Bug#852620: linux: activate CONFIG_LEGACY_VSYSCALL_NONE ?
Package: linux
Version: 4.9.2-2
Severity: wishlist
Hi,
current Linux kernels in Debian are compiled with CONFIG_LEGACY_VSYSCALL_EMULATE:
$ grep LEGACY_VSYSCALL /boot/config-4.9.0-1-*
/boot/config-4.9.0-1-amd64:# CONFIG_LEGACY_VSYSCALL_NATIVE is not set
/boot/config-4.9.0-1-amd64:CONFIG_LEGACY_VSYSCALL_EMULATE=y
/boot/config-4.9.0-1-amd64:# CONFIG_LEGACY_VSYSCALL_NONE is not set
/boot/config-4.9.0-1-rt-amd64:# CONFIG_LEGACY_VSYSCALL_NATIVE is not set
/boot/config-4.9.0-1-rt-amd64:CONFIG_LEGACY_VSYSCALL_EMULATE=y
/boot/config-4.9.0-1-rt-amd64:# CONFIG_LEGACY_VSYSCALL_NONE is not set
According to this post:
https://outflux.net/blog/archives/2016/09/27/security-things-in-linux-v4-4/
this option weakens the kernel, details here:
https://googleprojectzero.blogspot.fr/2015/08/three-bypasses-and-fix-for-one-of.html
Since Debian has a recent enough glibc since at least jessie, could you please activate the CONFIG_LEGACY_VSYSCALL_NONE option ?
I am running a test system with the vsyscall=none kernel parameter and saw no problem.
See also this page:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
Thanks,
--
Laurent.
Reply to: