Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-12-12 08:45:12 -05:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #260 from raja-grewal/vdso32

Browse source 
Enable `vdso32=0`
This commit is contained in:
Patrick Schleizer 2024-08-06 09:55:20 -04:00 committed by GitHub
commit a25aaf900a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 6 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -149,7 +149,7 @@ configuration file.
- Enable the kernel Electric-Fence sampling-based memory safety error detector - Enable the kernel Electric-Fence sampling-based memory safety error detector
which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. which can identify heap out-of-bounds access, use-after-free, and invalid-free errors.
- Provide the option to disable 32 bit vDSO mappings. - Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
- Provide the option to use kCFI as the default CFI implementation since it may be - Provide the option to use kCFI as the default CFI implementation since it may be
slightly more resilient to attacks that are able to write arbitrary executables slightly more resilient to attacks that are able to write arbitrary executables

10
etc/default/grub.d/40_kernel_hardening.cfg
View file

@ -134,13 +134,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
## ##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings. ## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
## Legacy compatibility feature for superseded glibc versions.
## ##
## https://en.wikipedia.org/wiki/VDSO ## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
## https://lists.openwall.net/linux-kernel/2014/03/11/3
## ##
## The use of 32 bit vDSO mappings is currently enabled. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
## The default implementation is FIneIBT as of Linux kernel 6.2. ## The default implementation is FIneIBT as of Linux kernel 6.2.