Public bug reported: Kees Cook is requesting the following be enabled for our Raspi2/3 enabled kernel:

config CPU_SW_DOMAIN_PAN
	bool "Enable use of CPU domains to implement privileged no-access"
	depends on MMU && !ARM_LPAE
	default y
	help
	  Increase kernel security by ensuring that normal kernel accesses
	  are unable to access userspace addresses.  This can help prevent
	  use-after-free bugs becoming an exploitable privilege escalation
	  by ensuring that magic values (such as LIST_POISON) will always
	  fault when dereferenced.

	  CPUs with low-vector mappings use a best-efforts implementation.
	  Their lower 1MB needs to remain accessible for the vectors, but
	  the remainder of userspace will become appropriately inaccessible.

** Affects: linux-raspi2 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: linux-raspi2 (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: linux-raspi2 (Ubuntu Yakkety)
     Importance: Undecided
         Status: New

** Affects: linux-raspi2 (Ubuntu Zesty)
     Importance: Undecided
         Status: New

** Also affects: linux-raspi2 (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: linux-raspi2 (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Also affects: linux-raspi2 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1683505

Title:
  enable CONFIG_CPU_SW_DOMAIN_PAN for raspi2/raspi3
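
An added example, not part of the bug report or of the kernel source: a shell check that reads a .config-style file and reports whether CPU_SW_DOMAIN_PAN is set, or which term of the quoted `depends on MMU && !ARM_LPAE` line rules it out. The function names, the status strings and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Audit a kernel .config-style file for CONFIG_CPU_SW_DOMAIN_PAN.
# Function names and status strings are hypothetical, chosen for this example.

# kconfig_is_set FILE SYMBOL -> exit 0 if the file contains "CONFIG_SYMBOL=y"
kconfig_is_set() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# pan_status FILE -> prints one of:
#   enabled         option is built in
#   blocked-no-mmu  "depends on MMU" is not satisfied
#   blocked-lpae    "!ARM_LPAE" is not satisfied (LPAE kernel)
#   disabled        dependencies are met but the option is off
pan_status() {
    cfg=$1
    if kconfig_is_set "$cfg" CPU_SW_DOMAIN_PAN; then
        echo enabled
    elif ! kconfig_is_set "$cfg" MMU; then
        echo blocked-no-mmu
    elif kconfig_is_set "$cfg" ARM_LPAE; then
        echo blocked-lpae
    else
        echo disabled
    fi
}

# pan_demo: run the check over three constructed sample configs.
pan_demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_MMU=y' '# CONFIG_ARM_LPAE is not set' \
        'CONFIG_CPU_SW_DOMAIN_PAN=y' > "$tmp/hardened"
    printf '%s\n' 'CONFIG_MMU=y' '# CONFIG_ARM_LPAE is not set' \
        '# CONFIG_CPU_SW_DOMAIN_PAN is not set' > "$tmp/missing"
    printf '%s\n' 'CONFIG_MMU=y' 'CONFIG_ARM_LPAE=y' > "$tmp/lpae"
    for f in hardened missing lpae; do
        printf '%s: %s\n' "$f" "$(pan_status "$tmp/$f")"
    done
    rm -rf "$tmp"
}

# With an argument, audit that file; otherwise run the constructed demo.
if [ $# -gt 0 ]; then
    pan_status "$1"
else
    pan_demo
fi
```

On an installed system the file to pass is typically /boot/config-$(uname -r); a result of "disabled" is the state this bug asks to change.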