Enable poison of pages after freeing

An XCCDF Rule

Description

Fill the pages with poison patterns after free_pages() and verify the patterns before alloc_pages(). This does have a potential performance impact if enabled with the "page_poison=1" kernel boot option. This configuration is available from kernel 4.6. The configuration that was used to build the kernel is available at /boot/config-*. To check the configuration value for CONFIG_PAGE_POISONING, run the following command:

grep CONFIG_PAGE_POISONING /boot/config-*

For each kernel installed, a line with the value "y" should be returned.

Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
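The following script is an added example, not part of the SCAP Security Guide content. It evaluates this rule the way an automated check would: it reads every /boot/config-* file, distinguishes "y" from "is not set" and from the option being absent entirely (kernels older than 4.6), and reports a per-kernel PASS/FAIL. The sample config files are constructed in a temporary directory so it runs offline; setting CONFIG_DIR=/boot evaluates the installed kernels instead.

```shell
#!/bin/sh
# Added example (not SSG code): evaluate CONFIG_PAGE_POISONING across all
# kernel config files, handling y / "is not set" / option absent.

# Print the value of a Kconfig option in one file: y, m, n or "absent".
kconfig_value() {
    file=$1; opt=$2
    if grep -q "^${opt}=" "$file"; then
        sed -n "s/^${opt}=//p" "$file" | head -n1
    elif grep -q "^# ${opt} is not set" "$file"; then
        echo n
    else
        echo absent            # option unknown to this kernel (pre-4.6)
    fi
}

# Rule check: pass only if every config-* file in $1 has the option set to y.
# Prints one line per kernel; returns 0 on pass, 1 on any failure.
check_page_poisoning() {
    dir=$1; rc=0
    for f in "$dir"/config-*; do
        [ -e "$f" ] || { echo "no kernel configs found in $dir"; return 1; }
        v=$(kconfig_value "$f" CONFIG_PAGE_POISONING)
        if [ "$v" = y ]; then
            echo "PASS ${f##*/config-}: CONFIG_PAGE_POISONING=y"
        else
            echo "FAIL ${f##*/config-}: CONFIG_PAGE_POISONING=$v"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data: one compliant kernel, one with poisoning disabled,
# one pre-4.6 kernel that does not know the option at all.
make_samples() {
    d=$(mktemp -d)
    printf 'CONFIG_PAGE_POISONING=y\nCONFIG_SLUB_DEBUG=y\n' > "$d/config-5.10-sample"
    printf '# CONFIG_PAGE_POISONING is not set\n' > "$d/config-4.9-sample"
    printf 'CONFIG_SLUB_DEBUG=y\n' > "$d/config-4.4-sample"
    echo "$d"
}

status=0
check_page_poisoning "${CONFIG_DIR:-$(make_samples)}" || status=$?
echo "rule result: $status (0 = pass)"
```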

Rationale

The filling of the memory helps reduce the risk of information leaks from freed data.

ID
xccdf_org.ssgproject.content_rule_kernel_config_page_poisoning
Severity
Medium