'ing the first page (NULL to B_PAGE_SIZE)

Reported by: waddlesplash Owned by: waddlesplash
Priority: normal Milestone: R1/beta2
Component: System/Kernel Version: R1/Development
Keywords: Cc:
Blocked By: Blocking:
Platform: All


This is for security reasons, as then if the kernel tries to dereference NULL, it will always cause a page fault, instead of being potentially exploitable by a malicious application.

The only possible concern is BeOS compatibility. Did any applications do this intentionally? Do we care?

Attachments (1)

mmap.c (310 bytes ) - added by waddlesplash 17 months ago.
test program showing 0x0 can be mapped

Download all attachments as: .zip

Change History (9)

comment:1 by waddlesplash, 17 months ago

Owner: changed from nobody to waddlesplash
Status: newassigned

comment:2 by pulkomandy, 17 months ago

Is this even possible currently? I thought our userspace already reserved the first 1MB of RAM and did not allow mapping anything there.

by waddlesplash, 17 months ago

Attachment: mmap.c added

test program showing 0x0 can be mapped

comment:4 by waddlesplash, 17 months ago

Added a test program (reported at showing that 0x0 can be mapped.

Looks like the problem is here: -- other functions in that file obey USER_BASE_ANY, this one ignores it.

Actually this looks like it was previously intentional: ("Furthermore no areas are placed in the lower 1Mb unless the application explicitly requests it to find null pointer references.")

So, we would have to update USER_BASE to get the wanted behavior. I think Linux et al. do the same, so, that shouldn't be an issue, I guess?

comment:5 by waddlesplash, 17 months ago

Aha, seems this was introduced with VM86 mode:

And VM86 mode was killed off in 2012, probably as part of x86_64 work:

So, we can safely remove this distinction now.

comment:6 by pulkomandy, 17 months ago

Yes, VM86 was removed because it isn't available on x86_64, so we now run the VESA BIOS in an emulated x86 CPU. This has the additionnal advantage of being possible also on other architectures, making it possible to use standard PCI graphics card on non-x86 devices.

We can remove B_USER_BASE_ANY and revert to a single, simpler, B_USER_BASE. Yay!

comment:7 by waddlesplash, 17 months ago

Resolution: fixed
Status: assignedclosed

Fixed in hrev52905. I kept USER_BASE_ANY because it might still be a useful distinction on some architectures, but for now it's just defined to USER_BASE on x86.

comment:8 by nielx, 3 months ago

Milestone: UnscheduledR1/beta2

Assign tickets with status=closed and resolution=fixed within the R1/beta2 development window to the R1/beta2 Milestone

Note: See TracTickets for help on using tickets.