mmap_min_addr setting may mitigate vmsplice exploit

Rafal Wojtczuk of McAfee Avert Labs posted an interesting analysis of the “qaaz” exploit for the recent vmsplice vulnerabilities.

Since 2.6.23, it has been possible to prevent applications from mapping low pages via the /proc/sys/vm/mmap_min_addr sysctl, which sets the lowest address a process is allowed to map. The point is to make kernel NULL pointer dereferences unexploitable: such a bug is only useful to an attacker if user space can first place controlled data at page zero, which is exactly what the qaaz exploit does.

So, if you have a recent kernel still affected by the vmsplice issue, try:

echo 65536 > /proc/sys/vm/mmap_min_addr

(if it is not already set to a non-zero value, of course). Note that this does not survive a reboot; to make it persistent, add vm.mmap_min_addr = 65536 to /etc/sysctl.conf.

If using SELinux, the system must be running in enforcing mode: on SELinux kernels the low-address check is made as a policy decision, and in permissive mode the denial is only logged while the mapping is allowed to proceed.

Note that there was a bug in the mmap_min_addr code until 2.6.24-rc5, although I do not believe it affects mitigation of this particular exploit.

Generally, it is a good idea to have mmap_min_addr set, although it is disabled by default in the upstream kernel as it can break some applications (e.g. users of vm86 mode, such as X).

As SELinux is able to selectively enforce the setting via policy (a domain that genuinely needs low mappings can be granted the memprotect mmap_zero permission while everything else is denied), it can be enabled for the general case on recent SELinux systems. If not using SELinux, processes with CAP_SYS_RAWIO are allowed to bypass the setting, so the protection only covers unprivileged processes there.
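To check that the setting is actually biting for a given process, rather than trusting the sysctl value alone, here is a small probe program. It is an added example of mine, not code from the post or from Rafal's analysis: it does exactly what the exploit does first, namely map an anonymous page at address zero with MAP_FIXED, and reports the result next to the sysctl value and whether CAP_SYS_RAWIO is in the process's effective capability set. The CAP_SYS_RAWIO bit number and the EPERM/EACCES errno values come from the kernel; the verdict logic (denied only when the sysctl is non-zero and the capability is absent) is my reading of the rules above, and covers both the mitigation procedure and the SELinux and CAP_SYS_RAWIO caveats.

```c
/* Added example (not from the original post): probe whether this process
 * can map the zero page, which is what the vmsplice exploit needs.
 * It reports the sysctl value and whether CAP_SYS_RAWIO is in the effective
 * set, since that capability bypasses the check on non-SELinux kernels. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define CAP_SYS_RAWIO_BIT 17    /* value of CAP_SYS_RAWIO in linux/capability.h */

enum probe { PROBE_MAPPED, PROBE_DENIED, PROBE_ERROR };

/* Current sysctl value, or -1 if /proc is not available. */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Test one bit of a hex capability mask as printed in /proc/self/status. */
int cap_mask_has(const char *hexmask, int cap)
{
    unsigned long long m = strtoull(hexmask, NULL, 16);   /* skips leading blanks */
    return (int)((m >> cap) & 1ULL);
}

/* 1 if CapEff contains CAP_SYS_RAWIO, 0 if not, -1 if it could not be read. */
int have_cap_sys_rawio(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int r = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            r = cap_mask_has(line + 7, CAP_SYS_RAWIO_BIT);
            break;
        }
    }
    fclose(f);
    return r;
}

/* Try to place one anonymous page exactly at addr; the exploit does this
 * with addr == 0 so that a kernel NULL dereference lands on attacker data. */
enum probe try_map_fixed(unsigned long addr)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p != MAP_FAILED) {
        munmap(p, (size_t)pg);
        return PROBE_MAPPED;
    }
    /* A rejection by the mmap_min_addr check shows up as EPERM on current
     * kernels (EACCES on the 2.6.23/2.6.24 kernels the post discusses). */
    if (errno == EPERM || errno == EACCES)
        return PROBE_DENIED;
    return PROBE_ERROR;
}

/* Does the observed result match what the rules in the post predict? The
 * check only bites when mmap_min_addr > 0 and the process lacks CAP_SYS_RAWIO. */
int verdict(long min_addr, int has_rawio, enum probe p)
{
    int expect_denied = (min_addr > 0 && !has_rawio);
    if (p == PROBE_ERROR)
        return 0;
    return expect_denied ? (p == PROBE_DENIED) : (p == PROBE_MAPPED);
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    int rawio = (have_cap_sys_rawio() == 1);
    enum probe p = try_map_fixed(0);
    const char *err = strerror(errno);   /* captured before anything else touches errno */

    printf("vm.mmap_min_addr      : %ld\n", min_addr);
    printf("CAP_SYS_RAWIO (CapEff): %s\n", rawio ? "yes" : "no");
    printf("mmap(0, MAP_FIXED)    : %s\n",
           p == PROBE_MAPPED ? "succeeded, page zero is mappable" :
           p == PROBE_DENIED ? "denied" : err);
    if (!verdict(min_addr, rawio, p))
        printf("result does not match the sysctl: if SELinux is in use, check that it is\n"
               "enforcing; on current kernels a compiled-in floor (CONFIG_LSM_MMAP_MIN_ADDR)\n"
               "can also deny low mappings even when the sysctl reads 0\n");
    return p == PROBE_DENIED ? 0 : 1;
}
```

Run it as the unprivileged user you care about, before and after setting the sysctl. With SELinux in permissive mode, or from a process holding CAP_SYS_RAWIO, it will report that page zero is mappable even though the sysctl is set, which is precisely the failure case described above; the exit status is 0 only when the mapping is refused.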