Diffstat (limited to '4.8.12/4470_disable-compat_vdso.patch')
1 files changed, 58 insertions, 0 deletions
diff --git a/4.8.12/4470_disable-compat_vdso.patch b/4.8.12/4470_disable-compat_vdso.patch
new file mode 100644
@@ -0,0 +1,58 @@
+No need to wrap vdso calls as gentoo does not use any version of
+From: Gordon Malm <firstname.lastname@example.org>
+From: Kerin Millar <email@example.com>
+From: Jory A. Pratt <firstname.lastname@example.org>
+COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It
+conflicts with various parts of PaX, crashing the system if enabled
+while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents
+a number of important PaX options from appearing in the configuration
+menu, including all PaX NOEXEC implementations. Unfortunately, the
+reason for the disappearance of these PaX configuration options is
+often far from obvious to inexperienced users.
+Therefore, we disable the COMPAT_VDSO menu entry entirely. However,
+COMPAT_VDSO operation can still be enabled via bootparam and sysctl
+interfaces. Consequently, we must also disable the ability to select
+COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so
+that selecting COMPAT_VDSO operation at boot/runtime has no effect if
+conflicting PaX options are enabled, leaving VDSO_ENABLED operation
+Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
+diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
+--- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
++++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
+@@ -2087,29 +2087,8 @@
+ config COMPAT_VDSO
+ def_bool n
+- prompt "Disable the 32-bit vDSO (needed for glibc 2.3.3)"
+ depends on X86_32 || IA32_EMULATION
+ depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
+- Certain buggy versions of glibc will crash if they are
+- presented with a 32-bit vDSO that is not mapped at the address
+- indicated in its segment table.
+- The bug was introduced by f866314b89d56845f55e6f365e18b31ec978ec3a
+- and fixed by 3b3ddb4f7db98ec9e912ccdf54d35df4aa30e04a and
+- 49ad572a70b8aeb91e57483a11dd1b77e31c4468. Glibc 2.3.3 is
+- the only released version with the bug, but OpenSUSE 9
+- contains a buggy "glibc 2.3.2".
+- The symptom of the bug is that everything crashes on startup, saying:
+- dl_main: Assertion `(void *) ph->p_vaddr == _rtld_local._dl_sysinfo_dso' failed!
+- Saying Y here changes the default value of the vdso32 boot
+- option from 1 to 0, which turns off the 32-bit vDSO entirely.
+- This works around the glibc bug but hurts performance.
+- If unsure, say N: if you are compiling your own kernel, you
+- are unlikely to be using a buggy version of glibc.
+ prompt "vsyscall table for legacy applications"