Merge pull request #265 from raja-grewal/mmap_min_addr

Set `sysctl vm.mmap_min_addr=65536`
2025-05-02 12:36:04 -04:00 · 2024-09-04 10:11:48 -04:00 · 2024-09-04 10:11:48 -04:00 · 563a898013
commit 563a898013
parent 175945ec9a e61027a40e
2 changed files with 17 additions and 0 deletions
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -274,6 +274,20 @@ fs.protected_regular=2
 ##
 kernel.randomize_va_space=2

+## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth.
+## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics.
+## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages.
+## Some legacy applications may still depend on low virtual memory addresses for proper functionality.
+##
+## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
+## https://access.redhat.com/articles/20484
+## https://wiki.debian.org/mmap_min_addr
+##
+## KSPP=yes
+## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536.
+##
+vm.mmap_min_addr=65536
+
 ## Increase the maximum number of memory map areas a process is permitted to utilize.
 ## Addresses performance, crash, and start-up issues for some memory-intensive applications.
 ## Required to accommodate the very large number of guard pages created by hardened_malloc.