{"description": "To enable poisoning of free pages, add the argument <tt>page_poison=1</tt> to the default\nGRUB 2 command line for the Linux operating system, so that it is passed both to the\ncurrently installed kernels and to newly installed ones. Modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... page_poison=1 ...\"</pre>\nRun the following command to regenerate <tt>grub.cfg</tt> and apply the argument to all installed kernels:<pre># update-grub</pre>\nThe argument has an effect only on kernels built with <tt>CONFIG_PAGE_POISONING</tt>; check the running kernel with\n<pre>$ grep CONFIG_PAGE_POISONING /boot/config-$(uname -r)</pre>\nand, after a reboot, confirm that <tt>/proc/cmdline</tt> contains <tt>page_poison=1</tt>.", "rationale": "Page poisoning fills freed pages with a fixed poison pattern and verifies that pattern\nwhen the page is allocated again. A write to a page after it was freed is therefore\ndetected on reallocation, and a read after free or before initialization returns the\npoison pattern rather than stale data.\nThis mitigates many types of use-after-free vulnerabilities at little performance cost.\nIt also prevents leaks of data left in freed pages and exposes other memory corruption early.", "severity": "medium", "references": {"nist": ["CM-6(a)"], "srg": ["SRG-OS-000480-GPOS-00227", "SRG-OS-000134-GPOS-00068"], "anssi": ["R8"]}, "control_references": {"anssi": ["R8"]}, "components": [], "identifiers": {}, "ocil_clause": "page allocator poisoning is not enabled", "ocil": "Inspect the default GRUB 2 command line for the Linux operating system\nin <tt>/etc/default/grub</tt>. <tt>GRUB_CMDLINE_LINUX</tt> is applied to every menu entry,\nwhile <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> is applied only to normal (non-recovery) entries.\nFirst check whether recovery entries are generated:\n<pre>$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>\nIf this option is set to true, no recovery entries exist and it is sufficient that a line is output by the following command:\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*page_poison=1.*' /etc/default/grub</pre>\nOtherwise, recovery entries are generated and the argument must be present on the line matched by\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX=.*page_poison=1.*' /etc/default/grub</pre>\nIf the argument is present, it will be configured for newly installed kernels.\nThe generated configuration file <tt>grub.cfg</tt> must also be checked. On Ubuntu it is\n<tt>/boot/grub/grub.cfg</tt> on both legacy BIOS and UEFI systems (on UEFI systems\n<tt>/boot/efi/EFI/ubuntu/grub.cfg</tt> is only a stub that loads it).\nIf every kernel entry includes <tt>page_poison=1</tt>, then the parameter\nis configured at boot time:\n<pre>$ sudo grep vmlinuz /boot/grub/grub.cfg | grep -v 'page_poison=1'</pre>\nThis command should not return any output.", "oval_external_content": null, "fixtext": "To ensure that <tt>page_poison=1</tt> is added as a kernel command line\nargument to newly installed kernels, add <tt>page_poison=1</tt> to the\ndefault GRUB 2 command line for Linux operating systems. Modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... page_poison=1 ...\"</pre>\nRun the following command to regenerate <tt>grub.cfg</tt> for all installed kernels:<pre># update-grub</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must clear the page allocator to prevent use-after-free attacks.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must clear the page allocator to prevent use-after-free attacks.", "vuldiscussion": "Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also prevents data leaks and aids detection of corrupted memory.", "checktext": "Verify that GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities.\n\nCheck that the current GRUB 2 configuration has page poisoning enabled with the following command:\n\n$ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1'\n\nIf any output is returned, this is a finding.\n\nCheck that page poisoning is enabled by default to persist in kernel updates with the following command:\n\n$ sudo grep page_poison /etc/default/grub\n\nGRUB_CMDLINE_LINUX=\"page_poison=1\"\n\nIf \"page_poison\" is not set to \"1\", is missing or commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to enable page poisoning with the following commands:\n\n$ sudo grubby --update-kernel=ALL --args=\"page_poison=1\"\n\nAdd or modify the following line in \"/etc/default/grub\" to ensure the configuration survives kernel updates:\n\nGRUB_CMDLINE_LINUX=\"page_poison=1\""}}, "platform": "grub2", "platforms": ["grub2"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["grub2"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable page allocator poisoning", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml", "template": {"name": "grub2_bootloader_argument", "vars": {"arg_name": "page_poison", "arg_value": "1"}, "backends": {}}}
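The OCIL procedure above checks three things by hand: that `/etc/default/grub` carries `page_poison=1` on a variable that reaches every menu entry (recovery entries see only `GRUB_CMDLINE_LINUX`), that the generated `grub.cfg` has no kernel line without it, and that the running kernel actually honours it. The script below is an added example, not part of the SCAP Security Guide or the STIG; the function names (`audit_grub_default`, `count_unpoisoned_entries`, `running_kernel_poisoned`) and the sample `grub`, `grub.cfg`, `cmdline` and kernel `config` files it writes to a temporary directory are constructed for this illustration. On a real host call the functions on `/etc/default/grub`, `/boot/grub/grub.cfg` and the defaults `/proc/cmdline` and `/boot/config-$(uname -r)`.

```shell
#!/bin/sh
# Added example: audit whether page_poison=1 is in place everywhere it must be.
# Function names and sample files are constructed for this example.

# Return 0 if FILE (an /etc/default/grub) puts page_poison=1 on a variable that
# reaches every menu entry. GRUB_CMDLINE_LINUX is used by normal and recovery
# entries; GRUB_CMDLINE_LINUX_DEFAULT only by normal entries, so it suffices
# only when GRUB_DISABLE_RECOVERY=true. Commented-out lines are ignored.
audit_grub_default() {
    file="$1"
    arg='([^"]*[[:space:]])?page_poison=1([[:space:]]|")'
    if grep -Eq "^[[:space:]]*GRUB_CMDLINE_LINUX=\"$arg" "$file"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*GRUB_DISABLE_RECOVERY="?true"?[[:space:]]*$' "$file" &&
       grep -Eq "^[[:space:]]*GRUB_CMDLINE_LINUX_DEFAULT=\"$arg" "$file"; then
        return 0
    fi
    return 1
}

# Print how many kernel command lines in a generated grub.cfg lack page_poison=1.
# Ubuntu emits one "linux /boot/vmlinuz-..." line per entry, recovery included,
# so a compliant host yields 0.
count_unpoisoned_entries() {
    grep -E '^[[:space:]]*(linux|linuxefi)[[:space:]]+[^[:space:]]*vmlinuz' "$1" |
        grep -Evc '[[:space:]]page_poison=1([[:space:]]|$)' || true
}

# Return 0 if the kernel booted with page_poison=1 AND was built with
# CONFIG_PAGE_POISONING; without that option the parameter is silently ignored.
running_kernel_poisoned() {
    cmdline="${1:-/proc/cmdline}"
    config="${2:-/boot/config-$(uname -r)}"
    grep -Eqs '(^|[[:space:]])page_poison=1([[:space:]]|$)' "$cmdline" &&
        grep -qs '^CONFIG_PAGE_POISONING=y' "$config"
}

# Constructed sample inputs: a weak /etc/default/grub (argument only on the
# _DEFAULT variable while recovery entries are still generated), a corrected
# one, a grub.cfg whose recovery entry misses the argument, and a fake
# /proc/cmdline plus kernel config for the running-kernel check.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/grub.weak" <<'EOF'
GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash page_poison=1"
GRUB_CMDLINE_LINUX=""
#GRUB_DISABLE_RECOVERY="true"
EOF
cat > "$SAMPLE_DIR/grub.fixed" <<'EOF'
GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="page_poison=1"
EOF
cat > "$SAMPLE_DIR/grub.cfg" <<'EOF'
menuentry 'Ubuntu' {
    linux   /boot/vmlinuz-5.15.0-91-generic root=UUID=0000 ro quiet splash page_poison=1
}
menuentry 'Ubuntu (recovery mode)' {
    linux   /boot/vmlinuz-5.15.0-91-generic root=UUID=0000 ro recovery nomodeset
}
EOF
printf 'BOOT_IMAGE=/boot/vmlinuz-5.15.0-91-generic root=UUID=0000 ro page_poison=1\n' > "$SAMPLE_DIR/cmdline"
printf 'CONFIG_PAGE_POISONING=y\n' > "$SAMPLE_DIR/config"

for f in grub.weak grub.fixed; do
    if audit_grub_default "$SAMPLE_DIR/$f"; then
        echo "$f: page_poison=1 reaches every menu entry"
    else
        echo "$f: page_poison=1 missing from GRUB_CMDLINE_LINUX, recovery entries unprotected"
    fi
done
echo "grub.cfg: $(count_unpoisoned_entries "$SAMPLE_DIR/grub.cfg") kernel entries without page_poison=1"
if running_kernel_poisoned; then
    echo "running kernel: page allocator poisoning active"
else
    echo "running kernel: page_poison=1 not on /proc/cmdline or CONFIG_PAGE_POISONING not set"
fi
```

The weak sample is exactly the case the OCIL text warns about: `page_poison=1` lives on `GRUB_CMDLINE_LINUX_DEFAULT` while recovery entries are still generated, so `update-grub` produces a recovery entry that boots without poisoning; the `grub.cfg` sample shows what that looks like after generation.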