mmap_min_addr
Overview
mmap_min_addr is a kernel tunable that specifies the minimum virtual address that a process is allowed to mmap. Allowing processes to map low addresses increases the security impact of a class of defects known as "kernel NULL pointer dereference" defects. If a malicious local user finds a way to trigger one of these NULL pointer defects, they can exploit it to cause system hangs, crashes, or otherwise make parts of the system unusable. If this user is also able to map low portions of virtual memory, they can often further exploit this issue to gain increased privileges.
The downside to preventing applications from mmap'ing low virtual memory addresses is that certain applications depend on this functionality. dosemu, qemu and wine are three such applications that exist in Debian. See the application specific information below.
Current status
Starting with Debian 5.0.4, the 2.6.26 kernel is configured with a default mmap_min_addr of '4096'. If you find this prevents you from running certain applications, you can remove this restriction using the following commands:
# echo "vm.mmap_min_addr = 0" > /etc/sysctl.d/mmap_min_addr.conf
# /etc/init.d/procps restart
If you only need to run the affected application infrequently, you can temporarily decrease the value using the following command:
# sysctl -w vm.mmap_min_addr="0"
You can then reactivate the restriction by running the following command:
# sysctl -w vm.mmap_min_addr="4096"
In Debian 5.0.0 through 5.0.3 inclusive, the 2.6.26 kernel is shipped with a default mmap_min_addr of '0'. This means that the Debian system, by default, is susceptible to these NULL-pointer privilege escalation techniques. It is recommended that you increase the value of mmap_min_addr on your system by upgrading to 5.0.4; see the update announcement.
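An added example, not part of the original page or of Debian's own tooling: a shell audit that reports when the restriction described above has been lowered, either in the running kernel or by a leftover file such as /etc/sysctl.d/mmap_min_addr.conf. The function names and the MIN_SAFE constant are this example's own choices, and it flags every low assignment without modelling which sysctl file takes precedence.

```shell
#!/bin/sh
# Added example (not from the original page): flag a lowered vm.mmap_min_addr,
# both in the running kernel and in persistent sysctl configuration.
MIN_SAFE=4096   # the Debian 5.0.4 default named on this page

# Print "file:value" for each vm.mmap_min_addr assignment below MIN_SAFE.
find_low_overrides() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v min="$MIN_SAFE" -v file="$f" '
            /^[ \t]*[#;]/ { next }             # skip comment lines
            {
                line = $0
                gsub(/[ \t]/, "", line)        # "key = value" -> "key=value"
                sub(/^-/, "", line)            # leading "-" means ignore errors
                if (split(line, kv, "=") != 2) next
                if (kv[1] != "vm.mmap_min_addr" && kv[1] != "vm/mmap_min_addr") next
                if (kv[2] ~ /^[0-9]+$/ && kv[2] + 0 < min) print file ":" kv[2]
            }' "$f"
    done
}

# Check the runtime value (first argument: path to the proc file) and the
# given config files. Returns 0 when nothing is below MIN_SAFE, 1 otherwise.
audit_mmap_min_addr() {
    proc_file=$1; shift
    status=0
    current=$(cat "$proc_file" 2>/dev/null || true)
    case $current in
        ''|*[!0-9]*) echo "runtime: value unreadable"; status=1 ;;
        *)  if [ "$current" -lt "$MIN_SAFE" ]; then
                echo "runtime: $current (below $MIN_SAFE)"; status=1
            else
                echo "runtime: $current (ok)"
            fi ;;
    esac
    low=$(find_low_overrides "$@")
    if [ -n "$low" ]; then
        echo "persistent assignments below $MIN_SAFE:"; echo "$low"; status=1
    fi
    return "$status"
}

# Audit the live system only when the script is started with the argument "run".
if [ "${1:-}" = run ]; then
    audit_mmap_min_addr /proc/sys/vm/mmap_min_addr /etc/sysctl.conf /etc/sysctl.d/*.conf
fi
```

A non-zero exit status means either the running value or at least one configuration file sets mmap_min_addr below 4096, which is worth checking after a temporary change made for dosemu, qemu or wine.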
Application specific information
bitbake
From the OpenEmbedded User Manual: bitbake might complain that there is a problem with the setting in /proc/sys/vm/mmap_min_addr, which needs to be set to zero.
dosemu
dosemu, as shipped in Debian 5.0, must run with vm.mmap_min_addr set to 0 or be executed as root. This limitation has been removed upstream (505247), so dosemu should work with an increased mmap_min_addr starting with Debian squeeze.
qemu
qemu, as shipped in Debian 5.0, requires low virtual memory mmaps. mmap_min_addr must be set to 0 to run qemu as a non-root user. This limitation has been removed upstream, so qemu should work with an increased mmap_min_addr starting with Debian squeeze.
wine
Only Win16 binaries require the ability to mmap low addresses; Win32 binaries do not. It is recommended that you test your application with the increased mmap_min_addr setting. If the application starts up without issue, then you should not need to remove the mmap_min_addr restriction.