{"description": "To enable poisoning of SLUB/SLAB objects,\ncheck that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>\nincluded in their options.<br />\nTo ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,\nadd <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.", "rationale": "Poisoning writes an arbitrary value to freed objects, so any modification or\nreference to that object after being freed or before being initialized will be\ndetected and prevented.\nThis prevents many types of use-after-free vulnerabilities at little performance cost.\nIt also prevents data leaks and allows detection of corrupted memory.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "SLUB/SLAB poisoning is not enabled", "ocil": "To check that SLUB/SLAB poisoning is enabled, check all boot entries with the following command:\n<pre>sudo grep -LE \"^options\\s+.*\\bslub_debug=P\\b\" /boot/loader/entries/*.conf</pre>\nNo line should be returned; each line returned is a boot entry that does not enable poisoning.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "machine", "platforms": ["machine"], "sce_metadata": {}, "inherited_platforms": ["s390x_arch"], "cpe_platform_names": ["machine"], "inherited_cpe_platform_names": ["s390x_arch"], "bash_conditional": null, "fixes": {}, "title": "Enable SLUB/SLAB allocator poisoning in zIPL", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml", "template": {"name": "zipl_bls_entries_option", "vars": {"arg_name": "slub_debug", "arg_value": "P"}, "backends": {}}}