enable CONFIG_SECURITY_MMAP_MIN_ADDR
Dave Jones
davej at redhat.com
Thu Feb 14 17:24:22 UTC 2008
On Thu, Feb 14, 2008 at 11:09:52AM -0500, Eric Paris wrote:
> Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR
> Kconfig option. In the past I tried to get this enabled by default
> using sysctl, a fedora kernel patch, and now I've got the Kconfig option
> in the upstream kernel. Lets set this equal to 65536. I've been
> running with this setting on my F8 laptop for some time and haven't seen
> any problems (although I do know that dosemu may be an issue for both of
> the people in the world who use it, there also may be some virt issues
> that I don't know about but which can be very quickly and easily sorted
> out)
>
> This sysctl hardens the kernel against null pointer bugs. Remember the
> priv escalation that was all the news last weekend? Not an issue with
> this enabled!
>
> http://www.avertlabs.com/research/blog/index.php/2008/02/13/analyzing-the-linux-kernel-vmsplice-exploit/
I'm more concerned about wine than dosemu. That also uses vm86 afaik.
Setting it to !0 on non-x86 builds sounds like it's a safe thing to do however.
Dave
--
http://www.codemonkey.org.uk
More information about the Fedora-kernel-list
mailing list