On the Gentoo Hardened project one of the things we try to do is to build apps with BIND_NOW set and RELRO, so that the GOT can be marked read-only by the loader, especially for suid executables. In particular the cirrus and ati drivers cause difficulty as they are mutually dependent on their sub-modules, so loading them manually from the bottom up as it were doesn't work. To follow are simple patches to the cirrus and ati drivers that remove the mutual dependencies by using LoaderSymbol() to obtain the references needed rather than having the symbols referenced directly. These patches are against CVS HEAD as of today. https://bugs.gentoo.org/show_bug.cgi?id=110506#c30 is my bug submission to Gentoo, for reference (patches attached there are against 7.0). I've chosen Driver/cirrus as component, obviously Driver/Radeon, Driver/rage128 and Drivers/other (for atimisc) are also relevant; if you want separate bugs for each driver let me know.
Created attachment 5775 [details] [review] Patch to remove mutual symbol reference depencies between cirrus driver and submodules
Created attachment 5776 [details] [review] Patch to remove mutual symbol reference depencies between ati driver and submodules
Sorry about the phenomenal bug spam, guys. Adding xorg-team@ to the QA contact so bugs don't get lost in future.
Reading the upstream bug, it would seem that this is no longer a problem. Can always be re-opened if necessary. Closing.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.