Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening
Exposed unhashed kernel memory addresses with slub_debug kernel parameter #73
Usually hashed kernel memory addresses are exposed unhashed when the slub_debug kernel parameter or the CONFIG_SLUB_DEBUG_ON option is enabled since v5.14.
This is an issue for those who use the slub_debug command line option as a slub sanitizing security feature as recommended by CLIP OS or KSPP.
We should have a way to disable exposure of dumped memory chunks and unhashed kernel addresses when using slub_debug as a security option.