[B/linux-kvm][C/linux-kvm][D/linux-kvm][SRU][PATCH 1/1] UBUNTU: [Config]: enable SCHED_STACK_END_CHECK
Po-Hsu Lin
po-hsu.lin at canonical.com
Thu Jun 6 09:26:50 UTC 2019
BugLink: https://bugs.launchpad.net/bugs/1812159
Security team requires the SCHED_STACK_END_CHECK config to be enabled
on all of our kernels.
This option checks for a stack overrun on calls to schedule(). If the
stack end location is found to be overwritten, always panic as the
content of the corrupted region can no longer be trusted. This is to
ensure no erroneous behaviour occurs which could result in data
corruption or a sporadic crash at a later stage once the region is
examined. The runtime overhead introduced is minimal.
Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
---
debian.kvm/config/config.common.ubuntu | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian.kvm/config/config.common.ubuntu b/debian.kvm/config/config.common.ubuntu
index 965b25a..5f66988 100644
--- a/debian.kvm/config/config.common.ubuntu
+++ b/debian.kvm/config/config.common.ubuntu
@@ -2013,7 +2013,7 @@ CONFIG_SCHED_MC=y
CONFIG_SCHED_MC_PRIO=y
# CONFIG_SCHED_OMIT_FRAME_POINTER is not set
CONFIG_SCHED_SMT=y
-# CONFIG_SCHED_STACK_END_CHECK is not set
+CONFIG_SCHED_STACK_END_CHECK=y
# CONFIG_SCIF_BUS is not set
CONFIG_SCSI=y
# CONFIG_SCSI_3W_9XXX is not set
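Review bot: the single hunk at @@ -2013,7 +2013,7 with index 965b25a..5f66988 can match only one tree's debian.kvm/config/config.common.ubuntu, while the subject targets B, C and D linux-kvm. Please confirm the patch applies to each series, or send one patch per series, since the line offset and blob hashes will likely differ between them. The commit message also gives no regression potential or test result. Because CONFIG_SCHED_STACK_END_CHECK=y turns a detected stack-end overwrite into a panic on schedule(), it would help to state that behaviour change for the SRU and note that each resulting kernel was boot-tested.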
--
2.7.4