1
Index: sys/kern/kern_exec.c
2
===================================================================
3
--- sys/kern/kern_exec.c	(revision 197682)
4
+++ sys/kern/kern_exec.c	(working copy)
5
@@ -104,6 +104,13 @@
6
 SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW, 
7
     &ps_arg_cache_limit, 0, "");
8
 
9
+SYSCTL_DECL(_security_bsd);
10
+
11
+static int map_at_zero = 1;
12
+TUNABLE_INT("security.bsd.map_at_zero", &map_at_zero);
13
+SYSCTL_INT(_security_bsd, OID_AUTO, map_at_zero, CTLFLAG_RW, &map_at_zero, 0,
14
+    "Permit processes to map an object at virtual address 0.");
15
+
16
 static int
17
 sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS)
18
 {
19
@@ -914,7 +921,7 @@
20
 	int error;
21
 	struct proc *p = imgp->proc;
22
 	struct vmspace *vmspace = p->p_vmspace;
23
-	vm_offset_t stack_addr;
24
+	vm_offset_t sv_minuser, stack_addr;
25
 	vm_map_t map;
26
 
27
 	imgp->vmspace_destroyed = 1;
28
@@ -928,14 +935,18 @@
29
 	 * not disrupted
30
 	 */
31
 	map = &vmspace->vm_map;
32
-	if (vmspace->vm_refcnt == 1 && vm_map_min(map) == sv->sv_minuser &&
33
+	if (map_at_zero)
34
+		sv_minuser = sv->sv_minuser;
35
+	else
36
+		sv_minuser = MAX(sv->sv_minuser, PAGE_SIZE);
37
+	if (vmspace->vm_refcnt == 1 && vm_map_min(map) == sv_minuser &&
38
 	    vm_map_max(map) == sv->sv_maxuser) {
39
 		shmexit(vmspace);
40
 		pmap_remove_pages(vmspace_pmap(vmspace), vm_map_min(map),
41
 		    vm_map_max(map));
42
 		vm_map_remove(map, vm_map_min(map), vm_map_max(map));
43
 	} else {
44
-		vmspace_exec(p, sv->sv_minuser, sv->sv_maxuser);
45
+		vmspace_exec(p, sv_minuser, sv->sv_maxuser);
46
 		vmspace = p->p_vmspace;
47
 		map = &vmspace->vm_map;
48
 	}
49

50