Do not allow mmap with the MAP_FIXED argument to map at address zero.

This is done to make it harder to exploit kernel NULL pointer security
vulnerabilities.  While this of course does not fix vulnerabilities,
it does mitigate their impact.

Note that this may break some applications, most likely emulators or
similar, which for one reason or another require mapping memory at
zero.

This restriction can be disabled with the security.bsd.mmap_zero
sysctl variable.

Discussed with:	rwatson, bz
Tested by:	bz (Wine), simon (VirtualBox)
Submitted by:	jhb

sys/vm/vm_mmap.c

@@ -96,6 +96,14 @@ static int max_proc_mmap;
 SYSCTL_INT(_vm, OID_AUTO, max_proc_mmap, CTLFLAG_RW, &max_proc_mmap, 0,
     "Maximum number of memory-mapped files per process");
 
+/*
+ * 'mmap_zero' determines whether or not MAP_FIXED mmap() requests for
+ * virtual address zero are permitted.
+ */
+static int mmap_zero;
+SYSCTL_INT(_security_bsd, OID_AUTO, mmap_zero, CTLFLAG_RW, &mmap_zero, 0,
+    "Processes may map an object at virtual address zero");
+
 /*
  * Set the maximum number of vm_map_entry structures per process.  Roughly
  * speaking vm_map_entry structures are tiny, so allowing them to eat 1/100
@@ -229,7 +237,8 @@ mmap(td, uap)
 	pos = uap->pos;
 
 	fp = NULL;
-	/* make sure mapping fits into numeric range etc */
+
+	/* Make sure mapping fits into numeric range, etc. */
 	if ((uap->len == 0 && !SV_CURPROC_FLAG(SV_AOUT) &&
 	     curproc->p_osrel >= 800104) ||
 	    ((flags & MAP_ANON) && uap->fd != -1))
@@ -267,6 +276,14 @@ mmap(td, uap)
 		addr -= pageoff;
 		if (addr & PAGE_MASK)
 			return (EINVAL);
+
+		/*
+		 * Mapping to address zero is only permitted if
+		 * mmap_zero is enabled.
+		 */
+		if (addr == 0 && !mmap_zero)
+			return (EINVAL);
+
 		/* Address range must be all in user VM space. */
 		if (addr < vm_map_min(&vms->vm_map) ||
 		    addr + size > vm_map_max(&vms->vm_map))