valgrind partially broken by current hardy-proposed kernel?

Kees Cook kees at canonical.com
Wed Jun 4 16:11:48 UTC 2008


On Wed, Jun 04, 2008 at 11:33:00AM -0400, Ben Collins wrote:
> On Wed, 2008-06-04 at 08:12 -0700, Kees Cook wrote:
> > On Wed, Jun 04, 2008 at 01:30:55PM +0100, Matthew Garrett wrote:
> > > On Mon, Jun 02, 2008 at 03:07:10PM -0700, Kees Cook wrote:
> > > 
> > > > True, but the mmap_min_addr setting only affects MAP_FIXED, in which
> > > > you really want address 0.  (And yes, that's valid, but not common.)
> > > > The common use-case of using NULL to just get an arbitrary mapping is done
> > > > without MAP_FIXED.
> > > 
> > > vbetool needs to map address 0 with MAP_FIXED in order to get the IDT.
> > 
> > Yes, but it (and usplash) run as root, which is exempt from this check.
> > (Wine and dosemu use this area as well, and for those use cases, people
> > have been advised to change the limit back to 0.  For the default use-cases,
> > there is no problem.)
> 
> So what danger is imposed by the non-root use case being able to mmap
> below 64k?

Since user-space and kernel-space share the same virtual memory maps, if
there is a future kernel bug that does dereferenced NULL-to-function
call junk again (there have been at least two in the past) the user can
first map the region, set up their own kernel functions, and then tweak
the bug[1].

Like some of the other hardening bits, it's a preventative measure.

-Kees

[1] http://www.phrack.com/issues.html?issue=64&id=6#article (see 2.1)

-- 
Kees Cook
Ubuntu Security Team