7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -35,10 +35,11 @@
 #include <sys/atomic.h>
 #include <sys/archsystm.h>
 #include <sys/machsystm.h>
 #include <sys/kdi.h>
 #include <sys/cpu_module.h>
+#include <sys/secflags.h>
 
 #include <vm/hat_sfmmu.h>
 
 #include <sys/memnode.h>
 

@@ -362,10 +363,17 @@
 {
         return (valid_va_range_aligned(basep, lenp, minlen, dir, 0, 0, 0));
 }
 
 /*
+ * Default to forbidding the first 64k of address space.  This protects most
+ * reasonably sized structures from dereferences through NULL:
+ *     ((foo_t *)0)->bar
+ */
+uintptr_t forbidden_null_mapping_sz = 0x10000;
+
+/*
  * Determine whether [addr, addr+len] with protections `prot' are valid
  * for a user address space.
  */
 /*ARGSUSED*/
 int
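Review bot: The new tunable `forbidden_null_mapping_sz` is documented only by its default value; the comment does not say that it is a global tunable, that it is consulted from valid_usr_range() below, or that the check it feeds is gated on the process secflag rather than applied unconditionally. I would extend the block comment with `Tunable (see valid_usr_range()); only enforced for processes with PROC_SEC_FORBIDNULLMAP set.` so an administrator raising or lowering it understands its scope. Nothing in this hunk bounds the value, so a value at or above the user limit would reject every mapping for such processes; if that is acceptable as an operator error it is worth stating in the same comment. The function whose signature begins at the end of this hunk continues in the next hunk.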

@@ -375,10 +383,14 @@
         caddr_t eaddr = addr + len;
 
         if (eaddr <= addr || addr >= userlimit || eaddr > userlimit)
                 return (RANGE_BADADDR);
 
+        if ((addr <= (caddr_t)forbidden_null_mapping_sz) &&
+            secflag_enabled(as->a_proc, PROC_SEC_FORBIDNULLMAP))
+                return (RANGE_BADADDR);
+
         /*
          * Determine if the address range falls within an illegal
          * range of the MMU.
          */
         if (eaddr > hole_start && addr < hole_end)
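Review bot: The comparison `addr <= (caddr_t)forbidden_null_mapping_sz` also rejects a mapping that starts exactly at forbidden_null_mapping_sz, which does not overlap the forbidden region if that region is meant to be [0, forbidden_null_mapping_sz); `addr < (caddr_t)forbidden_null_mapping_sz` would match the "first 64k" wording of the comment in the previous hunk. Since the preceding check already guarantees eaddr > addr, testing only the start address is sufficient to detect overlap, but that reliance is not obvious and deserves a one-line comment such as `/* eaddr > addr was checked above, so addr in the forbidden range implies overlap */`. The check consults as->a_proc; the `as` parameter and the rest of valid_usr_range() lie outside this hunk, so I could not confirm from the hunk that `as` is non-NULL on every path that reaches here. The enclosing function starts and ends outside the hunk.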