On Sun, Dec 5, 2010 at 01:40, Eric Smith <eric@brouhaha.com> wrote:
Hi Eric!
This is a specific security feature designed to reduce the security
impact of a kernel NULL-pointer dereference. Specifically, the most
obvious vulnerability occurs if kernel code accidentally calls a NULL
function pointer or calls a function pointer through a NULL structure
pointer, but there are other ways to exploit it. The actual exploit
is to map a page with code at address zero and then trigger the kernel
NULL-pointer-dereference, resulting in privileged execution of your
unprivileged code.
There is a sysctl tunable "vm.mmap_min_addr" that you can change to
modify this behavior, and SELinux-enabled systems can loosen this
behavior a bit, but it's not normally something you want to give to
unprivileged processes.
Since you're performing binary translation of a microcontroller, it
may be better to perform some kind of minimal memory-map translation
as a part of that. For example, you should be able to introduce an
addition into each memory dereference operation without too much
overhead (i.e. treat all microcontroller addresses as relative to a
particular "memory base address").
The Debian wiki has a pretty decent page describing the security
feature in more detail:
http://wiki.debian.org/mmap_min_addr
Cheers,
Kyle Moffett
--
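The two points in the reply above, shown as an added example that is not part of the original message or of Kyle's or Eric's code: the first function probes whether the calling process may map the zero page at all (under a non-zero vm.mmap_min_addr and without CAP_SYS_RAWIO, mmap() fails with EPERM), and the rest implements the suggested base-address translation for a binary translator. The 64 KiB guest size, the guest_mem backing store and the g2h() helper name are assumptions chosen for illustration; wrapping out-of-range guest addresses with a mask is one possible policy, trapping them is another.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Read the current vm.mmap_min_addr; -1 if /proc is unavailable. */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Try to map one anonymous page at address 0.  Returns 0 if the mapping
 * succeeded (and was unmapped again), otherwise the errno from mmap();
 * on a default Linux box this is EPERM because of vm.mmap_min_addr. */
int probe_zero_page(void)
{
    void *p = mmap((void *)0, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, 4096);
    return 0;
}

/* --- Base-address translation for an emulated microcontroller ---------- */

#define GUEST_SIZE 0x10000u            /* assumed 64 KiB guest address space */
static uint8_t guest_mem[GUEST_SIZE];  /* host backing store; "memory base address" */

/* guest address -> host pointer: base + (addr masked into the guest space).
 * Guest address 0 therefore lands at &guest_mem[0], never at host address 0,
 * so a guest NULL dereference can be emulated without mapping the zero page. */
static inline uint8_t *g2h(uint32_t gaddr)
{
    return guest_mem + (gaddr & (GUEST_SIZE - 1));
}

uint8_t guest_ld8(uint32_t a)             { return *g2h(a); }
void    guest_st8(uint32_t a, uint8_t v)  { *g2h(a) = v; }

/* 16-bit little-endian accessors built on the byte helpers. */
uint16_t guest_ld16(uint32_t a)
{
    return (uint16_t)(guest_ld8(a) | (guest_ld8(a + 1) << 8));
}
void guest_st16(uint32_t a, uint16_t v)
{
    guest_st8(a, (uint8_t)v);
    guest_st8(a + 1, (uint8_t)(v >> 8));
}

/* The classic bug, emulated: the guest loads a 16-bit pointer that holds 0
 * and dereferences it.  Returns whatever sits at guest address 0 (0xBEEF
 * here, a constructed value).  The access stays inside guest_mem. */
uint16_t guest_null_deref_demo(void)
{
    memset(guest_mem, 0, sizeof guest_mem);
    guest_st16(0x0000, 0xBEEF);        /* e.g. the guest's reset vector */
    guest_st16(0x0100, 0x0000);        /* a guest pointer variable that is NULL */
    uint16_t p = guest_ld16(0x0100);   /* p == 0 */
    return guest_ld16(p);              /* emulated NULL deref, host-safe */
}

int main(void)
{
    printf("vm.mmap_min_addr = %ld\n", read_mmap_min_addr());
    int rc = probe_zero_page();
    printf("mmap at 0: %s\n", rc ? strerror(rc) : "succeeded");
    printf("guest NULL deref reads 0x%04X from host %p (not host 0)\n",
           guest_null_deref_demo(), (void *)g2h(0));
    return 0;
}
```

The translator pays one addition (and, with the masking policy, one AND) per guest memory access; the guest's address 0 is just another offset into the host buffer, so the host process never needs the privilege that vm.mmap_min_addr withholds.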