Package: src:linux
Version: 4.14-1~exp1
Severity: wishlist
User: tails-...@boum.org
Usertags: hardening

Hi!

(sorry if that's a duplicate, the BTS web interface has been unable to show me the list of src:linux bugs for a few days so I gave up and decided to report this.)

As usual when a new upstream kernel is released I went through Kees Cook's post [0] to look for things we might want to opt in for in Debian. Besides new GCC plugins (CONFIG_GCC_PLUGINS is disabled in Debian "Until we work out how to package them"), the only candidate that requires opt-in seems to be CONFIG_SLAB_FREELIST_HARDENED, which "should render blind heap overflow bugs much more difficult to exploit" + adds a naive detection of double free or corruption:

  config SLAB_FREELIST_HARDENED
          bool "Harden slab freelist metadata"
          depends on SLUB
          help
            Many kernel heap attacks try to target slab cache metadata and
            other infrastructure. This options makes minor performance
            sacrifies to harden the kernel slab allocator against common
            freelist exploit methods.

Do you think this could be an acceptable performance/security trade-off for Debian?

If it helps in making a decision I could hunt for benchmark results (the KSPP people tend to attach these to their pull requests when it matters).

[0] https://outflux.net/blog/archives/2017/11/14/security-things-in-linux-v4-14/

Cheers,
-- intrigeri
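
Added example (not part of the report above and not Debian's or the kernel's own tooling): a small shell audit that classifies a kernel config with respect to CONFIG_SLAB_FREELIST_HARDENED, honouring the "depends on SLUB" line from the quoted Kconfig entry. The function names and the sample config fragment are constructed for illustration.

```shell
#!/bin/sh
# Print the state of one Kconfig symbol in a config file:
#   the value (y, m, ...) when set, "n" for "# CONFIG_X is not set",
#   "absent" when the symbol does not appear at all.
kconfig_state() {
    file=$1 sym=$2
    awk -v s="CONFIG_$sym" '
        index($0, s "=") == 1          { print substr($0, length(s) + 2); found = 1; exit }
        $0 == ("# " s " is not set")   { print "n"; found = 1; exit }
        END { if (!found) print "absent" }
    ' "$file"
}

# Classify a config: the option only exists when SLUB is the selected allocator.
freelist_hardening_status() {
    cfg=$1
    slub=$(kconfig_state "$cfg" SLUB)
    hard=$(kconfig_state "$cfg" SLAB_FREELIST_HARDENED)
    if [ "$hard" = y ]; then
        echo enabled
    elif [ "$slub" != y ]; then
        echo "unavailable: SLUB not selected"
    elif [ "$hard" = n ]; then
        echo "disabled: opt-in not taken"
    else
        echo "absent: kernel predates the option or config is incomplete"
    fi
}

# Constructed sample: config fragment with SLUB selected and the option left off.
# CONFIG_SLAB_FREELIST_RANDOM is included to show that similarly named symbols
# are not confused with the one being audited.
sample_config() {
    cat <<'EOF'
CONFIG_SLUB=y
CONFIG_SLAB_FREELIST_RANDOM=y
# CONFIG_SLAB_FREELIST_HARDENED is not set
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
echo "sample: $(freelist_hardening_status "$tmp")"
rm -f "$tmp"
```

On an installed Debian kernel the same function can be pointed at the shipped config, for example `freelist_hardening_status "/boot/config-$(uname -r)"`.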