grsecurity forums

Hi,
due to compilation problems with grsecurity I tried to use only the newer pax-patches.

Kernel: 2.6.22.1
Pax test6
LD GNU ld (GNU Binutils for Debian) 2.17.50.20070718
Hardware; Epia M10000 (VIA C3-II with 256 MB)

First test: compiling vanilla kernel... OK
Second test: patching kernel with pax-patch
make oldconfig NNN
make bzImage

Result:
...
CC init/version.o
LD init/built-in.o
LD .tmp_vmlinux1
ld: .tmp_vmlinux1: section `.data.percpu' can't be allocated in segment 0
ld: final link failed: Bad value
make: *** [.tmp_vmlinux1] Error 1

I'd conclude that pax is incompatible with the ld provided in debian unstable.
Also I'd conclude that without one option turned on the patch makes the compilation process fail. In other words: without choosing an option pax already changes the kernel-sources in a way that makes it incompatible with ld.

Any comments?
Patching ld to bypass sanity-checks does not sound like a good idea to me.
Provided the sanity checks are being executed in a just way.

specs wrote:Hi,
due to compilation problems with grsecurity I tried to use only the newer pax-patches.

can you give -test9 a try please?

Also I'd conclude that without one option turned on the patch makes the compilation process fail. In other words: without choosing an option pax already changes the kernel-sources in a way that makes it incompatible with ld.

it was my rewrite of the per-cpu variable handling (vanilla is insecure as it creates a full 4GB segment when it's only a few pages worth, this in turn would be bad for UDEREF). also KERNEXEC runs afoul of the new sanity checks, hopefully i managed to fix them all.

PaX Team wrote:can you give -test9 a try please?

Currently (02-08-2007) only test8 is available.
I hope I can reproduce the error using a serial console.

[edit]
I found the test9 patch using the links via the pax-homepage.
I'll try to get results ASAP.

Linux-2.6.22.1 compiled with pax-linux-2.6.22-test9.patch with the standard ld from Debian unstable.

Pax-settings:
#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
CONFIG_PAX_HOOK_ACL_FLAGS=y

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set


With a small change however the build process failed:
< CONFIG_PAX_HAVE_ACL_FLAGS=y
< # CONFIG_PAX_HOOK_ACL_FLAGS is not set
---
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> CONFIG_PAX_HOOK_ACL_FLAGS=y

Produces:
$ make bzImage
CHK include/linux/version.h
CHK include/linux/utsrelease.h
CALL scripts/checksyscalls.sh
CHK include/linux/compile.h
GEN .version
CHK include/linux/compile.h
UPD include/linux/compile.h
CC init/version.o
LD init/built-in.o
LD .tmp_vmlinux1
fs/built-in.o: In function `load_elf_binary':
binfmt_elf.c: (.text+0x283c1): undefined reference to `pax_set_initial_flags'
make: *** [.tmp_vmlinux1] Error 1

Could not reproduce the kernel panic with test9.

specs wrote:With a small change however the build process failed:
< CONFIG_PAX_HAVE_ACL_FLAGS=y
< # CONFIG_PAX_HOOK_ACL_FLAGS is not set
---
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> CONFIG_PAX_HOOK_ACL_FLAGS=y

at times it pays to read the configure help to see what does what .

PaX Team wrote:see what does what .

Yeah, help would surely be apreciated. The available help does not help me much:
| There is no help available for this kernel option.

The help for the 2.4.xx-options does tell a little more:
CONFIG_PAX_NO_ACL_FLAGS:
|
| Mandatory Access Control systems have the option of controlling
| PaX flags on a per executable basis, choose the method supported
| by your particular system.
|
| - "none": if your MAC system does not interact with PaX,
| - "direct": if your MAC system defines pax_set_flags() itself,
| - "hook": if your MAC system uses the pax_set_flags_func callback.
|
| NOTE: this option is for developers/integrators only.



BTW, I saw test13 compiling as easily as test9.

specs wrote:Yeah, help would surely be apreciated. The available help does not help me much:
| There is no help available for this kernel option.

hmm, that's a bug somewhere, i swear it used to show properly in 2.6 as well , i'll fix it.