
Bug#852324: Disable CONFIG_DEBUG_WX in order to avoid this issue.



Hi,

As much as it sounds correct to protect systems in this way, you broke compatibility.  I'm back to kernel 3.19 until this is fixed.

So in order to have such a parameter enabled, you should at the least provide a bootparam option to toggle it enabled or not.

From my point of view as a user, you should never break backward compatibility, as bad as it sounds in terms of security.  And you should never enforce it on users.


2017-07-26 16:20 GMT+02:00 Ben Hutchings <ben@decadent.org.uk>:
On Mon, 2017-07-24 at 20:18 +0200, Helio Loureiro wrote:
> Hi,
>
> First an errata: I don't see messages since March, not January as I stated
> wrongly before.
>
> And I tracked similar messages on other distros and found a message from
> Linus himself about a way to avoid such error:
>
> https://lkml.org/lkml/2015/12/14/670
>
> Checking standard Debian kernel settings, I can see it is indeed enabled.
>
> # grep CONFIG_DEBUG_WX /boot/config-4.9.0-3-amd64
> CONFIG_DEBUG_WX=y
>
> So is it possible to deliver a corrected kernel package with such parameter
> disabled?

This check catches a real security weakness in Xen.  We won't disable
checking for it.  Note that I did downgrade the severity of the warning
when running on Xen, since we know about it and don't expect it to be
fixed soon.

Ben.

--
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.


