author | Anthony G. Basile <blueness@gentoo.org> | 2012-08-02 07:40:28 -0400 |
committer | Anthony G. Basile <blueness@gentoo.org> | 2012-08-02 07:40:28 -0400 |
commit | 5c6012a4fec4d07de27741ea0a49592a673720c7 (patch) | |
tree | 62bc83a5f6fd1e1f1b3cdc00fa2b0e6ca276ef2f /3.4.7/4470_disable-compat_vdso.patch | |
parent | Grsec/PaX: 2.9.1-{2.6.32.59,3.2.24,3.4.6}-201208011848 (diff) | |
download | hardened-patchset-5c6012a4fec4d07de27741ea0a49592a673720c7.tar.gz hardened-patchset-5c6012a4fec4d07de27741ea0a49592a673720c7.tar.bz2 hardened-patchset-5c6012a4fec4d07de27741ea0a49592a673720c7.zip |
Grsec/PaX: 2.9.1-3.4.7-201208011848 - fixed20120801
Diffstat (limited to '3.4.7/4470_disable-compat_vdso.patch')
-rw-r--r-- | 3.4.7/4470_disable-compat_vdso.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/3.4.7/4470_disable-compat_vdso.patch b/3.4.7/4470_disable-compat_vdso.patch
new file mode 100644
index 0000000..2a637c1
--- /dev/null
+++ b/3.4.7/4470_disable-compat_vdso.patch
@@ -0,0 +1,46 @@
+No need to wrap vdso calls as gentoo does not use any version of
+glibc <=2.3.3
+---
+From: Gordon Malm <gengor@gentoo.org>
+From: Kerin Millar <kerframil@gmail.com>
+From: Jory A. Pratt <anarchy@gentoo.org>
+
+COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It
+conflicts with various parts of PaX, crashing the system if enabled
+while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents
+a number of important PaX options from appearing in the configuration
+menu, including all PaX NOEXEC implementations. Unfortunately, the
+reason for the disappearance of these PaX configuration options is
+often far from obvious to inexperienced users.
+
+Therefore, we disable the COMPAT_VDSO menu entry entirely. However,
+COMPAT_VDSO operation can still be enabled via bootparam and sysctl
+interfaces. Consequently, we must also disable the ability to select
+COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so
+that selecting COMPAT_VDSO operation at boot/runtime has no effect if
+conflicting PaX options are enabled, leaving VDSO_ENABLED operation
+intact.
+
+Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
+
+diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
+--- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
++++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
+@@ -1678,17 +1678,8 @@
+ 
+ config COMPAT_VDSO
+ def_bool n
+- prompt "Compat VDSO support"
+ depends on X86_32 || IA32_EMULATION
+ depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
+- ---help---
+- Map the 32-bit VDSO to the predictable old-style address too.
+-
+- Say N here if you are running a sufficiently recent glibc
+- version (2.3.3 or later), to remove the high-mapped
+- VDSO mapping and to exclusively use the randomized VDSO.
+-
+- If unsure, say Y.
+ 
+ config CMDLINE_BOOL
+ bool "Built-in kernel command line" |
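Review bot: The patch body only removes the `prompt` and the help text from the `config COMPAT_VDSO` entry in arch/x86/Kconfig, yet its own header says it also makes selecting COMPAT_VDSO through the bootparam and sysctl interfaces a no-op when the conflicting PaX options are active; since the diffstat shows all 46 lines of the new file are in this hunk, that boot/runtime part is not in this file. Either the header is stale or the runtime neutralisation is expected to come from another patch in the set, which is worth confirming, because with only this change the existing `depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF` line blocks the compile-time option but does nothing about the runtime conflict the header describes. The embedded hunk also carries 2009 timestamps and line offsets from a much older kernel, so it presumably relies on offset/fuzz matching when applied to the 3.4.7 tree. A one-line note in the header recording which kernel the hunk was last rebased against would help the next maintainer judge whether the context still matches, e.g. `+Last rebased against: <KERNEL-VERSION-PLACEHOLDER>`.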