Disable the 32-bit vDSO

An XCCDF Rule

Details
Profiles
Prose

Description

Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO that is not mapped at the address indicated in its segment table. Setting CONFIG_COMPAT_VDSO to y turns off the 32-bit VDSO and works aroud the glibc bug. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_COMPAT_VDSO, run the following command: grep CONFIG_COMPAT_VDSO /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

Enabling VDSO compatibility hurts performance and disables ASLR.

ID: xccdf_org.ssgproject.content_rule_kernel_config_compat_vdso
Severity: Low
References: BP28(R15)
Updated: about 1 year ago