linux_mitigations.md
May 20, 2024 ยท View on GitHub
We list mitigations added in all Linux versions.
| Version (and date) | Mitigation | References |
|---|---|---|
| (optional patch) | grsecurity/PaX | 1 2 |
| Linux ? (2013) | remove %n support in vsprintf() | 61 62 |
| Linux 2.4.21-rc1 | Exec-Shield | 3 |
| Linux 2.6.8 | Non-Executable Memory (NX) / DEP | 4 |
| Linux 2.6.12 | kernel.randomize_va_space. Address Space Layout Randomization (ASLR). | 5 |
| Linux 2.6.12 for i386 / Linux 2.6.23 for x86_64 | virtual syscalls (vsyscall) replaced by virtual Dynamic Shared Object (vDSO) | 72 |
| Linux 2.6.23 | (ineffective until 2019) kernel.mmap_min_addr. NULL page mitigation. Ineffective and easily bypassable (CVE-2019-9213) until 2019. | 6 7 8 |
| Linux 2.6.28 | kernel.kptr_restrict | 9 10 11 |
| Linux 2.6.37 | kernel.dmesg_restrict | 12 13 14 |
| Linux 3.0 + hardware needs support (>= Ivy Bridge architecture) | Supervisor Mode Execution Prevention (SMEP) for x86 / x86_64 architectures. | 15 16 17 18 |
| Linux 3.7 + hardware needs support | Supervisor Mode Access Prevention (SMAP) for x86 / x86_64 architectures. | 19 20 |
| Linux 3.7 + hardware needs support | PXN (Privileged Execute-Never). Effectively SMEP (Supervisor Mode Execution Prevention) for ARM architectures. | 21 22 23 |
| Linux 3.14 (supported, but not enabled by default until kernel 4.12) | Kernel ASLR (KASLR) | 24 25 |
| >= clang 3.7 | Control Flow Integrity (CFI) | 26 |
| Linux 4.0 (optional kernel module) | Linux Kernel Runtime Guard (LKRG). Loadable kernel module that performs runtime integrity checking. | 27 |
| Linux 4.0 | pagemap: do not leak physical addresses to non-privileged userspace | 91 |
| Linux 4.3 + hardware needs support | PAN (Privileged Access Never). Effectively SMAP (Supervisor Mode Access Prevention) for ARM architectures. | 28 |
| Linux 4.4 | kmem accounting (SLAB_ACCOUNT) added to cred_jar cache | 93 |
| Linux 4.8 | CONFIG_SLAB_FREELIST_RANDOM - freelist order randomized during initialization of a new slab (new set of pages for that region) | 83 85 93 |
| Linux 4.11 | CONFIG_STATIC_USERMODEHELPER - prevents the overwrite of modprobe_path (read-only) | 79 |
| Linux 4.11 | structleak plugin enforcing __user annotated struct zeroing | 92 |
| Linux 4.13 | Compile-time and run-time protectino for finding overflows (CONFIG_FORTIFY_SOURCE) | 29 |
| Linux 4.13 | Forced NULL-prefixed stack canary on 64-bit | 29 |
| Linux 4.13 | randomized structure layout (manual mode only) (randstruct gcc plugin) | 29 |
| Linux 4.13 | lower ELF_ET_DYN_BASE (32-bit only) | 29 |
| Linux 4.13 | kill iovec exploitation trick | 86 87 88 |
| Linux 4.14 | CONFIG_SLAB_FREELIST_HARDENED - encoded freelist next pointers | 84 |
| Linux 4.14 (optional patch) | Kernel Address Isolation to have Side-channels Efficiently Removed (KAISER) | 30 31 |
| Linux 4.15 | Kernel Page Table Isolation (KPTI or PTI) (formerly KAISER) | 32 33 34 35 |
| Linux 4.4.144 | Spectre v1 fix | 36 37 38 |
