Mapping an object to vaddress 0


Dewayne Geraghty

Jul 15, 2025, 1:54:18 AM
to us...@hardenedbsd.org
While migrating from FreeBSD 14.0 to HardenedBSD 14.3S I noticed that one
of the sysctls that I use (on FBSD) wasn't available,
security.bsd.map_at_zero

I searched /usr/src/UPDATING* and
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/wikis/home but
there were no references to
security.bsd.map_at_zero

So I diff'ed FBSD and HBSD's sys/kern/kern_exec.c. There are a lot of
changes and, unfortunately, the complexity of what is done within the
file is beyond me. Does PAX_HARDENING remove the need, or was it
considered unnecessary, or ?

Thank you.

Shawn Webb

Jul 15, 2025, 11:00:29 AM
to Dewayne Geraghty, us...@hardenedbsd.org
We removed the ability to map at the 0 (NULL) address in userland,
mitigating an entire class of vulnerabilities (NULL pointer deref).
It's also not possible to map the lowest 64KB, either. That helps when
accessing a member of a struct, where a pointer to the structure
points to NULL (so you'd try to address NULL+struct member offset.)

The worst that can happen is the application crashes, creating a DoS,
which is still better than alternative outcomes.

Do you need to map at NULL? If so, I'd be curious to learn the
reason(s) why.

I believe that is indeed missing from the wiki, so I'll update that by
the end of the day today. I'll report back when that's completed.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
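As an added check (not code from this thread or from HardenedBSD), the C program below asks the kernel for one page pinned at address 0, the case security.bsd.map_at_zero used to govern, and for a page hinted inside the lowest 64KB, then reports whether each request was refused, relocated or honoured; it also shows which NULL-based struct member offsets the 64KB region described above would cover. The function names, the constructed sample struct and the 64KB constant are assumptions taken from the explanation above; MAP_EXCL (FreeBSD) or MAP_FIXED_NOREPLACE (Linux) is used so no existing mapping is ever replaced.

```c
#define _GNU_SOURCE  /* glibc: expose MAP_ANONYMOUS and MAP_FIXED_NOREPLACE */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
/* Pin the address without ever replacing an existing mapping. */
#if defined(MAP_FIXED_NOREPLACE)   /* Linux 4.17+ */
#define MAP_PIN MAP_FIXED_NOREPLACE
#elif defined(MAP_EXCL)            /* FreeBSD / HardenedBSD */
#define MAP_PIN (MAP_FIXED | MAP_EXCL)
#else
#define MAP_PIN MAP_FIXED
#endif
#define LOW_GUARD_BYTES ((uintptr_t)64 * 1024)  /* region the thread says is unmappable */
enum probe_result { PROBE_REFUSED, PROBE_RELOCATED, PROBE_LOW_MAPPED };
/* Request one anonymous page at `addr` and release it again. With `pin`
 * the address is mandatory (MAP_FIXED semantics); otherwise it is a hint the
 * kernel may move. REFUSED: mmap failed; RELOCATED: granted elsewhere;
 * LOW_MAPPED: the page really landed at `addr`, i.e. no guard there. */
enum probe_result probe_low_mapping(uintptr_t addr, int pin)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int flags = MAP_PRIVATE | MAP_ANONYMOUS | (pin ? MAP_PIN : 0);
    void *p = mmap((void *)addr, page, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (p == MAP_FAILED)
        return PROBE_REFUSED;
    enum probe_result r = (uintptr_t)p == addr ? PROBE_LOW_MAPPED : PROBE_RELOCATED;
    munmap(p, page);
    return r;
}
/* A NULL struct pointer dereferenced at member offset `off` touches address
 * 0 + off; return 1 when that address falls inside the unmappable region. */
int null_member_access_guarded(size_t off)
{
    return off < LOW_GUARD_BYTES;
}

int main(void)
{
    static const char *names[] = {"refused", "relocated", "mapped low"};
    struct msg { char hdr[512]; int flags; };  /* constructed sample type */
    printf("pin 0x0:     %s\n", names[probe_low_mapping(0, 1)]);
    printf("hint 0x1000: %s\n", names[probe_low_mapping(0x1000, 0)]);
    printf("NULL->flags (offset %zu) guarded: %d\n", offsetof(struct msg, flags),
           null_member_access_guarded(offsetof(struct msg, flags)));
    return 0;
}
```

On a kernel with the restriction described above both probes print "refused" or "relocated"; "mapped low" for the pinned page 0 request means the process was allowed to map NULL.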

Shawn Webb

Jul 15, 2025, 2:52:12 PM
to Dewayne Geraghty, us...@hardenedbsd.org
On Tue, Jul 15, 2025 at 03:00:25PM +0000, Shawn Webb wrote:
> On Tue, Jul 15, 2025 at 03:51:52PM +1000, Dewayne Geraghty wrote:
> > While migrating from FreeBSD 14.0 to HardenedBSD 14.3S I noticed that one of
> > the sysctls that I use (on FBSD) wasn't available,
> > security.bsd.map_at_zero
> >
> > I searched /usr/src/UPDATING* and
> > https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/wikis/home but there
> > were no references to
> > security.bsd.map_at_zero
> >
> > So I diff'ed FBSD and HBSD's sys/kern/kern_exec.c. There are a lot of
> > changes and, unfortunately, the complexity of what is done within the file
> > is beyond me. Does PAX_HARDENING remove the need, or was it considered
> > unnecessary, or ?
>
> We removed the ability to map at the 0 (NULL) address in userland,
> mitigating an entire class of vulnerabilities (NULL pointer deref).
> It's also not possible to map the lowest 64KB, either. That helps when
> accessing a member of a struct, where a pointer to the structure
> points to NULL (so you'd try to address NULL+struct member offset.)
>
> The worst that can happen is the application crashes, creating a DoS,
> which is still better than alternative outcomes.
>
> Do you need to map at NULL? If so, I'd be curious to learn the
> reason(s) why.
>
> I believe that is indeed missing from the wiki, so I'll update that by
> the end of the day today. I'll report back when that's completed.

The wiki has been updated. Please let me know if further
clarifications need to be made.

Dewayne Geraghty

Jul 15, 2025, 7:42:19 PM
to Shawn Webb, us...@hardenedbsd.org

On 16/07/2025 4:52 am, Shawn Webb wrote:
...
>> We removed the ability to map at the 0 (NULL) address in userland,
>> mitigating an entire class of vulnerabilities (NULL pointer deref).
>> It's also not possible to map the lowest 64KB, either. That helps when
>> accessing a member of a struct, where a pointer to the structure
>> points to NULL (so you'd try to address NULL+struct member offset.)
>>
>> The worst that can happen is the application crashes, creating a DoS,
>> which is still better than alternative outcomes.
>>
>> Do you need to map at NULL? If so, I'd be curious to learn the
>> reason(s) why.
>>
>> I believe that is indeed missing from the wiki, so I'll update that by
>> the end of the day today. I'll report back when that's completed.
>
> The wiki has been updated. Please let me know if further
> clarifications need to be made.
>
> Thanks,
>

Thank you for your explanation and timeliness. The statement in the
wiki is very useful. Both (the wiki and email response) are helpful for
the insight as to the rationale :)

Actually I have the value set in FBSD sysctl.conf, which I migrated to
our HardenedBSD devices, and noticed the missing sysctl during boot. I
had set it to zero, as its original value was 1 (somewhere in FBSD 7 or 8).

Kind regards, Dewayne