Package: src:linux
Version: 4.14-1~exp1
Severity: wishlist
User: tails-...@boum.org
Usertags: hardening
Hi!
(sorry if that's a duplicate, the BTS web interface has been unable to
show me the list of src:linux bugs since a few days so I gave up and
decided to report this.)
As usual when a new upstream kernel is released I went through Kees
Cook's post [0] to look for things we might want to opt-in for
in Debian.
Besides new GCC plugins (CONFIG_GCC_PLUGINS is disabled in Debian
"Until we work out how to package them"), the only candidate that
requires opt-in seems to be CONFIG_SLAB_FREELIST_HARDENED, which
"should render blind heap overflow bugs much more difficult to
exploit" + adds a naive detection of double free or corruption:
config SLAB_FREELIST_HARDENED
bool "Harden slab freelist metadata"
depends on SLUB
help
Many kernel heap attacks try to target slab cache metadata and
other infrastructure. This options makes minor performance
sacrifies to harden the kernel slab allocator against common
freelist exploit methods.
Do you think this could be an acceptable performance/security
trade-off for Debian?
If it helps making a decision I could hunt for benchmark results (the
KSPP people tend to attach these to their pull requests when it
matters).
[0] https://outflux.net/blog/archives/2017/11/14/security-things-in-linux-v4-14/
Cheers,
--
intrigeri
