Message ID | 20190606092651.1135-2-po-hsu.lin@canonical.com |
---|---|
State | New |
Series | [B/linux-kvm,C/linux-kvm,D/linux-kvm,SRU,1/1] UBUNTU: [Config]: enable SCHED_STACK_END_CHECK |
diff --git a/debian.kvm/config/config.common.ubuntu b/debian.kvm/config/config.common.ubuntu index 965b25a..5f66988 100644 --- a/debian.kvm/config/config.common.ubuntu +++ b/debian.kvm/config/config.common.ubuntu @@ -2013,7 +2013,7 @@ CONFIG_SCHED_MC=y CONFIG_SCHED_MC_PRIO=y # CONFIG_SCHED_OMIT_FRAME_POINTER is not set CONFIG_SCHED_SMT=y -# CONFIG_SCHED_STACK_END_CHECK is not set +CONFIG_SCHED_STACK_END_CHECK=y # CONFIG_SCIF_BUS is not set CONFIG_SCSI=y # CONFIG_SCSI_3W_9XXX is not set
BugLink: https://bugs.launchpad.net/bugs/1812159

Security team requires the SCHED_STACK_END_CHECK config to be enabled on all of our kernels.

This option checks for a stack overrun on calls to schedule(). If the stack end location is found to be overwritten, always panic as the content of the corrupted region can no longer be trusted. This is to ensure no erroneous behaviour occurs which could result in data corruption or a sporadic crash at a later stage once the region is examined. The runtime overhead introduced is minimal.

Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 debian.kvm/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
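
Review bot: The commit message does not state the regression potential of the single changed line, "+CONFIG_SCHED_STACK_END_CHECK=y". With the option set, an overwritten stack end detected in schedule() now panics the guest, where a kernel built with "# CONFIG_SCHED_STACK_END_CHECK is not set" would have kept running. For an SRU, please say so in the message, so that a new panic after the update is read as a latent stack overrun being exposed rather than as a fault in this change. Separately, the subject targets B, C and D linux-kvm, but the patch carries one blob pair (index 965b25a..5f66988) and one offset (@@ -2013,7 +2013,7 @@). Please confirm that the context lines match debian.kvm/config/config.common.ubuntu in each of the three trees, or send a patch per series.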