Zachary Amsden <zach@xxxxxxxxxx> wrote:
>
> Jakub Jelinek wrote:
> >
> > That's known bug in early glibcs short after adding vDSO support.
> > The vDSO support has been added in May 2003 to CVS glibc (i.e. post glibc
> > 2.3.2) and the problems have been fixed when they were discovered, in
> > February 2004:
> > http://sources.redhat.com/ml/libc-hacker/2004-02/msg00053.html
> > http://sources.redhat.com/ml/libc-hacker/2004-02/msg00059.html
> >
> > I strongly believe we want randomized vDSOs, people are already abusing the
> > fix mapped vDSO for attacks, and I think the unfortunate 10 months of broken
> > glibc shouldn't stop that forever. Anyone using such glibc can still use
> > vdso=0, or do that just once and upgrade to somewhat more recent glibc.
> >
>
> While I'm now inclined to agree with randomization, I think the default
> should be off. You can quite easily "echo 1 >
> /proc/sys/kernel/vdso_randomization" in the RC scripts, which allows you
> to maintain compatibility for everyone and get randomization turned on
> early enough to thwart attacks against any vulnerable daemons.
>

It kinda sucks but yes, that's obviously least-breakage approach. It does
mean that many people won't benefit from (and won't test!) the new feature
though. Unless there's some sneaky way of auto-detecting a modern userspace,
perhaps (something which mounts /sys?). All very sad.
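
One way to check whether the vDSO is fixed-mapped or randomized on a given system, as an added example that is not part of any message in this thread: it compares the `[vdso]` base address across `/proc/<pid>/maps` snapshots of separately executed processes. The function names and the embedded snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does the [vdso] base move between execs?

# Print the start address of the [vdso] mapping in /proc/<pid>/maps text on stdin.
vdso_base() {
    awk '$NF == "[vdso]" { split($1, r, "-"); print r[1]; exit }'
}

# Print the base for each maps snapshot passed as an argument.
bases_of() {
    for snap in "$@"; do printf '%s\n' "$snap" | vdso_base; done
}

# Read one base per line on stdin. Returns 0 if at least two distinct bases
# were seen, 1 if every sample shares one base, 2 if no vDSO was found.
vdso_randomized() {
    n=$(awk 'NF { seen[$1] = 1 } END { c = 0; for (k in seen) c++; print c }')
    if [ "$n" -eq 0 ]; then return 2; fi
    [ "$n" -gt 1 ]
}

# Live sampling on a Linux host: every cat is a fresh exec with its own layout.
sample_live() {
    i=0
    while [ "$i" -lt "${1:-5}" ]; do
        cat /proc/self/maps | vdso_base
        i=$((i + 1))
    done
}

# Constructed snapshots (not captured from a real system).
FIXED_A='08048000-0804c000 r-xp 00000000 03:01 1234       /bin/cat
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]'
FIXED_B='08048000-0804c000 r-xp 00000000 03:01 1234       /bin/cat
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]'
RAND_A='08048000-0804c000 r-xp 00000000 03:01 1234       /bin/cat
b7f3c000-b7f3d000 r-xp 00000000 00:00 0          [vdso]'
RAND_B='08048000-0804c000 r-xp 00000000 03:01 1234       /bin/cat
b7ee1000-b7ee2000 r-xp 00000000 00:00 0          [vdso]'

for pair in fixed random; do
    if [ "$pair" = fixed ]; then set -- "$FIXED_A" "$FIXED_B"; else set -- "$RAND_A" "$RAND_B"; fi
    if bases_of "$@" | vdso_randomized; then echo "$pair: vDSO base varies"
    else echo "$pair: vDSO base fixed or absent"; fi
done
```

On a live host, `sample_live 5 | vdso_randomized` applies the same check to five fresh processes; an exit status of 2 means no `[vdso]` mapping was present, as with `vdso=0`.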