
Configure low address space to protect from user allocation

An XCCDF Rule

Description

CONFIG_DEFAULT_MMAP_MIN_ADDR sets the default for the lowest virtual address that a process is allowed to map; the pages below it are kept out of reach of userspace allocation. This configuration option is available from kernel 3.14 onwards, and may also be present in older distribution kernels that backported it. The configuration used to build each installed kernel is recorded in /boot/config-*. To check the value of CONFIG_DEFAULT_MMAP_MIN_ADDR, run:

grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config-*

For each installed kernel, the output should contain a line with the value "65536" (that is, CONFIG_DEFAULT_MMAP_MIN_ADDR=65536). A lower value, or no line at all for one of the installed kernels, means the check fails for that kernel.
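The check above, scripted so that it can be run over every installed kernel configuration and report each one separately. This is an added example, not the rule's own check content; the helper names, the "unset" marker, and the sample config files used in the usage notes are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify CONFIG_DEFAULT_MMAP_MIN_ADDR across all kernel config files.
# Not part of the SSG rule itself; function names and any sample files are constructed.

EXPECTED=65536

# Print the value of CONFIG_DEFAULT_MMAP_MIN_ADDR found in one config file,
# or "unset" if the option is absent or commented out ("# ... is not set").
mmap_min_addr_value() {
    val=$(sed -n 's/^CONFIG_DEFAULT_MMAP_MIN_ADDR=//p' "$1" | head -n 1)
    if [ -z "$val" ]; then
        echo unset
    else
        echo "$val"
    fi
}

# Check every file matching a glob pattern (for example '/boot/config-*').
# Returns 0 only if every file carries the expected value, 1 if any file
# fails, and 2 if the pattern matches no files at all (no kernel to check).
check_all_configs() {
    pattern=$1
    want=${2:-$EXPECTED}
    rc=0
    found=0
    for f in $pattern; do           # unquoted on purpose: let the shell expand the glob
        [ -e "$f" ] || continue     # literal pattern left over means no match
        found=1
        got=$(mmap_min_addr_value "$f")
        if [ "$got" = "$want" ]; then
            echo "PASS $f CONFIG_DEFAULT_MMAP_MIN_ADDR=$got"
        else
            echo "FAIL $f CONFIG_DEFAULT_MMAP_MIN_ADDR=$got (expected $want)"
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no files match $pattern"
        return 2
    fi
    return $rc
}

# Print the value the running kernel is actually enforcing, for comparison.
# The compile-time option only sets the default; the sysctl can override it.
runtime_mmap_min_addr() {
    cat /proc/sys/vm/mmap_min_addr 2>/dev/null || echo unknown
}

# Typical invocation on a real host (not run here, so the file can be sourced):
#   check_all_configs '/boot/config-*' && echo "runtime: $(runtime_mmap_min_addr)"
```

Run `check_all_configs '/boot/config-*'` on the host being assessed; a non-zero exit marks the rule as failed. Comparing the result with `runtime_mmap_min_addr` catches the case where the kernel was built with the right default but an administrator lowered vm.mmap_min_addr at runtime, which the config-file check alone cannot see.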

Warning

There is no remediation for this rule other than rebuilding the kernel with the appropriate value for this option: the check reads the compile-time configuration recorded in /boot/config-*, which cannot be changed on a running system. Note that the option only sets a default; the limit actually enforced is the vm.mmap_min_addr sysctl (/proc/sys/vm/mmap_min_addr), which can be raised or lowered at runtime and should be verified separately.

Rationale

Preventing userspace from mapping the lowest pages of the address space reduces the impact of kernel NULL pointer dereference bugs. If a process could map page zero, a kernel dereference of a NULL (or small-offset) pointer would read or execute attacker-controlled data instead of faulting, turning a crash into a privilege escalation primitive.

ID
xccdf_org.ssgproject.content_rule_kernel_config_default_mmap_min_addr
Severity
Medium