A question about allow_unconfined_mmap_low in f11 and selinux

Eric Paris eparis at redhat.com
Wed Nov 4 16:50:31 UTC 2009


On Wed, 2009-11-04 at 08:38 -0800, John Reiser wrote:

> The kernel could remove 99.9% of the vulnerability, with
> no dynamic cost to processes that don't use page 0, by:
> 1. Reduce STACK_TOP by one page, and reserve the corresponding
>     virtual page frame.
> 2. If a process does mmap(0,,,MAP_FIXED,,) then turn on the
>     process status bit which forces "slow path" for kernel entry
>     via system call from that process.  In the slow path, check for
>     a mapping at page 0 and if so then move that mapping to the
>     reserved page at STACK_TOP, and turn off the mapping at page 0.
>     Reverse the substitution when returning from the syscall.
> 3. Add the necessary check in the trap handler for
>     copy_{to,from}_user() to handle intended kernel access to page 0
>     (including I/O) by substituting the reserved page instead.
> 
> This would allow mmap(0,,,MAP_FIXED,,) yet still protect all
> synchronous kernel execution.  The only remaining window of
> vulnerability is interrupt handlers.  If an interrupt handler
> is touching *any* user address space then the problems are more
> serious than mmap(0).

That's an interesting thought; do you think you could code something
like that and post it to lkml?  I certainly might get some traction.

-Eric
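The three-step scheme quoted above (reserve a frame below STACK_TOP, park the page-0 mapping there on slow-path syscall entry, and let only copy_{to,from}_user() follow it) is easier to reason about with a model in hand. The following C program is an added example, not code from the thread or from the kernel: it models one process's page table as an array, with `struct proc`, `model_mmap_fixed()`, `syscall_enter()`, `syscall_exit()` and `kernel_touch()` as hypothetical names, and a constructed frame of 'A' bytes mapped at page 0. It shows the property the proposal is after: during a syscall a stray NULL dereference faults, an intended copy_from_user() still reaches the user's data through the reserved frame, and the mapping is back once the syscall returns.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define NR_PAGES    16u                      /* toy address space of 16 pages */
#define STACK_TOP   (NR_PAGES * PAGE_SIZE)   /* top of the (shrunken) user range */
#define RESERVED_PG (NR_PAGES - 1u)          /* frame carved out below STACK_TOP (step 1) */

/* Hypothetical per-process state; the real kernel keeps this in mm/task structs. */
struct proc {
    unsigned char *pte[NR_PAGES];  /* NULL = unmapped, otherwise the backing frame */
    bool slow_path;                /* status bit armed by mmap(0, MAP_FIXED) (step 2) */
    bool page0_parked;             /* page-0 mapping currently sits at RESERVED_PG */
};

/* Model of mmap(addr, ..., MAP_FIXED, ...) for one page. */
static int model_mmap_fixed(struct proc *p, unsigned page, unsigned char *frame)
{
    if (page >= NR_PAGES || page == RESERVED_PG)
        return -1;                 /* the reserved frame is never given to user space */
    p->pte[page] = frame;
    if (page == 0)
        p->slow_path = true;       /* later syscalls from this process take the slow path */
    return 0;
}

/* Slow-path syscall entry: move (not copy) the page-0 mapping to the reserved frame. */
static void syscall_enter(struct proc *p)
{
    if (p->slow_path && p->pte[0] != NULL) {
        p->pte[RESERVED_PG] = p->pte[0];
        p->pte[0] = NULL;          /* page 0 is now unmapped for the syscall's duration */
        p->page0_parked = true;
    }
}

/* Syscall return: reverse the substitution. */
static void syscall_exit(struct proc *p)
{
    if (p->page0_parked) {
        p->pte[0] = p->pte[RESERVED_PG];
        p->pte[RESERVED_PG] = NULL;
        p->page0_parked = false;
    }
}

/* Kernel touching user address `addr` while inside a syscall.
 * intended == true models copy_{to,from}_user(), whose trap handler is taught
 * (step 3) to substitute the reserved frame for page 0; intended == false models
 * a stray NULL dereference, which must fault.  Returns 0 and the byte, or -1. */
static int kernel_touch(const struct proc *p, uintptr_t addr, bool intended,
                        unsigned char *out)
{
    unsigned page = (unsigned)(addr / PAGE_SIZE), off = (unsigned)(addr % PAGE_SIZE);
    if (page >= NR_PAGES)
        return -1;
    if (page == 0 && p->page0_parked && intended)
        page = RESERVED_PG;
    if (p->pte[page] == NULL)
        return -1;                 /* fault */
    *out = p->pte[page][off];
    return 0;
}

/* Constructed scenario: a process that has mapped a frame of 'A' bytes at page 0. */
static unsigned char demo_frame[PAGE_SIZE];

static void demo_setup(struct proc *p)
{
    memset(p, 0, sizeof *p);
    memset(demo_frame, 'A', sizeof demo_frame);
    model_mmap_fixed(p, 0, demo_frame);
}

/* 1 if a stray NULL dereference during the syscall faults instead of reading user data. */
static int demo_stray_faults(void)
{
    struct proc p; unsigned char b = 0;
    demo_setup(&p);
    syscall_enter(&p);
    int rc = kernel_touch(&p, 0x10, false, &b);
    syscall_exit(&p);
    return rc == -1;
}

/* The byte copy_from_user() obtains from address 0x10 during the syscall (-1 on fault). */
static int demo_intended_byte(void)
{
    struct proc p; unsigned char b = 0;
    demo_setup(&p);
    syscall_enter(&p);
    int rc = kernel_touch(&p, 0x10, true, &b);
    syscall_exit(&p);
    return rc == 0 ? b : -1;
}

/* 1 if page 0 is mapped again and the reserved frame is free after the syscall returns. */
static int demo_restored(void)
{
    struct proc p;
    demo_setup(&p);
    syscall_enter(&p);
    syscall_exit(&p);
    return p.pte[0] == demo_frame && p.pte[RESERVED_PG] == NULL;
}

int main(void)
{
    printf("stray NULL deref faults during syscall: %d\n", demo_stray_faults());
    printf("copy_from_user sees: %c\n", demo_intended_byte());
    printf("mapping restored after return: %d\n", demo_restored());
    return 0;
}
```

The model also makes the remaining gap visible: `syscall_enter()` only runs on the syscall path, so an interrupt handler that touched user memory would still see page 0 mapped, which is exactly the window the quoted mail leaves open.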




More information about the fedora-devel-list mailing list