mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-22 20:33:35 +07:00
Merge pull request #265 from raja-grewal/mmap_min_addr
Set `sysctl vm.mmap_min_addr=65536`
commit
563a898013
@ -68,6 +68,9 @@ User space:
|
||||
|
||||
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
|
||||
|
||||
- Raise the minimum address a process can request for memory mapping to 64KB to
|
||||
protect against kernel null pointer dereference vulnerabilities.
|
||||
|
||||
- Increase the maximum number of memory map areas a process is able to utilize.
|
||||
|
||||
- Optional - Disallow registering interpreters for various (miscellaneous) binary formats based
|
||||
|
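Review bot: The new README bullet "Raise the minimum address a process can request for memory mapping to 64KB to protect against kernel null pointer dereference vulnerabilities" claims more than the sysctl comment added in the same commit, and it drops that comment's compatibility caveat. The config comment ties the benefit to stopping local unprivileged users from "mapping data to low memory pages", so the bullet should say the same thing, for example "... to 64KB so that a kernel null pointer dereference cannot reach memory mapped by an unprivileged process". Consider also carrying over the note that some legacy applications may depend on low virtual memory addresses, since the README is where users will look first when such an application breaks.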
@ -274,6 +274,20 @@ fs.protected_regular=2
|
||||
##
|
||||
kernel.randomize_va_space=2
|
||||
|
||||
## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth.
|
||||
## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics.
|
||||
## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages.
|
||||
## Some legacy applications may still depend on low virtual memory addresses for proper functionality.
|
||||
##
|
||||
## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
|
||||
## https://access.redhat.com/articles/20484
|
||||
## https://wiki.debian.org/mmap_min_addr
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536.
|
||||
##
|
||||
vm.mmap_min_addr=65536
|
||||
|
||||
## Increase the maximum number of memory map areas a process is permitted to utilize.
|
||||
## Addresses performance, crash, and start-up issues for some memory-intensive applications.
|
||||
## Required to accommodate the very large number of guard pages created by hardened_malloc.
|
||||
|
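Review bot: The comment line "Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics" above `vm.mmap_min_addr=65536` reads as if the setting removes the dereference bug or the crash, which it does not. The setting only restricts which addresses a process may map, and the following line ("Protects against local unprivileged users gaining root privileges by mapping data to low memory pages") already states the actual benefit. Suggest folding the two lines into one statement along the lines of "Stops unprivileged processes from mapping low memory pages, so a kernel null pointer dereference cannot be turned into privilege escalation". The legacy-application caveat would also be more useful if it said how to lower the value for an affected system, and the "KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536" line could say that this sysctl applies the same value at runtime regardless of how the kernel was built.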