Opened 6 months ago

Closed 6 months ago

#14911 closed bug (fixed)

[VM] Block userland from mmap'ing the first page (NULL to B_PAGE_SIZE)

Reported by: waddlesplash Owned by: waddlesplash
Priority: normal Milestone: Unscheduled
Component: System/Kernel Version: R1/Development
Keywords: Cc:
Blocked By: Blocking:
Has a Patch: no Platform: All

Description

This is for security reasons, as then if the kernel tries to dereference NULL, it will always cause a page fault, instead of being potentially exploitable by a malicious application.

The only possible concern is BeOS compatibility. Did any applications do this intentionally? Do we care?

Attachments (1)

mmap.c (310 bytes ) - added by waddlesplash 6 months ago.
test program showing 0x0 can be mapped

Download all attachments as: .zip

Change History (8)

comment:1 by waddlesplash, 6 months ago

Owner: changed from nobody to waddlesplash
Status: newassigned

comment:2 by pulkomandy, 6 months ago

Is this even possible currently? I thought our userspace already reserved the first 1MB of RAM and did not allow mapping anything there.

by waddlesplash, 6 months ago

Attachment: mmap.c added

test program showing 0x0 can be mapped

comment:4 by waddlesplash, 6 months ago

Added a test program (reported at https://twitter.com/jensensec/status/1097713585495728128) showing that 0x0 can be mapped.

Looks like the problem is here: http://xref.plausible.coop/source/xref/haiku/src/system/kernel/vm/VMUserAddressSpace.cpp#765 -- other functions in that file obey USER_BASE_ANY, this one ignores it.

Actually this looks like it was previously intentional: http://xref.plausible.coop/source/xref/haiku/headers/private/kernel/arch/x86/arch_kernel.h#83 ("Furthermore no areas are placed in the lower 1Mb unless the application explicitly requests it to find null pointer references.")

So, we would have to update USER_BASE to get the wanted behavior. I think Linux et al. do the same, so, that shouldn't be an issue, I guess?

comment:5 by waddlesplash, 6 months ago

Aha, seems this was introduced with VM86 mode: https://github.com/haiku/haiku/commit/7cbf8fdd5a22f56b50ce28270e0f867401dd6c0f

And VM86 mode was killed off in 2012, probably as part of x86_64 work: https://github.com/haiku/haiku/commit/74bda98cb236130b1d4f84795f7fafd5c8e540a9

So, we can safely remove this distinction now.

comment:6 by pulkomandy, 6 months ago

Yes, VM86 was removed because it isn't available on x86_64, so we now run the VESA BIOS in an emulated x86 CPU. This has the additionnal advantage of being possible also on other architectures, making it possible to use standard PCI graphics card on non-x86 devices.

We can remove B_USER_BASE_ANY and revert to a single, simpler, B_USER_BASE. Yay!

comment:7 by waddlesplash, 6 months ago

Resolution: fixed
Status: assignedclosed

Fixed in hrev52905. I kept USER_BASE_ANY because it might still be a useful distinction on some architectures, but for now it's just defined to USER_BASE on x86.

Note: See TracTickets for help on using tickets.