{"description": "This option makes the kernel erase the kernel stack before returning from system calls.\nThis has the effect of leaving the stack initialized to the poison value, which both reduces\nthe lifetime of any sensitive stack contents and reduces potential for uninitialized stack\nvariable exploits or information exposures (it does not cover functions reaching the same\nstack depth as prior functions during the same syscall).\n\nThis configuration is available from kernel 4.20, but may be available in older kernels if backported\nby distros.\n\nThe configuration that was used to build the kernel is available at <tt>/boot/config-*</tt>.\n    To check the configuration value for <tt>CONFIG_GCC_PLUGIN_STACKLEAK</tt>, run the following command:\n    <tt>grep CONFIG_GCC_PLUGIN_STACKLEAK /boot/config-*</tt>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "rationale": "This blocks most uninitialized stack variable attacks, with the performance impact being\ndriven by the depth of the stack usage, rather than the function calling complexity.", "severity": "medium", "references": {"anssi": ["R21"]}, "control_references": {"anssi": ["R21"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n    <pre>$ grep CONFIG_GCC_PLUGIN_STACKLEAK /boot/config-*</pre>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}, {"performance": "The performance impact on a single-CPU system kernel is a 1% slowdown."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, 
"inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Poison kernel stack before returning from syscalls", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/gcc_plugin/kernel_config_gcc_plugin_stackleak/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_GCC_PLUGIN_STACKLEAK", "value": "y"}, "backends": {}}}