{"description": "To enable poisoning of free pages,\ncheck that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>\nincluded in their options.<br />\nTo ensure that new kernels and boot entries continue to enable page poisoning,\nadd <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.", "rationale": "Poisoning writes an arbitrary value to freed pages, so any modification or\nreference to that page after it is freed or before it is initialized will be\ndetected and prevented.\nThis prevents many types of use-after-free vulnerabilities at little performance cost.\nIt also prevents leaks of data and allows detection of corrupted memory.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "page allocator poisoning is not enabled", "ocil": "To check that page poisoning is enabled at boot time, check all boot entries with the following command:\n<pre>sudo grep -L \"^options\\s+.*\\bpage_poison=1\\b\" /boot/loader/entries/*.conf</pre>\nNo line should be returned; each line returned is a boot entry that doesn't enable page poisoning.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "machine", "platforms": ["machine"], "sce_metadata": {}, "inherited_platforms": ["s390x_arch"], "cpe_platform_names": ["machine"], "inherited_cpe_platform_names": ["s390x_arch"], "bash_conditional": null, "fixes": {}, "title": "Enable page allocator poisoning in zIPL", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml", "template": {"name": "zipl_bls_entries_option", "vars": {"arg_name": "page_poison", "arg_value": "1"}, "backends": {}}}