Do not allow usercopy whitelist violations to fallback to object size
An XCCDF Rule
Description
This is a temporary option that allows missing usercopy whitelists to be discovered via a WARN() to the kernel log instead of rejecting the copy: the copy falls back to non-whitelisted hardened usercopy, which checks the slab allocation size rather than the whitelist size.
This configuration is available from kernel 4.16.
The configuration that was used to build the kernel is available at /boot/config-*.
To check the configuration value for CONFIG_HARDENED_USERCOPY_FALLBACK, run the following command:
grep CONFIG_HARDENED_USERCOPY_FALLBACK /boot/config-*
Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.
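The check described above as a small POSIX shell script, added here as an example and not part of the SSG rule content. It assumes the same /boot/config-* location, reports "=y" as a violation, and treats both the commented "is not set" line and a missing line (kernels before 4.16) as compliant.

```shell
#!/bin/sh
# Added example (not SSG code): evaluate CONFIG_HARDENED_USERCOPY_FALLBACK
# the way the rule describes it. Compliant means the option is absent or only
# present as the Kconfig comment "# CONFIG_... is not set"; an uncommented
# "CONFIG_...=y" line means the fallback is enabled, which is the violation.
OPTION=CONFIG_HARDENED_USERCOPY_FALLBACK

# usercopy_fallback_state FILE
# Prints "set", "unset", "missing" or "unreadable"; exit status 0 = compliant.
usercopy_fallback_state() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    # An enabled bool option is an uncommented line: CONFIG_X=y
    if grep -q "^${OPTION}=" "$file"; then
        echo "set"
        return 1
    fi
    # Kconfig records a disabled bool option as a comment line
    if grep -q "^# ${OPTION} is not set" "$file"; then
        echo "unset"
        return 0
    fi
    # No line at all: option did not exist in this kernel (pre-4.16) or was
    # stripped from the config; either way the fallback cannot be enabled.
    echo "missing"
    return 0
}

# check_all_boot_configs
# Runs the check over every /boot/config-* file; returns 0 only if all pass.
check_all_boot_configs() {
    rc=0
    for f in /boot/config-*; do
        [ -e "$f" ] || { echo "no /boot/config-* files found" >&2; return 2; }
        state=$(usercopy_fallback_state "$f") || rc=1
        printf '%s: %s %s\n' "$f" "$OPTION" "$state"
    done
    return $rc
}

# Usage on a real host: sh check_usercopy_fallback.sh --run
if [ "${1-}" = "--run" ]; then
    check_all_boot_configs
fi
```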
Rationale
This config prevents entire classes of heap overflow exploits and similar kernel memory exposures.
- ID: xccdf_org.ssgproject.content_rule_kernel_config_hardened_usercopy_fallback
- Severity: High
- References:
- Updated: