From: Linus Torvalds <torvalds@linux-foundation.org>
Newsgroups: fa.linux.kernel
Subject: Re: Security fix for remapping of page 0 (was [PATCH] Change
Date: Wed, 03 Jun 2009 15:08:52 UTC
Message-ID: <fa.KTGzEOLON4iMwM7Le/G/y2O3kF4@ifi.uio.no>

On Wed, 3 Jun 2009, Christoph Lameter wrote:
>
> Ok. So what we need to do is stop this toying around with remapping of
> page 0. The following patch contains a fix and a test program that
> demonstrates the issue.

No, we _need_ to be able to map to address zero.

It may not be very common, but things like vm86 require it - vm86 mode
always starts at virtual address zero.

For similar reasons, some other emulation environments will want it too,
simply because they want to emulate another environment that has an
address space starting at 0, and don't want to add a base to all address
calculations.

There are historically even some crazy optimizing compilers that decided
that they need to be able to optimize accesses of a pointer across a NULL
pointer check, so that they can turn code like

	if (!ptr)
		return;
	val = ptr->member;

into doing the load early. In order to support that optimization, they
have a runtime that always maps some garbage at virtual address zero.

(I don't remember who did this, but my dim memory wants to say it was some
HP-UX compiler. Scheduling loads early can be a big deal on especially
in-order machines with nonblocking cache accesses).

The point being that we do need to support mmap at zero. Not necessarily
universally, but it can't be some fixed "we don't allow that".

		Linus


From: Linus Torvalds <torvalds@linux-foundation.org>
Newsgroups: fa.linux.kernel
Subject: Re: Security fix for remapping of page 0 (was [PATCH] Change
Date: Wed, 03 Jun 2009 17:37:07 UTC
Message-ID: <fa.cuuqEqwyBnJWJ49hZHDN5JFKBy8@ifi.uio.no>

On Wed, 3 Jun 2009, Alan Cox wrote:

> One way you could approach this would be to write a security module for
> non SELINUX users - one that did one thing alone - decide whether the app
> being run was permitted to map the low 64K perhaps by checking the
> security label on the file.

Unnecessary. I really think that 99% of all people are perfectly fine with
just the "mmap_min_addr" rule, and no more.

The rest could just use SELinux or set it to zero. It's not like allowing
mmap's at NULL is a huge problem. Sure, it allows a certain kind of attack
vector, but it's by no means an easy or common one - you need to already
have gotten fairly good local access to take advantage of it.

		Linus


From: Linus Torvalds <torvalds@linux-foundation.org>
Newsgroups: fa.linux.kernel
Subject: Re: Security fix for remapping of page 0 (was [PATCH] Change
Date: Wed, 03 Jun 2009 18:13:46 UTC
Message-ID: <fa.I/LkbOXNEIoxWt7MMrcJKSx3nKo@ifi.uio.no>

On Wed, 3 Jun 2009, Larry H. wrote:
>
> Are you saying that a kernel exploit can't be leveraged by means of
> runtime code injection for example?

No. I'm saying that sane people don't get hung up about every little
possibility.

Why are security people always so damn black-and-white? In most other
areas, such people are called "crazy" or "stupid", but the security people
seem to call them "normal".

The fact is, the NULL pointer attack is neither easy nor common. It's
perfectly reasonable to say "we'll allow mmap at virtual address zero".

Disallowing NULL pointer mmap's is one small tool in your toolchest, and
not at all all-consumingly important or fundamental. It's just one more
detail.

Get over it. Don't expect everybody to be as extremist as you apparently
are.

			Linus


From: Linus Torvalds <torvalds@linux-foundation.org>
Newsgroups: fa.linux.kernel
Subject: Re: Security fix for remapping of page 0 (was [PATCH] Change
Date: Wed, 03 Jun 2009 18:50:53 UTC
Message-ID: <fa.d+c0nCK5j2rLMuSKyW6gnHjUZLU@ifi.uio.no>

On Wed, 3 Jun 2009, Larry H. wrote:
> >
> > The fact is, the NULL pointer attack is neither easy nor common. It's
> > perfectly reasonable to say "we'll allow mmap at virtual address zero".
>
> And how could you calibrate if this attack venue isn't easy to take
> advantage of? Or not commonly abused? What empirical results led you to this
> conclusion?

It's not a primary attack vector. You need to have already broken local
security to get there - you need to be able to execute code.

That means that you've already by-passed all the main security. It's thus
by definition less common than attack vectors like buffer overflows that
give you that capability in the first place.

			Linus


From: Linus Torvalds <torvalds@linux-foundation.org>
Newsgroups: fa.linux.kernel
Subject: Re: Security fix for remapping of page 0 (was [PATCH] Change
Date: Wed, 03 Jun 2009 18:52:12 UTC
Message-ID: <fa.t77TH1xJySCoLwdi8XpxxpkPZoA@ifi.uio.no>

On Wed, 3 Jun 2009, Linus Torvalds wrote:
>
> That means that you've already by-passed all the main security. It's thus
> by definition less common than attack vectors like buffer overflows that
> give you that capability in the first place.

Btw, you obviously need to then _also_ pair it with some as-yet-unknown
case of kernel bug to get to that NULL pointer (or zero-sized-alloc
pointer) problem.

You _also_ seem to be totally ignoring the fact that we already _do_
protect against NULL pointers by default.

So I really don't see why you're making a big deal of this. It's as if you
were talking about us not randomizing the address space - sure, you can
turn it off, but so what? We do it by default.

So it boils down to:

 - NULL pointers already cannot be in mmap memory (unless a distro has
   done something wrong - outside of the kernel)

 - What's your beef? Let it go, man.

			Linus

