[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PaX on Debian



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Andres Salomon wrote:
| On Sun, 25 Jul 2004 12:57:29 -0400, John Richard Moser wrote:
|
|
| I'm interested in discussing the viability of PaX on Debian.  I'd like
| to discuss the changes to the base system that would be made, the costs
| in terms of overhead and compatibility, the gains in terms of security,
| and the mutability (elimination) of the costs.
|
|
|
|
|> I think debian-kernel would be a better place to discuss this (at least,
|> the PAX stuff). I have used PAX/grsec for a while now, on 2.4, and have
|> been very pleased with it.  I would love to be able to include it in
|> debian 2.6 kernels, but we need to make sure that:
|
|> a) it's stable (currently, we have a glibc bug that breaks PAX; #245563.
|> I've also heard reports of various grsec problems on 2.6; I don't
know how
|> many of those are PAX issues)

Did some digging.  pipacs said that PAGEEXEC force-enables the 'disable
vsyscall' option, so you'd be forced to use SEGMEXEC on x86 to avoid
#245563, if I'm reading this right.  On amd64, it should be fine; he
said that vsyscall is force disabled because having a high page
executable area will cause PAGEEXEC performance to fall through the
ground, due to the workings of the recent speed-up (which follows the
same method Exec Shield uses as a speed boost, and falls back to the old
way when that fails).  Because amd64 has hardware NX, there's no
emulation issue, thus I'm supposing no breakage due to vsyscall.

:  Tags added: fixed-upstream Request was from GOTO Masanori
:  <gotom@debian.or.jp> to control@bugs.debian.org. Full text available.

Fixed in upstream.  Either use an updated glibc in the next debian
release (I know there's no way you're going to suddenly shift STABLE to
PaX/pie/ssp, and I'm even going to recommend AGAINST that due to
Debian's development model), or backport the changes to whatever glibc
you use.

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitely stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBBU97hDd4aOud5P8RAjRuAJ9k3EiS+zVnEFmLoCM8KnTOZehe8ACgh7FC
a9PyG2GbEkpMi17HlrUcyTY=
=3Mtk
-----END PGP SIGNATURE-----



Reply to: