Re: [PATCH] Gerd Hoffman's move-vsyscall-into-user-address-rangepatch

[Zachary Amsden]

Jakub Jelinek wrote:
> That's known bug in early glibcs short after adding vDSO support.
> The vDSO support has been added in May 2003 to CVS glibc (i.e. post glibc
> 2.3.2) and the problems have been fixed when they were discovered, in
> February 2004:
> http://sources.redhat.com/ml/libc-hacker/2004-02/msg00053.html
> http://sources.redhat.com/ml/libc-hacker/2004-02/msg00059.html
>
> I strongly believe we want randomized vDSOs, people are already abusing the
> fix mapped vDSO for attacks, and I think the unfortunate 10 months of broken
> glibc shouldn't stop that forever.  Anyone using such glibc can still use
> vdso=0, or do that just once and upgrade to somewhat more recent glibc.
>   

While I'm now inclined to agree with randomization, I think the default 
should be off.  You can quite easily "echo 1 > 
/proc/sys/kernel/vdso_randomization" in the RC scripts, which allows you 
to maintain compatibility for everyone and get randomization turned on 
early enough to thwart attacks against any vulnerable daemons.

Zach
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/