Maverick pull request for cs-limit nx-emulation refresh

Kees Cook kees.cook at
Tue May 25 22:43:14 UTC 2010


On Tue, May 25, 2010 at 06:32:35PM -0400, Chase Douglas wrote:
> I'm just curious, what's the process for upstreaming security patches
> like these? Are they sauce patches at first while we work with upstream
> to get them merged there?

The nx-emulation stack is a little weird.  My intention is to try
to upstream them again, but they have long been rejected as too much
of a hack (even though almost every distro carries some form of it).
At present, I and Kyle (at Red Hat) try to share the patch (though I'm
still waiting for him to review and merge the "brk away from exec rand
area" patch, and I have to resend the "more tightly confine cs-limit
nx-emulation to ia32 only" bits too).

In general, though, I usually try to get these kinds of hardening patches
into upstream first (as I did with mmap_min_addr fix-ups, /proc/$pid/maps
protection, and AT_RANDOM).  That way they flow into Ubuntu naturally.
In this case, Tim asked me at UDS to get the symlink, hardlink, and
ptrace stuff into Ubuntu immediately so it could get maximal exposure
from Alpha-1.


Kees Cook
Ubuntu Security Team
