RHEL 9 must clear the page allocator to prevent use-after-free attacks.

An XCCDF Rule

Description

<VulnDiscussion>Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-257793r925366_rule
Severity: Medium
References: CCI-000366 CCI-001084
Updated: 8 months ago

Configure RHEL 9 to enable page poisoning with the following commands:

$ sudo grubby --update-kernel=ALL --args="page_poison=1"

Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates:
GRUB_CMDLINE_LINUX="page_poison=1"

RHEL 9 must clear the page allocator to prevent use-after-free attacks.

Description

Remediation - Manual Procedure