Set sysctl vm.mmap_min_addr=65536

Raja Grewal 2024-08-19 11:32:20 +10:00
parent e962153f84
commit e61027a40e
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
2 changed files with 17 additions and 0 deletions

@ -63,6 +63,9 @@ space, user space, core dumps, and swap space.
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
- Raise the minimum address a process can request for memory mapping to 64KB to
protect against kernel null pointer dereference vulnerabilities.
- Increase the maximum number of memory map areas a process is able to utilize.
- Disallow registering interpreters for various (miscellaneous) binary formats based
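Review bot: the two added bullet lines overstate the protection. Raising the minimum mapping address does not protect against kernel null pointer dereference vulnerabilities as such; it only stops unprivileged processes from mapping the lowest pages, so a dereference of a NULL-based pointer in the kernel cannot be turned into reads or writes of attacker-controlled data. The dereference itself still faults and oopses. Suggest rewording to something like "Raise the minimum address a process can request for memory mapping to 64KB so that kernel null pointer dereference bugs cannot be exploited by mapping the zero page", which matches the "defense-in-depth" framing used in the sysctl file's comment block in the same commit.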

@ -207,6 +207,20 @@ fs.protected_regular=2
##
kernel.randomize_va_space=2
## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth.
## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics.
## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages.
## Some legacy applications may still depend on low virtual memory addresses for proper functionality.
##
## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
## https://access.redhat.com/articles/20484
## https://wiki.debian.org/mmap_min_addr
##
## KSPP=yes
## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536.
##
vm.mmap_min_addr=65536
## Increase the maximum number of memory map areas a process is permitted to utilize.
## Addresses performance, crash, and start-up issues for some memory-intensive applications.
## Required to accommodate the very large number of guard pages created by hardened_malloc.
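Review bot: the comment line "Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics" is inaccurate and should be reworded before merge. vm.mmap_min_addr neither prevents the dereference nor the resulting oops; with the setting in place a kernel NULL dereference still crashes, what changes is that an unprivileged process can no longer populate the page at address zero, so the bug cannot be promoted into control of kernel data or a privilege escalation (which is exactly what the following line and the linked Project Zero post describe). Suggest collapsing the two lines into "Prevents unprivileged processes from mapping the lowest 64KB of virtual memory, so a kernel null pointer dereference cannot be turned into a privilege escalation; the bug itself still oopses." Two further points worth a line in the same comment block: processes holding CAP_SYS_RAWIO are exempt from the check, so the setting is a mitigation against unprivileged local users only, and the "legacy applications" remark could name the usual cases (Wine running 16-bit code, DOSEMU) so that an administrator hitting a mapping failure knows where to look.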