From 8559079312adb4ed92e5f478120b408dfe7a1124 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 5 Aug 2024 15:10:02 +1000
Subject: [PATCH] Enable `vdso32=0`
---
 README.md | 2 +-
 etc/default/grub.d/40_kernel_hardening.cfg | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index a187056..8b12b71 100644
--- a/README.md
+++ b/README.md
@@ -151,7 +151,7 @@ configuration file.
 safety error detector which can identify heap out-of-bounds access, use-after-free, and invalid-free errors.
-- Provide the option to disable 32 bit vDSO mappings.
+- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
 - Provide the option to use kCFI as the default CFI implementation since it may be slightly more resilient to attacks that are able to write arbitrary executables
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index fab54cf..7e92bdb 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -136,13 +136,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
-## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.
+## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
+## Legacy compatibility feature for superseded glibc versions.
 ##
-## https://en.wikipedia.org/wiki/VDSO
+## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
+## https://lists.openwall.net/linux-kernel/2014/03/11/3
 ##
-## The use of 32 bit vDSO mappings is currently enabled.
-##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
 ## The default implementation is FIneIBT as of Linux kernel 6.2.
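Review bot: The comment above the now-active `vdso32=0` line in 40_kernel_hardening.cfg gives a rationale but says nothing about the operational effect, and the hunk drops the status line the old block carried (`## The use of 32 bit vDSO mappings is currently enabled.`) without a replacement. Because the parameter now reaches every boot entry built from `GRUB_CMDLINE_LINUX`, I would add `## Only affects 32-bit (compat) processes, which lose the vDSO fast path and fall back to regular system calls.` and `## To revert, comment out the line below and regenerate the GRUB configuration.`; the fallback behaviour is my understanding of how the 32-bit vDSO is used, so please confirm it against the kernel documentation before merging. The phrase "Legacy compatibility feature for superseded glibc versions" is also ambiguous: as far as I recall, the kernel's parameter documentation presents `vdso32=0` itself as the workaround for glibc builds that cannot cope with the vDSO, so it is unclear whether "legacy" refers to the mapping or to the switch. The same wording appears in the README hunk and would benefit from the same tightening.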