Merge pull request #265 from raja-grewal/mmap_min_addr

Set `sysctl vm.mmap_min_addr=65536`

README.md

@@ -68,6 +68,9 @@ User space:
 
 - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
 
+- Raise the minimum address a process can request for memory mapping to 64KB to
+  protect against kernel null pointer dereference vulnerabilities.
+
 - Increase the maximum number of memory map areas a process is able to utilize.
 
 - Optional - Disallow registering interpreters for various (miscellaneous) binary formats based

usr/lib/sysctl.d/990-security-misc.conf

@@ -274,6 +274,20 @@ fs.protected_regular=2
 ##
 kernel.randomize_va_space=2
 
+## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth.
+## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics.
+## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages.
+## Some legacy applications may still depend on low virtual memory addresses for proper functionality.
+##
+## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
+## https://access.redhat.com/articles/20484
+## https://wiki.debian.org/mmap_min_addr
+##
+## KSPP=yes
+## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536.
+##
+vm.mmap_min_addr=65536
+
 ## Increase the maximum number of memory map areas a process is permitted to utilize.
 ## Addresses performance, crash, and start-up issues for some memory-intensive applications.
 ## Required to accommodate the very large number of guard pages created by hardened_malloc.