<html> <head> <base href="https://bugs.freedesktop.org/" /> </head> <body> <div> <a class="bz_bug_link bz_status_NEW " title="NEW --- - Potential crash bug in src/gallium/auxiliary/rtasm/rtasm_execmem.c" href="https://bugs.freedesktop.org/show_bug.cgi?id=73473#c8">Comment # 8</a> on <a class="bz_bug_link bz_status_NEW " title="NEW --- - Potential crash bug in src/gallium/auxiliary/rtasm/rtasm_execmem.c" href="https://bugs.freedesktop.org/show_bug.cgi?id=73473">bug 73473</a> from <a class="email" href="mailto:amade@asmblr.net" title="Amadeusz <amade@asmblr.net>"> Amadeusz</a> <pre>Created <a href="attachment.cgi?id=92300" name="attach_92300" title="patch adding check for PaX mprotect">attachment 92300</a> <a href="attachment.cgi?id=92300&action=edit" title="patch adding check for PaX mprotect">[details]</a> <a href='page.cgi?id=splinter.html&bug=73473&attachment=92300'>[review]</a> patch adding check for PaX mprotect As I said on #gentoo-hardened channel, I wouldn't like to see the SELinux part of this patch to be merged. Provided SELinux check effectively requires allowing all applications to be allowed access to write|exec memory regardless of if it is needed or not. I tested patch without the SELinux part and it worked fine on my PaX & SELinux enabled system. Starting glxgears didn't bring down whole X server as was the case before applying patch ;) . If one wants to avoid "grsec: denied RWX mmap" messages probably something along the lines of patch I attached (based on checks from the SELinux one and <a href="http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-libs/libffi/files/libffi-3.0.13-emutramp_pax_proc.patch?revision=1.2&view=markup">http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-libs/libffi/files/libffi-3.0.13-emutramp_pax_proc.patch?revision=1.2&view=markup</a>) would be needed.</pre> </div> <hr> You are receiving this mail because: <ul> <li>You are the assignee for the bug.</li> </ul> </body> </html>