Differences between revisions 8 and 9
Revision 8 as of 2009-11-09 22:30:17
Size: 3353
Editor: DannFrazier
Comment:
Revision 9 as of 2009-11-09 23:46:41
Size: 3483
Editor: FranklinPiat
Comment: minor formating improvements
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= Overview =
mmap_min_addr is a kernel tunable that specifies the minimum virtual address that a process is allowed to mmap.
== Overview ==
{{{mmap_min_addr}}} is a kernel tunable that specifies the minimum virtual address that a process is allowed to mmap.
Line 7: Line 7:
= Current status =
Debian 5.0.3 ships with a default mmap_min_addr of '0'. This means that the Debian system, by default, is susceptible to these NULL-pointer privilege escalation techniques. Unless you know that you have applications that require this functionality, it is recommended that you increase the value of mmap_min_addr on your system.
== Current status ==
Debian 5.0.3 ships with a {{{default mmap_min_addr}}} of '{{{0}}}'. This means that the Debian system, by default, is susceptible to these NULL-pointer privilege escalation techniques. Unless you know that you have applications that require this functionality, it is recommended that you increase the value of {{{mmap_min_addr}}} on your system.
Line 18: Line 18:
= Future plans =
Starting with Debian 5.0.4, the default value of mmap_min_addr will be increased to 4096. If you find this prevents you from running certain applications, you can remove this restriction using the following commands:
== Future plans ==
Starting with Debian 5.0.4, the default value of {{{mmap_min_addr}}} will be increased to {{{4096}}}. If you find this prevents you from running certain applications, you can remove this restriction using the following commands:
Line 33: Line 33:
= Application specific information =
== bitbake ==
== Application specific information ==
=== bitbake ===
Line 36: Line 36:
''BitBake might complain that there is a problem with the setting in /proc/sys/vm/mmap_min_addr, which needs to be set to zero.''
== dosemu ==
dosemu must run with vm.mmap_min_addr set to 0, or be executed as root. The maintainers are investigating ways of dealing with this issue in packaging, see: DebianBug:505247
== wine ==
Only Win16 binaries require the ability to mmap low addresses, Win32 binaries do not. It is recommended that you test your application with the increase mmap_min_addr setting. If the application starts up without issue, then you should not need to remove the mmap_min_addr restriction.
== qemu ==
qemu, as shipped in Debian 5.0, requires low virtual memory mmaps. mmap_min_addr must be set to 0 to run qemu as a non-root user. This limitation has been removed upstream, so qemu should work with an increase mmap_min_addr starting with Debian squeeze.
''DebianPkg:bitbake might complain that there is a problem with the setting in {{{/proc/sys/vm/mmap_min_addr}}}, which needs to be set to zero.''
=== dosemu ===
DebianPkg:dosemu must run with {{{vm.mmap_min_addr}}} set to {{{0}}}, or be executed as root. The maintainers are investigating ways of dealing with this issue in packaging, see: DebianBug:505247
=== wine ===
Only Win16 binaries require the ability to mmap low addresses, Win32 binaries do not. It is recommended that you test your application with the increase {{{mmap_min_addr}}} setting. If the application starts up without issue, then you should not need to remove the {{{mmap_min_addr}}} restriction.
=== qemu ===
DebianPkg:qemu, as shipped in Debian 5.0, requires low virtual memory mmaps. {{{mmap_min_addr}}} must be set to {{{0}}} to run qemu as a non-root user. This limitation has been removed upstream, so qemu should work with an increase {{{mmap_min_addr}}} starting with Debian squeeze.

Overview

mmap_min_addr is a kernel tunable that specifies the minimum virtual address that a process is allowed to mmap. Allowing processes to map low values increases the security implications of a class of defects known as "kernel NULL pointer dereference" defects. If a malicious local user finds a way to trigger one of these NULL pointer defects, they can exploit it to cause system hangs, crashes, or otherwise make parts of the system unusable. If this user is also able to map low portions of virtual memory, they can often further exploit this issue to gain increased privileges.

The downside to preventing applications from mmap'ing low virtual memory addresses is that certain applications depend on this functionality. dosemu, qemu and wine are three such applications that exist in Debian 5.0 ('lenny'). See the application specific information below.

Current status

Debian 5.0.3 ships with a default mmap_min_addr of '0'. This means that the Debian system, by default, is susceptible to these NULL-pointer privilege escalation techniques. Unless you know that you have applications that require this functionality, it is recommended that you increase the value of mmap_min_addr on your system.

To do this, you can cut & paste the following commands:

# echo "vm.mmap_min_addr = 4096" > /etc/sysctl.d/mmap_min_addr.conf
# /etc/init.d/procps restart

The 2.6.18 kernel in Debian 4.0 ('etch') does not support this kernel tunable. To obtain this safeguard, it is recommended that users install the 2.6.24 "EtchAndAHalf" kernel, or upgrade your systems to Debian 5.0 ('lenny').

Future plans

Starting with Debian 5.0.4, the default value of mmap_min_addr will be increased to 4096. If you find this prevents you from running certain applications, you can remove this restriction using the following commands:

# echo "vm.mmap_min_addr = 0" > /etc/sysctl.d/mmap_min_addr.conf
# /etc/init.d/procps restart

If you only need to run the affected application infrequently, you can temporarily decrease the value using the following command:

# sysctl -w vm.mmap_min_addr="0"

You can then reactivate the restriction by running the following command:

# sysctl -w vm.mmap_min_addr="4096"

Application specific information

bitbake

From the OpenEmbedded User Manual: bitbake might complain that there is a problem with the setting in /proc/sys/vm/mmap_min_addr, which needs to be set to zero.

dosemu

dosemu must run with vm.mmap_min_addr set to 0, or be executed as root. The maintainers are investigating ways of dealing with this issue in packaging, see: 505247

wine

Only Win16 binaries require the ability to mmap low addresses, Win32 binaries do not. It is recommended that you test your application with the increase mmap_min_addr setting. If the application starts up without issue, then you should not need to remove the mmap_min_addr restriction.

qemu

qemu, as shipped in Debian 5.0, requires low virtual memory mmaps. mmap_min_addr must be set to 0 to run qemu as a non-root user. This limitation has been removed upstream, so qemu should work with an increase mmap_min_addr starting with Debian squeeze.