Re: Setting vm.mmap_min_addr for lenny?

To: Florian Weimer <fw@deneb.enyo.de>
Cc: debian-kernel@lists.debian.org
Subject: Re: Setting vm.mmap_min_addr for lenny?
From: dann frazier <dannf@dannf.org>
Date: Wed, 21 Oct 2009 10:26:45 -0600
Message-id: <[🔎] 20091021162644.GB4394@lackof.org>
In-reply-to: <87vdkqabxe.fsf@mid.deneb.enyo.de>
References: <87vdkqabxe.fsf@mid.deneb.enyo.de>

On Fri, Aug 14, 2009 at 01:10:21PM +0200, Florian Weimer wrote:
> I wonder if it makes sense to set vm.mmap_min_addr to 4096 (instead of
> 0) for lenny.  It seems to me that unstable already made this switch,
> and given the apparently neverending sequence of kernel NULL
> dereferences, this might be quite helpful.

I didn't do this for the pending security update (which added some
other protections), but I don't think it's a bad idea. The kernel
currently recommends 65536 for x86/ia64/ppc64 and 32768 for "arm and
other archs". Though, 4096-for-all seems like a good solution to me.

I was thinking that in the pending DSA[1] we could warn users that this
default will change in the next point release, and provide
instructions for making a local configuration change now. Maybe link
to a wiki page w/ instructions, so that we can clarify/tweak later?

As for packages that need a low min_mmap_addr, should we ask them to
somehow start setting this tunable themselves (e.g., by dropping in an
/etc/sysctl.d file)? Anyone know what Ubuntu is doing here?

[1] http://svn.debian.org/wsvn/kernel-sec/dsa-texts/2.6.26-19lenny1
    (currently awaiting 1 more arch build)
-- 
dann frazier

Reply to:

Follow-Ups:
- Re: Setting vm.mmap_min_addr for lenny?
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Re: Debian Kernel Group Meeting / Xen dom0
Next by Date: Re: Stable update?
Previous by thread: Processed: reopening 551728
Next by thread: Re: Setting vm.mmap_min_addr for lenny?
Index(es):
- Date
- Thread