On the Gentoo Hardened project one of the things we try to do is to build apps
with BIND_NOW set and RELRO, so that the GOT can be marked read-only by the
loader, especially for suid executables. In particular the cirrus and ati
drivers cause difficulty as they are mutually dependent on their sub-modules, so
loading them manually from the bottom up as it were doesn't work.

To follow are simple patches to the cirrus and ati drivers that remove the
mutual dependencies by using LoaderSymbol() to obtain the references needed
rather than having the symbols referenced directly. These patches are against
CVS HEAD as of today.

https://bugs.gentoo.org/show_bug.cgi?id=110506#c30 is my bug submission to
Gentoo, for reference (patches attached there are against 7.0).

I've chosen Driver/cirrus as component, obviously Driver/Radeon, Driver/rage128
and Drivers/other (for atimisc) are also relevant; if you want separate bugs for
each driver let me know.
Created attachment 5775
Patch to remove mutual symbol reference dependencies between cirrus driver and submodules
Created attachment 5776
Patch to remove mutual symbol reference dependencies between ati driver and submodules
Sorry about the phenomenal bug spam, guys. Adding xorg-team@ to the QA contact so bugs don't get lost in future.
Reading the upstream bug, it would seem that this is no longer a problem. Can always be re-opened if necessary. Closing.