Skip to content

Disable merging of slabs with similar size

An XCCDF Rule

Description

The kernel may merge similar slabs together to reduce overhead and increase cache hotness of objects. Disabling merging of slabs keeps the slabs separate and reduces the risk of kernel heap overflows overwriting objects in merged caches. To disable merging of slabs in the Kernel add the argument slab_nomerge=yes to the default GRUB 2 command line for the Linux operating system. To ensure that slab_nomerge=yes is added as a kernel command line argument to newly installed kernels, add slab_nomerge=yes to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... slab_nomerge=yes ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="slab_nomerge=yes"

warning alert: Performance Warning

Disabling merge of slabs will slightly increase kernel memory utilization.

Rationale

Disabling the merge of slabs of similar sizes prevents the kernel from merging a seemingly useless but vulnerable slab with a useful and valuable slab. This increase the risk that a heap overflow could overwrite objects from merged caches, with unmerged caches the heap overflow would only affect the objects in the same cache. Overall, this reduces the kernel attack surface area by isolating slabs from each other.

ID
xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument
Severity
Medium
References
Updated



Remediation - OS Build Blueprint

[customizations.kernel]
append = "slab_nomerge=yes"

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-87770-4
  - grub2_slab_nomerge_argument

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

grubby --update-kernel=ALL --args=slab_nomerge=yes

else