OL 8 must clear the page allocator to prevent use-after-free attacks.
An XCCDF Rule
Description
<VulnDiscussion>Adversaries may launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-248590r779336_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure OL 8 to enable page poisoning with the following commands:
$ sudo grubby --update-kernel=ALL --args="page_poison=1"
Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: