On Wed, Feb 19, 2025 at 06:04:31PM +0100, Yves-Alexis Perez wrote:
> On Wed, 2025-02-19 at 16:09 +0100, Lee Garrett wrote:
> > Hi,
> > 
> > after installing this package and rebooting, I get the following:
> > 
> > Feb 19 15:55:06 hopper kernel: **********************************************************
> > Feb 19 15:55:06 hopper kernel: **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
> > Feb 19 15:55:06 hopper kernel: **                                                      **
> > Feb 19 15:55:06 hopper kernel: ** This system shows unhashed kernel memory addresses   **
> > Feb 19 15:55:06 hopper kernel: ** via the console, logs, and other interfaces. This    **
> > Feb 19 15:55:06 hopper kernel: ** might reduce the security of your system.            **
> > Feb 19 15:55:06 hopper kernel: **                                                      **
> > Feb 19 15:55:06 hopper kernel: ** If you see this message and you are not debugging    **
> > Feb 19 15:55:06 hopper kernel: ** the kernel, report this immediately to your system   **
> > Feb 19 15:55:06 hopper kernel: ** administrator!                                       **
> > Feb 19 15:55:06 hopper kernel: **                                                      **
> > Feb 19 15:55:06 hopper kernel: **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
> > Feb 19 15:55:06 hopper kernel: **********************************************************
> > 
> > This is caused by the "slub_debug=FPZ" in 
> > /etc/default/grub.d/01_hardening.cfg.
> 
> Hey Lee,
> 
> I'm confused because I had the feeling someone had already reported a bug, but
> apparently not, although there's a merge request on Salsa
> (https://salsa.debian.org/corsac/hardening-runtime/-/merge_requests/7 ).
> 
> I tried to contact Kees Cook on Mastodon about that
> (https://mastodon.social/@corsac/111811338805308373 ) but it didn't go
> anywhere. 
> 
> Adding Kees to the CC: list as it might be a better way to reach him :)

Hi! Sorry, I missed that mastodon post. :)

The source of the problem is commit
792702911f58 ("slub: force on no_hash_pointers when slub_debug is enabled")

I objected at the time:
https://lore.kernel.org/all/202109200726.2EFEDC5@keescook/
But it was never reverted.

If someone could send a patch that would decouple these again, I'd
appreciate it. I think it would be best to refactor the boot param
"no_hash_pointers" into "hash_pointers={auto,always,never}", with the
old setting meaning "hash_pointers=never", but the default being "=auto"
that falls back to this case where slub debug turns it off. But that
would allow for "slub_debug=FZ hash_pointers=always" and we could have
the best of both worlds.

I've opened https://github.com/KSPP/linux/issues/368 to track this.

-Kees

-- 
Kees Cook
