On Wed, 2017-01-25 at 18:08 +0100, Laurent Bonnaud wrote:
> Package: linux
> Version: 4.9.2-2
> Severity: wishlist
>
> Hi,
>
> current Linux kernels in Debian are compiled with CONFIG_LEGACY_VSYSCALL_EMULATE:
>
> $ grep LEGACY_VSYSCALL /boot/config-4.9.0-1-*
> /boot/config-4.9.0-1-amd64:# CONFIG_LEGACY_VSYSCALL_NATIVE is not set
> /boot/config-4.9.0-1-amd64:CONFIG_LEGACY_VSYSCALL_EMULATE=y
> /boot/config-4.9.0-1-amd64:# CONFIG_LEGACY_VSYSCALL_NONE is not set
> /boot/config-4.9.0-1-rt-amd64:# CONFIG_LEGACY_VSYSCALL_NATIVE is not set
> /boot/config-4.9.0-1-rt-amd64:CONFIG_LEGACY_VSYSCALL_EMULATE=y
> /boot/config-4.9.0-1-rt-amd64:# CONFIG_LEGACY_VSYSCALL_NONE is not set
>
> According to this post:
> https://outflux.net/blog/archives/2016/09/27/security-things-in-linux-v4-4/
>
> this option weakens the kernel, details here:
> https://googleprojectzero.blogspot.fr/2015/08/three-bypasses-and-fix-for-one-of.html

I know, but it is only a minor weakness.

> Since Debian has a recent enough glibc since at least jessie, could
> you please activate the CONFIG_LEGACY_VSYSCALL_NONE option ?

I already did that (search the changelog) but it turned out that
dietlibc used vsyscall until more recently, so I reverted the change.
I requested a rebuild of all binaries in unstable that had this problem
(dietlibc is statically linked) so it will be safe to make this change
after the stretch release.

> I am running a test system with the vsyscall=none kernel parameter
> and saw no problem.

So you know that it's not essential to have this enabled in the build config.

Ben.

> See also this page:
> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
>
> Thanks,
>

-- 
Ben Hutchings
It is easier to write an incorrect program than to understand a correct one.
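Added here to illustrate the checks the thread talks about (not code from the bug report, from Debian or from the kernel): a POSIX sh script that reports which CONFIG_LEGACY_VSYSCALL_* choice a kernel config selects, whether a vsyscall= parameter was passed on the command line, and whether the running kernel maps the legacy vsyscall page. The function names, the constructed sample lines and the assumption that booting with vsyscall=none leaves no [vsyscall] entry in /proc/self/maps are mine.

```shell
#!/bin/sh
# Added example, not from the bug report: classify the vsyscall setting of a
# kernel build and of a running system. Each check reads its input from stdin
# so it can be run on a live system or on constructed text.

# Print the CONFIG_LEGACY_VSYSCALL_* choice (NATIVE, EMULATE or NONE) that is
# "=y" in a kernel .config, or UNKNOWN if none of the three is selected.
vsyscall_mode_from_config() {
    mode=$(sed -n 's/^CONFIG_LEGACY_VSYSCALL_\([A-Z]*\)=y$/\1/p' | head -n1)
    printf '%s\n' "${mode:-UNKNOWN}"
}

# Given a /proc/<pid>/maps listing, print "mapped <perms>" when the legacy
# vsyscall page is present (perms is the second column, e.g. r-xp or --xp),
# or "absent" when no such line exists (assumed to be the vsyscall=none case).
vsyscall_page_from_maps() {
    perms=$(awk '$NF == "[vsyscall]" { print $2; exit }')
    [ -n "$perms" ] && printf 'mapped %s\n' "$perms" || printf 'absent\n'
}

# Print the value of a vsyscall= parameter found in a kernel command line, or
# "default" when the boot did not override the compiled-in choice.
vsyscall_cmdline_param() {
    val=$(tr ' ' '\n' | sed -n 's/^vsyscall=//p' | head -n1)
    printf '%s\n' "${val:-default}"
}

# Run all three checks against the running system, skipping inputs that are
# not readable here (for example /boot inside a container).
audit_running_kernel() {
    cfg="/boot/config-$(uname -r)"
    [ -r "$cfg" ] && echo "build config:  $(vsyscall_mode_from_config < "$cfg")"
    [ -r /proc/cmdline ] && echo "cmdline:       $(vsyscall_cmdline_param < /proc/cmdline)"
    [ -r /proc/self/maps ] && echo "vsyscall page: $(vsyscall_page_from_maps < /proc/self/maps)"
    return 0
}

# Constructed sample inputs, mirroring the config lines quoted in the report.
SAMPLE_CONFIG='# CONFIG_LEGACY_VSYSCALL_NATIVE is not set
CONFIG_LEGACY_VSYSCALL_EMULATE=y
# CONFIG_LEGACY_VSYSCALL_NONE is not set'
SAMPLE_MAPS='ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]'

echo "sample config: $(printf '%s\n' "$SAMPLE_CONFIG" | vsyscall_mode_from_config)"  # EMULATE
echo "sample maps:   $(printf '%s\n' "$SAMPLE_MAPS" | vsyscall_page_from_maps)"      # mapped --xp
audit_running_kernel
```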