On Fri, Aug 14, 2009 at 01:10:21PM +0200, Florian Weimer wrote:
> I wonder if it makes sense to set vm.mmap_min_addr to 4096 (instead of
> 0) for lenny. It seems to me that unstable already made this switch,
> and given the apparently neverending sequence of kernel NULL
> dereferences, this might be quite helpful.
I didn't do this for the pending security update (which added some other protections), but I don't think it's a bad idea. The kernel currently recommends 65536 for x86/ia64/ppc64 and 32768 for "arm and other archs". Though, 4096-for-all seems like a good solution to me.

I was thinking that in the pending DSA[1] we could warn users that this default will change in the next point release, and provide instructions for making a local configuration change now. Maybe link to a wiki page w/ instructions, so that we can clarify/tweak later?

As for packages that need a low mmap_min_addr, should we ask them to somehow start setting this tunable themselves (e.g., by dropping in an /etc/sysctl.d file)? Anyone know what Ubuntu is doing here?

[1] http://svn.debian.org/wsvn/kernel-sec/dsa-texts/2.6.26-19lenny1 (currently awaiting 1 more arch build)

-- 
dann frazier