Setting vm.mmap_min_addr for lenny?

Florian Weimer · External Since: Nov 10, 2004 Posts: 648

I wonder if it makes sense to set vm.mmap_min_addr to 4096 (instead of
0) for lenny. It seems to me that unstable already made this switch,
and given the apparently neverending sequence of kernel NULL
dereferences, this might be quite helpful.

--
To UNSUBSCRIBE, email to debian-kernel-REQUEST.RemoveThis@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.RemoveThis@lists.debian.org

Bastian Blank · External Since: Nov 21, 2004 Posts: 774

Package: linux-2.6
Version: 2.6.26-18
Severity: important
Tags: security

On Fri, Aug 14, 2009 at 01:10:21PM +0200, Florian Weimer wrote:
> I wonder if it makes sense to set vm.mmap_min_addr to 4096 (instead of
> 0) for lenny. It seems to me that unstable already made this switch,
> and given the apparently neverending sequence of kernel NULL
> dereferences, this might be quite helpful.

The value of 4096 should be safe. We disabled it again, because the
proposed value of 64k just breaks arm. But this needs to be properly
checked. I'm opening a bug to handle this.

Bastian

--
"Beauty is transitory."
"Beauty survives."
-- Spock and Kirk, "That Which Survives", stardate unknown

--
To UNSUBSCRIBE, email to debian-kernel-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org

dann frazier · External Since: Dec 09, 2004 Posts: 208

On Fri, Aug 14, 2009 at 01:10:21PM +0200, Florian Weimer wrote:
> I wonder if it makes sense to set vm.mmap_min_addr to 4096 (instead of
> 0) for lenny. It seems to me that unstable already made this switch,
> and given the apparently neverending sequence of kernel NULL
> dereferences, this might be quite helpful.

I didn't do this for the pending security update (which added some
other protections), but I don't think it's a bad idea. The kernel
currently recommends 65536 for x86/ia64/ppc64 and 32768 for "arm and
other archs". Though, 4096-for-all seems like a good solution to me.

I was thinking that in the pending DSA[1] we could warn users that this
default will change in the next point release, and provide
instructions for making a local configuration change now. Maybe link
to a wiki page w/ instructions, so that we can clarify/tweak later?

As for packages that need a low min_mmap_addr, should we ask them to
somehow start setting this tunable themselves (e.g., by dropping in an
/etc/sysctl.d file)? Anyone know what Ubuntu is doing here?

[1] http://svn.debian.org/wsvn/kernel-sec/dsa-texts/2.6.26-19lenny1
(currently awaiting 1 more arch build)
--
dann frazier

--
To UNSUBSCRIBE, email to debian-kernel-REQUEST DeleteThis @lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster DeleteThis @lists.debian.org

Moritz Muehlenhoff · External Since: Dec 04, 2004 Posts: 297

On 2009-10-21, dann frazier <dannf.TakeThisOut@dannf.org> wrote:
> I was thinking that in the pending DSA[1] we could warn users that this
> default will change in the next point release, and provide
> instructions for making a local configuration change now. Maybe link
> to a wiki page w/ instructions, so that we can clarify/tweak later?

Sounds like a good idea.

Cheers,
Moritz

--
To UNSUBSCRIBE, email to debian-kernel-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org