{"description": "This option checks for obviously wrong memory regions when copying memory to/from the kernel\n(via copy_to_user() and copy_from_user() functions) by rejecting memory ranges that are larger\nthan the specified heap object, span multiple separately allocated pages, are not on the\nprocess stack, or are part of the kernel text.\nThis configuration is available from kernel 4.8, and may be available if backported by distros.\n\nThe configuration that was used to build kernel is available at <tt>/boot/config-*</tt>.\n    To check the configuration value for <tt>CONFIG_HARDENED_USERCOPY</tt>, run the following command:\n    <tt>grep CONFIG_HARDENED_USERCOPY /boot/config-*</tt>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "rationale": "This config prevents entire classes of heap overflow exploits and similar kernel memory exposures.\n", "severity": "high", "references": {"anssi": ["R15"]}, "control_references": {"anssi": ["R15"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n    <pre>$ grep CONFIG_HARDENED_USERCOPY /boot/config.*</pre>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Harden memory copies between kernel and userspace", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/kernel_config_hardened_usercopy/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_HARDENED_USERCOPY", "value": "y"}, "backends": {}}}