Bug#852620: linux: activate CONFIG_LEGACY_VSYSCALL_NONE ?

To: Debian BTS submission <submit@bugs.debian.org>
Subject: Bug#852620: linux: activate CONFIG_LEGACY_VSYSCALL_NONE ?
From: Laurent Bonnaud <L.Bonnaud@laposte.net>
Date: Wed, 25 Jan 2017 18:08:26 +0100
Message-id: <[🔎] 21d33184-06fb-5523-9aa1-cc3f00124db5@laposte.net>
Reply-to: Laurent Bonnaud <L.Bonnaud@laposte.net>, 852620@bugs.debian.org

Package: linux
Version: 4.9.2-2
Severity: wishlist

Hi,

current Linux kernels in Debian are compiled with CONFIG_LEGACY_VSYSCALL_EMULATE:

$ grep LEGACY_VSYSCALL /boot/config-4.9.0-1-*
/boot/config-4.9.0-1-amd64:# CONFIG_LEGACY_VSYSCALL_NATIVE is not set
/boot/config-4.9.0-1-amd64:CONFIG_LEGACY_VSYSCALL_EMULATE=y
/boot/config-4.9.0-1-amd64:# CONFIG_LEGACY_VSYSCALL_NONE is not set
/boot/config-4.9.0-1-rt-amd64:# CONFIG_LEGACY_VSYSCALL_NATIVE is not set
/boot/config-4.9.0-1-rt-amd64:CONFIG_LEGACY_VSYSCALL_EMULATE=y
/boot/config-4.9.0-1-rt-amd64:# CONFIG_LEGACY_VSYSCALL_NONE is not set

According to this post:
  https://outflux.net/blog/archives/2016/09/27/security-things-in-linux-v4-4/

this option weakens the kernel, details here:
  https://googleprojectzero.blogspot.fr/2015/08/three-bypasses-and-fix-for-one-of.html

Since Debian has a recent enough glibc since at least jessie, could you please activate the CONFIG_LEGACY_VSYSCALL_NONE option ?

I am running a test system with the vsyscall=none kernel parameter and saw no problem.

See also this page:
  https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Thanks,

-- 
Laurent.

Reply to:

Follow-Ups:
- Bug#852620: linux: activate CONFIG_LEGACY_VSYSCALL_NONE ?
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Bug#852612: linux-image-4.9.0-1-amd64: kernel 4.9.2-2 panics on boot
Next by Date: Bug#852620: linux: activate CONFIG_LEGACY_VSYSCALL_NONE ?
Previous by thread: Bug#852612: marked as done (linux-image-4.9.0-1-amd64: kernel 4.9.2-2 panics on boot)
Next by thread: Bug#852620: linux: activate CONFIG_LEGACY_VSYSCALL_NONE ?
Index(es):
- Date
- Thread