Source: linux
Version: 6.12.48-1
Severity: important
X-Debbugs-Cc: adrelanos@whonix.org, arraybolt3@gmail.com

One of the debugging options the kernel provides, `slab_debug`, is used as a hardening mechanism by multiple security-conscious Linux distributions, namely Tails and Kicksecure, as it makes some forms of memory management bugs more difficult to exploit. It is recommended by the Kernel Self Protection Project for users who want to set up a "particularly paranoid" system. (See https://kspp.github.io/Recommended_Settings)

Unfortunately, due to upstream apparently previously considering this feature as only a debugging feature, setting the kernel parameter `slab_debug=FZ` (or similar) results in unhashed kernel addresses being exposed in areas such as the kernel logs, making it easier to bypass KASLR when this option is enabled. Users with high security requirements are therefore left with a bit of a catch-22 - either enable `slab_debug` and hope that making KASLR easy to bypass isn't going to ultimately be a problem, or leave `slab_debug` disabled and live without the additional memory safety benefits it provides.

Linux 6.17 introduced a new boot option, `hash_pointers`, which allows one to configure whether pointer values exposed to userspace are hashed or unhashed independently of the `slab_debug` setting. Users who are interested in using `slab_debug` for hardening but don't need the debugging capabilities it provides can thus boot with something like `slab_debug=FZ hash_pointers=always`, giving the best of both worlds. The patch that introduces this option can be seen at https://github.com/torvalds/linux/commit/de1c831a7898f164c1c2703c6b2b9e4fb4bebefc

This patch indicates that the use of `slab_debug` as a hardening option and not just a debugging option is explicitly supported by Linux; this is not an abuse of the feature.
The additional boot option does virtually nothing functionally; it simply allows setting this new combination of options that the kernel didn't previously expose. At least to me, the patch appears small, safe, and it arguably is a kind of bugfix even though technically it is presented as a new feature. I would like it if the kernel team could consider backporting this patch into Debian Trixie's stable kernel. Thank you.
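The following is an added example, not part of the bug report above and not code from the kernel or from Debian. It audits a kernel command line for the combination the report describes: `slab_debug` enabled without `hash_pointers=always`, or with `hash_pointers=always` on a kernel older than 6.17 that does not know the option. The function name `slab_debug_audit`, the three status words it prints and the sample command lines below are this example's own constructions; only the parameter names and the 6.17 version boundary come from the report.

```shell
#!/bin/sh
# Added example (not from the bug report, the kernel or Debian): report whether a
# kernel command line leaves kernel pointers unhashed because of slab_debug.
# Hypothetical helper name and status words; sample inputs are constructed.

# slab_debug_audit CMDLINE KERNEL_VERSION
# Prints one of:
#   ok           slab_debug is off, or it is on together with hash_pointers=always
#                on a kernel that understands that option (6.17 and later)
#   exposed      slab_debug is on and the kernel prints unhashed pointers
#   unsupported  hash_pointers=always was requested, but the kernel predates 6.17,
#                so the option is unknown to it and slab_debug still unhashes pointers
slab_debug_audit() {
    cmdline=$1
    kver=$2
    has_slab=0
    has_hash=0
    for tok in $cmdline; do
        case $tok in
            # Any slab_debug= value is treated as enabling the debug paths
            # (conservative); slub_debug= is the older spelling of the same option.
            slab_debug=*|slub_debug=*) has_slab=1 ;;
            hash_pointers=always)       has_hash=1 ;;
        esac
    done

    # Extract major.minor from version strings such as 6.12.48-1 or 6.17.0-rc1.
    major=${kver%%.*}
    rest=${kver#*.}
    minor=${rest%%[!0-9]*}
    major=${major:-0}
    minor=${minor:-0}

    hash_supported=0
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 17 ]; }; then
        hash_supported=1
    fi

    if [ "$has_slab" -eq 0 ]; then
        echo ok
    elif [ "$has_hash" -eq 1 ] && [ "$hash_supported" -eq 1 ]; then
        echo ok
    elif [ "$has_hash" -eq 1 ]; then
        echo unsupported
    else
        echo exposed
    fi
}

# Check the running system only when asked for explicitly (./audit.sh --live).
if [ "${1:-}" = --live ] && [ -r /proc/cmdline ]; then
    slab_debug_audit "$(cat /proc/cmdline)" "$(uname -r)"
fi
```

Run with `--live` to check the booted kernel; the "unsupported" status is the case the report is asking Debian to fix, since on the 6.12 kernel `hash_pointers=always` has no effect and `slab_debug` alone still exposes unhashed addresses.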