Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-28 16:40:32 -05:00
Code Issues Projects Releases Packages Wiki Activity

Add docs on slab_debug

Browse source
This commit is contained in:
raja-grewal 2025-10-20 05:36:54 +00:00 committed by GitHub
parent 9f7480e20a
commit 8f78269949
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 8 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

4
README.md
View file

@ -298,8 +298,8 @@ feasible due to compatibility issues with Firefox.
3. Kernel boot parameter `hash_pointers=always` 3. Kernel boot parameter `hash_pointers=always`
Forces all exposed pointers to be hashed and must be used in combination with already enabled Force all exposed pointers to be hashed and must be used in combination with the already enabled
kernel boot parameter `slab_debug=FZ`. Currently not possible as requires Linux kernel >= 6.17. `slab_debug=FZ` kernel boot parameter. Currently is not possible as requires Linux kernel >= 6.17.
* [security-misc issue #253](https://github.com/Kicksecure/security-misc/issues/253) * [security-misc issue #253](https://github.com/Kicksecure/security-misc/issues/253)
* [security-misc pull request #325](https://github.com/Kicksecure/security-misc/pull/325) * [security-misc pull request #325](https://github.com/Kicksecure/security-misc/pull/325)

8
etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
View file

@ -38,13 +38,17 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
## ##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. ## Enable sanity checks and red zoning of slabs via debugging options to detect memory corruption.
## Sanity checks force additional verification steps on every memory allocation and free operation.
## Red zoning adds extra metadata to each object to detect writes beyond the object's boundaries.
## As a by product of debugging, this will implicitly disabling kernel pointer hashing unless manually re-enabled. ## As a by product of debugging, this will implicitly disabling kernel pointer hashing unless manually re-enabled.
## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root. ## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root.
## Has the potential to cause a noticeable performance decrease. ## Introduces a noticeable performance overhead during all memory allocation and deallocation operations.
## ##
## https://www.kernel.org/doc/html/latest/mm/slub.html ## https://www.kernel.org/doc/html/latest/mm/slub.html
## https://www.kernel.org/doc/Documentation/vm/slub.txt
## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-2
## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
## https://github.com/Kicksecure/security-misc/issues/253 ## https://github.com/Kicksecure/security-misc/issues/253
## ##