Re: [PATCH] x86-64, vsyscalls: Rename UNSAFE_VSYSCALLS to COMPAT_VSYSCALLS

From: Ingo Molnar
Date: Tue Jun 07 2011 - 05:57:07 EST



* pageexec@xxxxxxxxxxx <pageexec@xxxxxxxxxxx> wrote:

> On 6 Jun 2011 at 21:12, Ingo Molnar wrote:
>
> > * pageexec@xxxxxxxxxxx <pageexec@xxxxxxxxxxx> wrote:
> > >
> > > and whoever enables them, what do you think they're more likely
> > > to get in return? some random and rare old binaries that still
> > > run for a minuscule subset of users or every run-of-the-mill
> > > exploit working against *every* user, metasploit style (did you
> > > know that it has a specific target for the i386 compat vdso)?
> >
> > That's what binary compatibility means, yes.
>
> so fedora is not binary compatible. did you just admit that in real
> life security won out? we're on the right track! ;)

No, you are wrong, and you are really confused about what binary
compatibility of the kernel means.

The kernel itself will try hard to stay binary compatible, so that if
someone with older userspace upgrades to a new kernel old user-space
still works fine.

Fedora was able to disable the fixed-address vdso in its newer 32-bit
distro kernels because it *upgraded glibc*. It has not disabled that
option for its older versions with old glibcs. There was no breakage
of binary compatibility.

So we were able to improve real life security *without* breaking
binary compatibility.

Do you understand this distinction?

Thanks,

Ingo