enable CONFIG_SECURITY_MMAP_MIN_ADDR

Dave Jones davej at redhat.com
Thu Feb 14 17:24:22 UTC 2008


On Thu, Feb 14, 2008 at 11:09:52AM -0500, Eric Paris wrote:
 > Looks like rawhide kernels now have the CONFIG_SECURITY_MMAP_MIN_ADDR
 > Kconfig option.  In the past I tried to get this enabled by default
 > using sysctl, a fedora kernel patch, and now I've got the Kconfig option
 > in the upstream kernel.  Lets set this equal to 65536.  I've been
 > running with this setting on my F8 laptop for some time and haven't seen
 > any problems (although I do know that dosemu may be an issue for both of
 > the people in the world who use it, there also may be some virt issues
 > that I don't know about but which can be very quickly and easily sorted
 > out)
 > 
 > This sysctl hardens the kernel against null pointer bugs.  Remember the
 > priv escalation that was all the news last weekend?  Not an issue with
 > this enabled!
 > 
 > http://www.avertlabs.com/research/blog/index.php/2008/02/13/analyzing-the-linux-kernel-vmsplice-exploit/

I'm more concerned about wine than dosemu. That also uses vm86 afaik.
Setting it to !0 on non-x86 builds sounds like it's a safe thing to do however.

	Dave

-- 
http://www.codemonkey.org.uk




More information about the Fedora-kernel-list mailing list