| Linux ? | hardened usercopy (CONFIG_HARDENED_USERCOPY) | 79 93 |
| Linux 4.16 | usercopy hardened for info leaks (CONFIG_HARDENED_USERCOPY with useroffset and usersize) | 93 |
| Linux 4.16 | special-purpose caches matching sizes of general-purpose caches not mergeable with them when kmem accounting (SLAB_ACCOUNT) used for these special-purpose caches. NOTE: From 5.9 and before 5.14, kmem accounted (SLAB_ACCOUNT) general purpose (kmalloc) caches again mergeable with other special-purpose caches. | 93 94 |
| Linux 4.18 | allocation overflow detection helpers | 39 40 |
| Linux 4.18 | Removing open-coded multiplication from memory allocation arguments | 41 40 |
| Linux 5.1 | CR4 Pinning. Prevents modification of sensitive CR4 bits, preventing SMEP/SMAP bypass via native_write_cr4. | 42 43 |
| Linux 5.3 | Heap auto initialization | 44 45 |
| Linux 5.4 | PAC on arm64: return address signing | 46 47 |
| Linux 5.4 | Lockdown module | 63 64 65 |
| Linux 5.4 | Automatically mitigate X86_BUG_ITLB_MULTIHIT (iTLB Multihit) | 66 67 68 |
| Linux 5.4 | Mitigate TSX Async Abort | 67 69 70 71 |
| Linux ? | kernel stack base offset randomization | 50 51 |
| Linux 5.7 | SLAB free pointer moved to middle of object | |
| Linux 5.9 | seccomp user_notif file descriptor injection | 52 53 |
| Linux 5.9 | zero-initialize stack variables with Clang | 52 53 |
| Linux 5.9 | common syscall entry/exit routines | 52 53 |
| Linux 5.9 | SLAB kfree() hardening | 52 53 |
| Linux 5.9 | new CAP_CHECKPOINT_RESTORE capability | 52 53 |
| Linux 5.9 | debugfs boot-time visibility restriction | 52 53 |
| Linux 5.9 | more seccomp architecture support | 52 53 |
| Linux 5.9 | new tasklet API | 52 53 |
| Linux 5.9 | x86 FSGSBASE implementation | 52 53 |
| Linux 5.9 | filter x86 MSR writes | 52 53 |
| Linux 5.9 | uninitialized_var() macro removed | 52 53 |
| Linux 5.9 | function pointer cast removals | 52 53 |
| Linux 5.9 | flexible array conversions | 52 53 |
| Linux 5.9 | (regression) kmem accounted (SLAB_ACCOUNT) general purpose (kmalloc) caches mergeable (again) with other special-purpose caches. | 93 94 |
| Linux ? | Linux Kernel Runtime Guard (LKRG) | 54 55 73 74 75 |
| Linux XXX | vm.unprivileged_userfaultfd / userfaultfd() forbidden to unprivileged users | 81 82 |
| Linux 5.11 | vm.unprivileged_userfaultfd / userfaultfd() restrict unprivileged users to handle faults in user space | 77 80 |
| Linux 5.13 | randomize #kernel stack offset each syscall | 56 57 |
| Linux 5.13 | /dev/kmem removed entirely | 58 59 60 |
| Linux 5.14 | kmem accounted (SLAB_ACCOUNT) general purpose (kmalloc) caches not mergeable (again) with other special-purpose caches. | 93 94 |
| Linux TDB | Function Granular KASLR (FGKASLR) | 48 49 76 78 89 |
| Linux XXX | SLAB_RANDOM (or slab_rand?) | XXX |
| Linux XXX | SLAB_HARDENED | XXX |
| Linux XXX | CONFIG_SLAB_MERGE_DEFAULT | XXX |
| Linux XXX | CONFIG_SHUFFLE_PAGE_ALLOCATOR | XXX |
| Linux TDB | Randomized slab caches for kmalloc() | 95 |
| Ubuntu 24.04 | Unprivileged user namespace restrictions | 96 97 |