CONFIG_DEBUG_CREDENTIALS should be enabled

Bug #1855335 reported by Tyler Hicks
Affects: linux (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

We should enable CONFIG_DEBUG_CREDENTIALS to perform sanity checks, such as
verifying usage counts and proper magic values, when handling cred
structs. If a cred sanity check fails, a loud warning is printed to the
logs.

The config option raises the bar on the effort required to implement an
exploit based on cred manipulation. CONFIG_DEBUG_CREDENTIALS will not
prevent the attack but may aid an administrator in discovering such an
attack on the system.

This config option is recommended by the Kernel Self Protection Project[1].

[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
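
The two administrator-side checks the description implies, as an added example that is not part of the bug report or of Ubuntu's kernel packaging: whether a kernel config enables CONFIG_DEBUG_CREDENTIALS, and whether a saved kernel log contains cred sanity-check failures. The function names and the `CRED: Invalid` / `CRED: At` message prefixes being matched are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or the Ubuntu kernel packaging.

# Report how CONFIG_DEBUG_CREDENTIALS is set in a kernel config file,
# e.g. /boot/config-$(uname -r): prints enabled | disabled | absent.
cred_debug_state() {
    if grep -q '^CONFIG_DEBUG_CREDENTIALS=y$' "$1"; then
        echo enabled
    elif grep -q '^# CONFIG_DEBUG_CREDENTIALS is not set$' "$1"; then
        echo disabled
    else
        echo absent   # option does not appear in this config at all
    fi
}

# Count cred sanity-check failures in a saved kernel log.
# Assumption: failures are logged with the "CRED: Invalid" prefix.
count_cred_failures() {
    grep -c 'CRED: Invalid' "$1" || true   # grep -c exits 1 on zero matches
}

# List the distinct source locations ("CRED: At file:line") that tripped.
cred_failure_sites() {
    sed -n 's/.*CRED: At \([^ ]*\)$/\1/p' "$1" | sort -u
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config-on" <<'EOF'
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_CREDENTIALS=y
EOF
cat > "$SAMPLE_DIR/config-off" <<'EOF'
CONFIG_DEBUG_KERNEL=y
# CONFIG_DEBUG_CREDENTIALS is not set
EOF
cat > "$SAMPLE_DIR/kern.log" <<'EOF'
[  101.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  245.318220] CRED: Invalid credentials
[  245.318225] CRED: At kernel/cred.c:100
[  612.907113] CRED: Invalid credentials
[  612.907118] CRED: At kernel/cred.c:100
EOF

for f in "$SAMPLE_DIR/config-on" "$SAMPLE_DIR/config-off"; do
    echo "$(basename "$f"): $(cred_debug_state "$f")"
done
echo "failures: $(count_cred_failures "$SAMPLE_DIR/kern.log")"
cred_failure_sites "$SAMPLE_DIR/kern.log"
```

On a live system, pass `/boot/config-$(uname -r)` to `cred_debug_state` and a file written from `dmesg` or `journalctl -k` to the two log functions.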

Tyler Hicks (tyhicks)
description: updated
Seth Forshee (sforshee)
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Tyler Hicks (tyhicks) wrote :

This change was applied during the Focal development cycle but then reverted pending performance testing results. That performance testing work was never finished and I'm no longer working on this bug.

Changed in linux (Ubuntu):
assignee: Tyler Hicks (tyhicks) → nobody
status: Fix Committed → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.8.0-16.17

---------------
linux (5.8.0-16.17) groovy; urgency=medium

  * groovy/linux: 5.8.0-16.17 -proposed tracker (LP: #1891233)

  * Miscellaneous Ubuntu changes
    - hio -- Update to use bio_{start,end}_io_acct with 5.8+
    - Enable hio driver
    - [Packaging] Temporarily disable building doc package contents

linux (5.8.0-15.16) groovy; urgency=medium

  * groovy/linux: 5.8.0-15.16 -proposed tracker (LP: #1891177)

  * Miscellaneous Ubuntu changes
    - SAUCE: Documentation: import error c_funcptr_sig_re, c_sig_re (sphinx-
      doc/sphinx@0f49e30c)

linux (5.8.0-14.15) groovy; urgency=medium

  * groovy/linux: 5.8.0-14.15 -proposed tracker (LP: #1891085)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * msg_zerocopy.sh in net from ubuntu_kernel_selftests failed (LP: #1812620)
    - selftests/net: relax cpu affinity requirement in msg_zerocopy test

  * Fix missing HDMI/DP Audio on an HP Desktop (LP: #1890441)
    - ALSA: hda/hdmi: Add quirk to force connectivity

  * Add initial audio support for Lenovo ThinkStation P620 (LP: #1890317)
    - ALSA: usb-audio: Add support for Lenovo ThinkStation P620

  * Fix IOMMU error on AMD Radeon Pro W5700 (LP: #1890306)
    - PCI: Mark AMD Navi10 GPU rev 0x00 ATS as broken

  * Enlarge hisi_sec2 capability (LP: #1890222)
    - crypto: hisilicon - update SEC driver module parameter

  * Miscellaneous Ubuntu changes
    - [Config] Re-enable signing for ppc64el

 -- Seth Forshee <email address hidden> Tue, 11 Aug 2020 15:32:58 -0500

Changed in linux (Ubuntu):
status: Triaged → Fix Released