Really good idea to allow mmap(0, FIXED)?

[Michael Buesch]

Hi,

This question has already been discussed here in the past, but
we did not come to a good result. So I want to ask the question again:

Is is really a good idea to allow processes to remap something
to address 0?
I say no, because this can potentially be used to turn rather harmless
kernel bugs into a security vulnerability.

Let's say we have some kernel NULL pointer dereference bug somewhere,
that's rather harmless, if it happens in process context and
does not leak any resources on segfaulting the triggering app.
So the worst thing that happens is a crashing app. Yeah, this bug must
be fixed. But my point is that this bug can probably be used to
manipulate the way the kernel works or even to inject code into
the kernel from userspace.

Attached to this mail is an example. The kernel module represents
the actual "kernel-bug". Its whole purpose in this example is to
introduce a user-triggerable NULL pointer dereference.
Please stop typing now, if you are typing something like
"If you can load a kernel module, you have access to the kernel anyway".
This is different. We always _had_ and most likely _have_ NULL pointer
dereference bugs in the kernel.

The example programm injects a magic value 0xB15B00B2 into the
kernel, which is printk'ed on success.

In my opinion, this should be forbidden by disallowing mmapping
to address 0. A NULL pointer dereference is such a common bug, that
it is worth protecting against.
Besides that, I currently don't see a valid reason to mmap address 0.

Comments?

-- 
Greetings Michael.

Attachment: knulltest.tar.gz
Description: application/tgz