1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
|
No need to wrap vdso calls as gentoo does not use any version of
glibc <=2.3.3
---
From: Gordon Malm <gengor@gentoo.org>
From: Kerin Millar <kerframil@gmail.com>
From: Jory A. Pratt <anarchy@gentoo.org>
COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It
conflicts with various parts of PaX, crashing the system if enabled
while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents
a number of important PaX options from appearing in the configuration
menu, including all PaX NOEXEC implementations. Unfortunately, the
reason for the disappearance of these PaX configuration options is
often far from obvious to inexperienced users.
Therefore, we disable the COMPAT_VDSO menu entry entirely. However,
COMPAT_VDSO operation can still be enabled via bootparam and sysctl
interfaces. Consequently, we must also disable the ability to select
COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so
that selecting COMPAT_VDSO operation at boot/runtime has no effect if
conflicting PaX options are enabled, leaving VDSO_ENABLED operation
intact.
Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
--- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
+++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
@@ -2099,29 +2099,8 @@
config COMPAT_VDSO
def_bool n
- prompt "Disable the 32-bit vDSO (needed for glibc 2.3.3)"
depends on X86_32 || IA32_EMULATION
depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
- ---help---
- Certain buggy versions of glibc will crash if they are
- presented with a 32-bit vDSO that is not mapped at the address
- indicated in its segment table.
-
- The bug was introduced by f866314b89d56845f55e6f365e18b31ec978ec3a
- and fixed by 3b3ddb4f7db98ec9e912ccdf54d35df4aa30e04a and
- 49ad572a70b8aeb91e57483a11dd1b77e31c4468. Glibc 2.3.3 is
- the only released version with the bug, but OpenSUSE 9
- contains a buggy "glibc 2.3.2".
-
- The symptom of the bug is that everything crashes on startup, saying:
- dl_main: Assertion `(void *) ph->p_vaddr == _rtld_local._dl_sysinfo_dso' failed!
-
- Saying Y here changes the default value of the vdso32 boot
- option from 1 to 0, which turns off the 32-bit vDSO entirely.
- This works around the glibc bug but hurts performance.
-
- If unsure, say N: if you are compiling your own kernel, you
- are unlikely to be using a buggy version of glibc.
choice
prompt "vsyscall table for legacy applications"
|