diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2017-04-19 11:15:10 -0400 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2017-04-19 11:15:10 -0400 |
| commit | 527de1bcfebd7d0dc4a1ce0143bfcdf552bf11eb (patch) | |
| tree | 6d82e271e0caa1f25787dd8a09c4aabdc4cc47ed /4.9.22/4470_disable-compat_vdso.patch | |
| parent | grsecurity-3.1-4.9.22-201704120836 (diff) | |
| download | hardened-patchset-527de1bcfebd7d0dc4a1ce0143bfcdf552bf11eb.tar.gz hardened-patchset-527de1bcfebd7d0dc4a1ce0143bfcdf552bf11eb.tar.bz2 hardened-patchset-527de1bcfebd7d0dc4a1ce0143bfcdf552bf11eb.zip | |
grsecurity-3.1-4.9.23-201704181901
Diffstat (limited to '4.9.22/4470_disable-compat_vdso.patch')
| -rw-r--r-- | 4.9.22/4470_disable-compat_vdso.patch | 58 |
1 files changed, 0 insertions, 58 deletions
diff --git a/4.9.22/4470_disable-compat_vdso.patch b/4.9.22/4470_disable-compat_vdso.patch deleted file mode 100644 index a1401d8..0000000 --- a/4.9.22/4470_disable-compat_vdso.patch +++ /dev/null @@ -1,58 +0,0 @@ -No need to wrap vdso calls as gentoo does not use any version of -glibc <=2.3.3 ---- -From: Gordon Malm <gengor@gentoo.org> -From: Kerin Millar <kerframil@gmail.com> -From: Jory A. Pratt <anarchy@gentoo.org> - -COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It -conflicts with various parts of PaX, crashing the system if enabled -while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents -a number of important PaX options from appearing in the configuration -menu, including all PaX NOEXEC implementations. Unfortunately, the -reason for the disappearance of these PaX configuration options is -often far from obvious to inexperienced users. - -Therefore, we disable the COMPAT_VDSO menu entry entirely. However, -COMPAT_VDSO operation can still be enabled via bootparam and sysctl -interfaces. Consequently, we must also disable the ability to select -COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so -that selecting COMPAT_VDSO operation at boot/runtime has no effect if -conflicting PaX options are enabled, leaving VDSO_ENABLED operation -intact. - -Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138 - -diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig ---- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100 -+++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100 -@@ -2099,29 +2099,8 @@ - - config COMPAT_VDSO - def_bool n -- prompt "Disable the 32-bit vDSO (needed for glibc 2.3.3)" - depends on X86_32 || IA32_EMULATION - depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF -- ---help--- -- Certain buggy versions of glibc will crash if they are -- presented with a 32-bit vDSO that is not mapped at the address -- indicated in its segment table. -- -- The bug was introduced by f866314b89d56845f55e6f365e18b31ec978ec3a -- and fixed by 3b3ddb4f7db98ec9e912ccdf54d35df4aa30e04a and -- 49ad572a70b8aeb91e57483a11dd1b77e31c4468. Glibc 2.3.3 is -- the only released version with the bug, but OpenSUSE 9 -- contains a buggy "glibc 2.3.2". -- -- The symptom of the bug is that everything crashes on startup, saying: -- dl_main: Assertion `(void *) ph->p_vaddr == _rtld_local._dl_sysinfo_dso' failed! -- -- Saying Y here changes the default value of the vdso32 boot -- option from 1 to 0, which turns off the 32-bit vDSO entirely. -- This works around the glibc bug but hurts performance. -- -- If unsure, say N: if you are compiling your own kernel, you -- are unlikely to be using a buggy version of glibc. - - choice - prompt "vsyscall table for legacy applications" |