Enable page allocator poisoning

An XCCDF Rule

Details
Profiles
Prose

Description

To enable poisoning of free pages, add the argument page_poison=1 to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.

Rationale

Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

ID: xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument
Severity: Medium
References: CM-6(a)

SRG-APP-000243-CTR-000600

CCE-82673-5
Updated: about 1 year ago


apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
  kernelArguments:
    - page_poison=1

Enable page allocator poisoning

Description

Rationale

Remediation - Kubernetes Patch