Configure Low Address Space To Protect From User Allocation
An XCCDF Rule
Description
This is the portion of low virtual memory which should be protected from userspace allocation.
This configuration option exists since kernel 3.14, but may also be present in older kernels if backported by distributions.
The configuration that was used to build the kernel is available at /boot/config-*.
To check the configuration value for CONFIG_DEFAULT_MMAP_MIN_ADDR, run the following command:
grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config-*
For each installed kernel, a line with the value should be returned.
If the system architecture is x86_64, the value should be 65536.
If the system architecture is aarch64, the value should be 32768.
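The check above, carried out for every installed kernel with the architecture-specific expected value, as an added example script (not part of the XCCDF rule content); it assumes the configs live at /boot/config-* and that `uname -m` reports x86_64 or aarch64.

```shell
#!/bin/sh
# Added example (not the rule's own check): audit every installed kernel's
# build configuration for CONFIG_DEFAULT_MMAP_MIN_ADDR and compare it with
# the value the rule expects for the running architecture.

# Expected value per architecture, exactly as stated by the rule.
expected_mmap_min_addr() {
    case "$1" in
        x86_64)  echo 65536 ;;
        aarch64) echo 32768 ;;
        *)       return 1 ;;   # the rule states no value for other architectures
    esac
}

# Print the configured value from one kernel config file; prints nothing if
# the option is absent (e.g. a pre-3.14 kernel without a backport).
configured_mmap_min_addr() {
    sed -n 's/^CONFIG_DEFAULT_MMAP_MIN_ADDR=\([0-9]*\)$/\1/p' "$1"
}

# Check a single config file against the architecture's expected value.
# Returns 0 (pass) or 1 (fail) and prints a one-line verdict.
check_mmap_min_addr() {
    file=$1 arch=$2
    want=$(expected_mmap_min_addr "$arch") || {
        echo "SKIP $file: no expected value defined for $arch"; return 1; }
    have=$(configured_mmap_min_addr "$file")
    if [ -z "$have" ]; then
        echo "FAIL $file: CONFIG_DEFAULT_MMAP_MIN_ADDR is not set"; return 1
    elif [ "$have" -ne "$want" ]; then
        echo "FAIL $file: CONFIG_DEFAULT_MMAP_MIN_ADDR=$have, expected $want"; return 1
    fi
    echo "PASS $file: CONFIG_DEFAULT_MMAP_MIN_ADDR=$have"
}

# Audit every installed kernel; exit status is non-zero if any config fails.
audit_all_kernels() {
    arch=$(uname -m) status=0
    for f in /boot/config-*; do
        [ -e "$f" ] || { echo "FAIL: no /boot/config-* files found"; return 1; }
        check_mmap_min_addr "$f" "$arch" || status=1
    done
    return $status
}
```

Source the script and run `audit_all_kernels`; a non-zero exit status means at least one installed kernel does not meet the rule.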
Rationale
Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.
- ID
- xccdf_org.ssgproject.content_rule_kernel_config_default_mmap_min_addr
- Severity
- Medium