Merge pull request #265 from raja-grewal/mmap_min_addr

Set `sysctl vm.mmap_min_addr=65536`
This commit is contained in:
Patrick Schleizer 2024-09-04 10:11:48 -04:00 committed by GitHub
commit 563a898013
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 17 additions and 0 deletions

View File

@ -68,6 +68,9 @@ User space:
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
- Raise the minimum address a process can request for memory mapping to 64KB to
protect against kernel null pointer dereference vulnerabilities.
- Increase the maximum number of memory map areas a process is able to utilize. - Increase the maximum number of memory map areas a process is able to utilize.
- Optional - Disallow registering interpreters for various (miscellaneous) binary formats based - Optional - Disallow registering interpreters for various (miscellaneous) binary formats based

View File

@ -274,6 +274,20 @@ fs.protected_regular=2
## ##
kernel.randomize_va_space=2 kernel.randomize_va_space=2
## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth.
## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics.
## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages.
## Some legacy applications may still depend on low virtual memory addresses for proper functionality.
##
## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
## https://access.redhat.com/articles/20484
## https://wiki.debian.org/mmap_min_addr
##
## KSPP=yes
## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536.
##
vm.mmap_min_addr=65536
## Increase the maximum number of memory map areas a process is permitted to utilize. ## Increase the maximum number of memory map areas a process is permitted to utilize.
## Addresses performance, crash, and start-up issues for some memory-intensive applications. ## Addresses performance, crash, and start-up issues for some memory-intensive applications.
## Required to accommodate the very large number of guard pages created by hardened_malloc. ## Required to accommodate the very large number of guard pages created by hardened_malloc.