Force initialization of variables containing userspace addresses
An XCCDF Rule
Description
While the kernel is built with warnings enabled for any missed stack variable initializations,
this warning is silenced for anything passed by reference to another function, under the
occasionally misguided assumption that the function will do the initialization. As this
regularly leads to exploitable flaws, this plugin is available to identify and zero-initialize
such variables, depending on the chosen level of coverage.
This configuration is available from kernel 4.11, but may be available in earlier kernels if backported
by distros.
The configuration that was used to build the kernel is available at /boot/config-*.
To check the configuration value for CONFIG_GCC_PLUGIN_STRUCTLEAK, run the following command:
grep CONFIG_GCC_PLUGIN_STRUCTLEAK /boot/config-*
For each kernel installed, a line with value "y" should be returned.
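The check above as a script, added here as an example and not part of the rule's own content. It evaluates each /boot/config-* file separately and matches the whole line, because a plain grep for CONFIG_GCC_PLUGIN_STRUCTLEAK also prints sub-options such as CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE. The function names structleak_state and check_all_kernels are hypothetical.

```shell
#!/bin/sh
# Added example: per-kernel check that CONFIG_GCC_PLUGIN_STRUCTLEAK is "y".
# Function names are hypothetical; only the option name and the
# /boot/config-* location come from the rule text.

OPT=CONFIG_GCC_PLUGIN_STRUCTLEAK

# Print "enabled", "disabled" or "missing" for one kernel config file.
# grep -x anchors on the whole line, so sub-options such as
# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE or CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
# are not mistaken for the option itself.
structleak_state() {
    if grep -qx "${OPT}=y" "$1"; then
        echo enabled
    elif grep -qx "# ${OPT} is not set" "$1"; then
        echo disabled
    else
        echo missing
    fi
}

# Check every config-* file in a directory (default: /boot).
# Returns 0 only if at least one config exists and all are enabled,
# 1 if any kernel lacks the option, 2 if no config file was found.
check_all_kernels() {
    dir=${1:-/boot}
    rc=0
    found=0
    for cfg in "$dir"/config-*; do
        [ -f "$cfg" ] || continue
        found=1
        state=$(structleak_state "$cfg")
        printf '%s: %s\n' "$cfg" "$state"
        [ "$state" = enabled ] || rc=1
    done
    [ "$found" -eq 1 ] || { echo "no kernel config found in $dir" >&2; rc=2; }
    return "$rc"
}
```

Source the file and call `check_all_kernels` with no argument to audit /boot; a non-zero return means at least one installed kernel does not have the option set to "y".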
Rationale
Initializing structures from userspace can prevent some classes of information exposure.
- ID: xccdf_org.ssgproject.content_rule_kernel_config_gcc_plugin_structleak
- Severity: Medium