{"description": "While the kernel is built with warnings enabled for any missed stack variable initializations,\nthis warning is silenced for anything passed by reference to another function, under the\noccasionally misguided assumption that the function will do the initialization. As this\nregularly leads to exploitable flaws, this plugin is available to identify and zero-initialize\nsuch variables, depending on the chosen level of coverage.\nThis configuration is available from kernel 4.11, but may be available if backported\nby distros.\n\nThe configuration that was used to build kernel is available at <tt>/boot/config-*</tt>.\n    To check the configuration value for <tt>CONFIG_GCC_PLUGIN_STRUCTLEAK</tt>, run the following command:\n    <tt>grep CONFIG_GCC_PLUGIN_STRUCTLEAK /boot/config-*</tt>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "rationale": "Initializing structures from userspace can prevent some classes of information exposure.", "severity": "medium", "references": {"anssi": ["R21"]}, "control_references": {"anssi": ["R21"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n    <pre>$ grep CONFIG_GCC_PLUGIN_STRUCTLEAK /boot/config.*</pre>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Force initialization of variables containing userspace addresses", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_structleak/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_GCC_PLUGIN_STRUCTLEAK", "value": "y"}, "backends": {}}}