
2.6.24.3 patch seems broken

Posted: Tue Mar 11, 2008 1:48 am
by samadei
I tried to use the 2.1.11-26.24.3-200803101831 patch... and I got some nonsense about "CONFIG_PAX enabled, but no PaX options are enabled"... I looked in include/linux/grsecurity.h on line 18, and noted references to CONFIG_ALSR and CONFIG_NOEXEC... which were not in my .config... but CONFIG_PAX_ASLR and CONFIG_PAX_NOEXEC were... so I fixed these and I got a good kernel.

Looks like a minor typo.

Stephen

Re: 2.6.24.3 patch seems broken

Posted: Tue Mar 11, 2008 4:33 am
by forsaken
Same problem here.

Re: 2.6.24.3 patch seems broken

Posted: Wed Mar 12, 2008 12:42 am
by spender
The patches have been fixed and updated.

-Brad

Re: 2.6.24.3 patch seems broken

Posted: Thu Mar 13, 2008 5:28 pm
by fed.linuxgossip
I receive the following error:

In file included from arch/x86/kernel/ioport_32.c:17:
include/linux/grsecurity.h:18:2: #error "CONFIG_PAX enabled, but no PaX options are enabled."
make[1]: *** [arch/x86/kernel/ioport_32.o] Error 1
make: *** [arch/x86/kernel] Error 2

[root@server linux-2.6.24.3]# head -20 arch/x86/kernel/ioport_32.c
/*
* This contains the io-permission bitmap code - written by obz, with changes
* by Linus.
*/

#include <linux/sched.h>
#include <linux/kernel.h>
#include <linux/capability.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/ioport.h>
#include <linux/smp.h>
#include <linux/stddef.h>
#include <linux/slab.h>
#include <linux/thread_info.h>
#include <linux/syscalls.h>
#include <linux/grsecurity.h>

/* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
[root@server linux-2.6.24.3]#


Please advise

Re: 2.6.24.3 patch seems broken

Posted: Thu Mar 13, 2008 7:10 pm
by spender
I updated the patch about an hour ago or so. Please use that one for now.

-Brad

Re: 2.6.24.3 patch seems broken

Posted: Thu Mar 13, 2008 11:23 pm
by fed.linuxgossip
Even with the latest patch I found the same error on a fresh kernel compilation. The only solution I found was to enable each PaX option in menuconfig, which allowed the process to complete successfully. Are there any specific options in PaX which have to be selected for sure?

Re: 2.6.24.3 patch seems broken

Posted: Fri Mar 14, 2008 9:12 am
by spender
In that case, you were hitting the intended purpose of the change: to inform people who compile kernels with configs that won't give them the additional security they possibly expected. In your case, you enabled the CONFIG_PAX option, but didn't enable anything inside of it that would have provided security (namely, enabling either options in the ASLR menu or enabling either SEGMEXEC/PAGEEXEC).

-Brad
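
Added example, not part of the thread or of the grsecurity patch: a pre-build check that applies the condition discussed above (CONFIG_PAX set while neither CONFIG_PAX_NOEXEC nor CONFIG_PAX_ASLR is) to a .config before starting a long compile. The function names and the sample configs are constructed for illustration, and the condition is assumed from the posts rather than copied from grsecurity.h.

```shell
#!/bin/sh
# Added example (not from the grsecurity patch). Sample configs are constructed.

# config_enabled FILE SYMBOL: true only for a literal "SYMBOL=y" line, so
# "# SYMBOL is not set" and a missing symbol both count as disabled.
config_enabled() {
    grep -q "^$2=y\$" "$1"
}

# pax_config_check FILE
#   0 = CONFIG_PAX off, or on with NOEXEC and/or ASLR enabled
#   1 = CONFIG_PAX on but neither enabled (the build would stop at the #error)
#   2 = FILE not readable
pax_config_check() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    config_enabled "$1" CONFIG_PAX || return 0
    config_enabled "$1" CONFIG_PAX_NOEXEC && return 0
    config_enabled "$1" CONFIG_PAX_ASLR && return 0
    echo "$1: CONFIG_PAX=y but no PaX options are enabled" >&2
    return 1
}

# write_samples DIR: constructed .config fragments covering the three cases.
write_samples() {
    printf '%s\n' 'CONFIG_PAX=y' '# CONFIG_PAX_NOEXEC is not set' \
        '# CONFIG_PAX_ASLR is not set' > "$1/config.empty-pax"
    printf '%s\n' 'CONFIG_PAX=y' 'CONFIG_PAX_NOEXEC=y' 'CONFIG_PAX_PAGEEXEC=y' \
        'CONFIG_PAX_ASLR=y' > "$1/config.pax-on"
    printf '%s\n' '# CONFIG_PAX is not set' > "$1/config.no-pax"
}

# Check the file given as the first argument, e.g. the .config in the kernel tree.
if [ $# -gt 0 ]; then
    pax_config_check "$1"
fi
```

A symbol that is misspelled in the .config or in a header simply never matches, which is the same way the CONFIG_ALSR typo made the original guard fire on valid configs.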