From 11dead9592da00b2946c86aca618661dfc497af6 Mon Sep 17 00:00:00 2001 From: "Anthony G. Basile" Date: Sat, 14 Mar 2015 20:43:24 -0400 Subject: Grsec/PaX: 3.1-{3.2.68,3.14.35,3.19.1}-201503122205 --- 3.19.1/4470_disable-compat_vdso.patch | 58 +++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 3.19.1/4470_disable-compat_vdso.patch (limited to '3.19.1/4470_disable-compat_vdso.patch') diff --git a/3.19.1/4470_disable-compat_vdso.patch b/3.19.1/4470_disable-compat_vdso.patch new file mode 100644 index 0000000..2192180 --- /dev/null +++ b/3.19.1/4470_disable-compat_vdso.patch @@ -0,0 +1,58 @@ +No need to wrap vdso calls as gentoo does not use any version of +glibc <=2.3.3 +--- +From: Gordon Malm +From: Kerin Millar +From: Jory A. Pratt + +COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It +conflicts with various parts of PaX, crashing the system if enabled +while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents +a number of important PaX options from appearing in the configuration +menu, including all PaX NOEXEC implementations. Unfortunately, the +reason for the disappearance of these PaX configuration options is +often far from obvious to inexperienced users. + +Therefore, we disable the COMPAT_VDSO menu entry entirely. However, +COMPAT_VDSO operation can still be enabled via bootparam and sysctl +interfaces. Consequently, we must also disable the ability to select +COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so +that selecting COMPAT_VDSO operation at boot/runtime has no effect if +conflicting PaX options are enabled, leaving VDSO_ENABLED operation +intact. + +Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138 + +diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig +--- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100 ++++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100 +@@ -1953,29 +1953,8 @@ + + config COMPAT_VDSO + def_bool n +- prompt "Disable the 32-bit vDSO (needed for glibc 2.3.3)" + depends on X86_32 || IA32_EMULATION + depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF +- ---help--- +- Certain buggy versions of glibc will crash if they are +- presented with a 32-bit vDSO that is not mapped at the address +- indicated in its segment table. +- +- The bug was introduced by f866314b89d56845f55e6f365e18b31ec978ec3a +- and fixed by 3b3ddb4f7db98ec9e912ccdf54d35df4aa30e04a and +- 49ad572a70b8aeb91e57483a11dd1b77e31c4468. Glibc 2.3.3 is +- the only released version with the bug, but OpenSUSE 9 +- contains a buggy "glibc 2.3.2". +- +- The symptom of the bug is that everything crashes on startup, saying: +- dl_main: Assertion `(void *) ph->p_vaddr == _rtld_local._dl_sysinfo_dso' failed! +- +- Saying Y here changes the default value of the vdso32 boot +- option from 1 to 0, which turns off the 32-bit vDSO entirely. +- This works around the glibc bug but hurts performance. +- +- If unsure, say N: if you are compiling your own kernel, you +- are unlikely to be using a buggy version of glibc. + + config CMDLINE_BOOL + bool "Built-in kernel command line" -- cgit v1.2.3-65-gdbad