
Detect stack corruption on calls to schedule()

An XCCDF Rule

Description

This option checks for a stack overrun on calls to schedule(). If the stack end location is found to be overwritten, the kernel always panics, because the content of the corrupted region can no longer be trusted. This configuration is available from kernel 3.18.

The configuration that was used to build the kernel is available at /boot/config-*. To check the configuration value for CONFIG_SCHED_STACK_END_CHECK, run the following command:

grep CONFIG_SCHED_STACK_END_CHECK /boot/config-*

For each kernel installed, a line with the value "y" should be returned.
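A scripted version of the check described above, added here as an example; it is not part of the SSG rule, its OVAL check or its remediation content. It assumes only a POSIX shell and grep. The function name and the sample config files are this example's own, constructed so the script runs without a real /boot, and the "lookalike" file shows why the option name must be anchored rather than matched as a bare substring:

```shell
#!/bin/sh
# Added example, not part of the SSG rule content: evaluate the rule's check
# (CONFIG_SCHED_STACK_END_CHECK=y in every /boot/config-*) per kernel instead
# of eyeballing grep output. Function and file names are this example's own.

# Usage: check_sched_stack_end_check /boot/config-*
# Prints one PASS/FAIL line per config file; returns 0 only if all pass.
check_sched_stack_end_check() {
    rc=0
    for cfg in "$@"; do
        if [ ! -r "$cfg" ]; then
            echo "FAIL $cfg (unreadable)"
            rc=1
            continue
        fi
        # Kconfig writes either "CONFIG_X=y" or "# CONFIG_X is not set".
        # Matching up to the "=" or " " that follows the name avoids
        # accepting a longer option that merely starts with the same text.
        line=$(grep -E '^(# )?CONFIG_SCHED_STACK_END_CHECK[ =]' "$cfg" | tail -n 1)
        case "$line" in
            'CONFIG_SCHED_STACK_END_CHECK=y')
                echo "PASS $cfg" ;;
            '# CONFIG_SCHED_STACK_END_CHECK is not set')
                echo "FAIL $cfg (built with the option disabled)"; rc=1 ;;
            '')
                # Absent entirely: kernel older than 3.18 or not a kernel config.
                echo "FAIL $cfg (option absent)"; rc=1 ;;
            *)
                echo "FAIL $cfg (unexpected: $line)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample configs standing in for /boot/config-* (not real files).
demo_dir=$(mktemp -d)
printf 'CONFIG_SCHED_STACK_END_CHECK=y\n' > "$demo_dir/config-sample-hardened"
printf '# CONFIG_SCHED_STACK_END_CHECK is not set\n' > "$demo_dir/config-sample-disabled"
# Hypothetical option name, constructed to show that a bare substring grep
# would wrongly count it as a pass.
printf 'CONFIG_SCHED_STACK_END_CHECK_EXTRA=y\n' > "$demo_dir/config-sample-lookalike"

if check_sched_stack_end_check "$demo_dir"/config-*; then
    echo "all kernels pass"
else
    echo "at least one kernel fails"   # expected for the constructed set above
fi
rm -rf "$demo_dir"
```

Pass every /boot/config-* to the function, as the rule requires, rather than only the running kernel's file: an older installed kernel that is still bootable is exactly the case the per-kernel wording is meant to catch. Only the literal "=y" form passes; the "# ... is not set" form and a missing option both fail, the latter being what a pre-3.18 kernel's config produces.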

Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

Panicking at the point of detection stops the kernel from continuing to run on a corrupted stack. Otherwise the overwritten region would be used later, with the erroneous behaviour showing up only as data corruption or a sporadic crash far from its cause.

ID
xccdf_org.ssgproject.content_rule_kernel_config_sched_stack_end_check
Severity
Medium
References
Updated