Harden memory copies between kernel and userspace

An XCCDF Rule

Description

This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and copy_from_user() functions) by rejecting memory ranges that are larger than the specified heap object, span multiple separately allocated pages, are not on the process stack, or are part of the kernel text. This configuration is available from kernel 4.8, and may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_HARDENED_USERCOPY, run the following command: grep CONFIG_HARDENED_USERCOPY /boot/config-* For each kernel installed, a line with value "y" should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

This config prevents entire classes of heap overflow exploits and similar kernel memory exposures.

ID: xccdf_org.ssgproject.content_rule_kernel_config_hardened_usercopy
Severity: High
References: BP28(R15)
Updated: about 1 year ago