On Wed, Apr 6, 2016 at 11:52 AM, Christian Kujau <li...@nerdbynature.de> wrote:
> On Wed, 6 Apr 2016, e...@abdsec.com wrote:
>> First, I wrote your attached patch, but then I thought zeroing other
>> /proc/iomem values would be better. So I changed it.
>
> On my systems, /proc/iomem, /proc/ioports and others get their
> world-readable bits removed during bootup - I guess that would mitigate
> this issue too?

Yeah, I think that'd be sufficient (that's the first patch I
suggested). It's not as strong as kptr_restrict since kptr_restrict has
mode "2", but ... I think that's some diminishing returns...

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security
