What happens in OS when we dereference a NULL pointer in C?

by

Short answer: it depends on a lot of factors, including the compiler, processor architecture, specific processor model, and the OS, among others.

Long answer (x86 and x86-64): Let’s go down to the lowest level: the CPU. On x86 and x86-64, that code will typically compile into an instruction or instruction sequence like this:

movl $10, 0x00000000

Which says to “store the constant integer 10 at virtual memory address 0”. The IntelĀ® 64 and IA-32 Architectures Software Developer Manuals describe in detail what happens when this instruction gets executed, so I’m going to summarize it for you.

The CPU can operate in several different modes, several of which are for backwards compatibility with much older CPUs. Modern operating systems run user-level code in a mode called protected mode, which uses paging to convert virtual addresses into physical addresses.

For each process, the OS keeps a page table which dictates how the addresses are mapped. The page table is stored in memory in a specific format (and protected so that they can not be modified by the user code) that the CPU understands. For every memory access that happens, the CPU translates it according to the page table. If the translation succeeds, it performs the corresponding read/write to the physical memory location.

The interesting things happen when the address translation fails. Not all addresses are valid, and if any memory access generates an invalid address, the processor raises a page fault exception. This triggers a transition from user mode (aka current privilege level (CPL) 3 on x86/x86-64) into kernel mode (aka CPL 0) to a specific location in the kernel’s code, as defined by the interrupt descriptor table (IDT).

The kernel regains control and, based on the information from the exception and the process’s page table, figures out what happened. In this case, it realizes that the user-level process accessed an invalid memory location, and then it reacts accordingly. On Windows, it will invoke structured exception handling to allow the user code to handle the exception. On POSIX systems, the OS will deliver a SIGSEGV signal to the process.

In other cases, the OS will handle the page fault internally and restart the process from its current location as if nothing happened. For example, guard pages are placed at the bottom of the stack to allow the stack to grow on demand up to a limit, instead of preallocating a large amount of memory for the stack. Similar mechanisms are used for achieving copy-on-write memory.

In modern OSes, the page tables are usually set up to make the address 0 an invalid virtual address. But sometimes it’s possible to change that, e.g. on Linux by writing 0 to the pseudofile /proc/sys/vm/mmap_min_addr, after which it’s possible to use mmap(2) to map the virtual address 0. In that case, dereferencing a null pointer would not cause a page fault.

The above discussion is all about what happens when the original code is running in user space. But this could also happen inside the kernel. The kernel can (and is certainly much more likely than user code to) map the virtual address 0, so such a memory access would be normal. But if it’s not mapped, then what happens then is largely similar: the CPU raises a page fault error which traps into a predefined point at the kernel, the kernel examines what happened, and reacts accordingly. If the kernel can’t recover from the exception, it will typically panic in some fashion (kernel panic, kernel oops, or a BSOD on Windows, e.g.) by printing out some debug information to the console or serial port and then halting.

See also Much ado about NULL: Exploiting a kernel NULL dereference for an example of how an attacker could exploit a null pointer dereference bug from inside the kernel in order to gain root privileges on a Linux machine.

More Related Contents:

  1. What is the difference between NULL, ‘\0’ and 0?
  2. Is NULL always zero in C?
  3. Does free(ptr) where ptr is NULL corrupt memory?
  4. What is the result of NULL + int?
  5. Is NULL always false?
  6. pointer to string concept in c [closed]
  7. Pointer manipulation inside function
  8. Changing address contained by pointer using function
  9. NULL vs nullptr (Why was it replaced?) [duplicate]
  10. Why is the asterisk before the variable name, rather than after the type?
  11. What’s the difference between a VLA and dynamic memory allocation via malloc?
  12. Why does this implementation of offsetof() work?
  13. Constant pointer vs Pointer to constant [duplicate]
  14. Can a conforming C implementation #define NULL to be something wacky
  15. Is there any reason to check for a NULL pointer before deleting?
  16. Can I use if (pointer) instead of if (pointer != NULL)?
  17. Function to dynamically allocate matrix
  18. Using fseek with a file pointer that points to stdin
  19. C typedef of pointer to structure
  20. Pointers – Difference between Array and Pointer
  21. Are “malloc(sizeof(struct a *))” and “malloc(sizeof(struct a))” the same?
  22. Swapping pointers in C (char, int)
  23. What is double star (eg. NSError **)?
  24. How to include a dynamic array INSIDE a struct in C?
  25. Difference between *ptr[10] and (*ptr)[10]
  26. How are we able to access the pointer after deallocating the memory?
  27. Printing pointers in C
  28. lvalue required as increment operand
  29. pointer default value .?
  30. Is it possible to store the address of a label in a variable and use goto to jump to it?

Leave a Comment