grsecurity forums

[kameo_]

Hi Team,

I tried to compile a GRSEC/PAX kernel based on the following versions :
- Debian 6.0.3
- gcc 4.4.5
- kernel -2.6.38.7
- grsecurity-2.2.2-2.6.38.7-201105222331.patch

I succeed without any noticeable error when using the basic makefile.

The I added the : CFLAGS_KERNEL = -Wformat -Wformat-security -fstack-protector-all --param ssp-buffer-size=4 -D_FORTIFY_SOURCE=2

To harden the kernel and get rid of the strcpy vulnerability reported by paxtest. (see at the end of the post). But I keep on getting a compilation error when LD is trying to link all this :


[...]
LD arch/x86/kernel/acpi/realmode/wakeup.elf
arch/x86/kernel/acpi/realmode/wakemain.o: In function `beep':
/data/kernel/linux-2.6.38.7/arch/x86/kernel/acpi/realmode/wakemain.c:32: undefined reference to `__stack_chk_fail'
arch/x86/kernel/acpi/realmode/wakemain.o: In function `main':
/data/kernel/linux-2.6.38.7/arch/x86/kernel/acpi/realmode/wakemain.c:81: undefined reference to `__stack_chk_fail'
arch/x86/kernel/acpi/realmode/video-mode.o: In function `probe_cards':
/data/kernel/linux-2.6.38.7/arch/x86/kernel/acpi/realmode/../../../boot/video-mode.c:51: undefined reference to `__stack_chk_fail'
arch/x86/kernel/acpi/realmode/video-mode.o: In function `mode_defined':
/data/kernel/linux-2.6.38.7/arch/x86/kernel/acpi/realmode/../../../boot/video-mode.c:69: undefined reference to `__stack_chk_fail'
arch/x86/kernel/acpi/realmode/video-mode.o: In function `set_mode':
/data/kernel/linux-2.6.38.7/arch/x86/kernel/acpi/realmode/../../../boot/video-mode.c:173: undefined reference to `__stack_chk_fail'
arch/x86/kernel/acpi/realmode/regs.o:/data/kernel/linux-2.6.38.7/arch/x86/kernel/acpi/realmode/../../../boot/regs.c:29: more undefined references to `__stack_chk_fail' follow
make[5]: *** [arch/x86/kernel/acpi/realmode/wakeup.elf] Error 1
make[4]: *** [arch/x86/kernel/acpi/realmode/wakeup.bin] Error 2
make[3]: *** [arch/x86/kernel/acpi] Error 2
make[2]: *** [arch/x86/kernel] Error 2
make[1]: *** [arch/x86] Error 2

It seems I'm doing something wrong there. I maybe lack the lib64ssp0 library but it's unfortunately not available on the debian squeeze anymore.
Any idea ? Di I made a mistake somewhere ?
(of course, if I get rid of -fstack-protector-all, everything compile just fine (and boot))

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 18 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (PIE) : 24 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (PIE) : 16 bits (guessed)
Shared library randomisation test : 18 bits (guessed)
Stack randomisation test (SEGMEXEC) : 24 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (memcpy) : Killed
Return to function (strcpy, PIE) : Vulnerable
Return to function (memcpy, PIE) : Killed

[PaX Team]

- kernel -2.6.38.7
- grsecurity-2.2.2-2.6.38.7-201105222331.patch

these are kinda old and no longer supported .

Then I added the : CFLAGS_KERNEL = -Wformat -Wformat-security -fstack-protector-all --param ssp-buffer-size=4 -D_FORTIFY_SOURCE=2

To harden the kernel and get rid of the strcpy vulnerability reported by paxtest.

paxtest reports userland vulnerabilities (and the strcpy/memcpy ones fail by design, the kernel can't prevent them) so you'll need to apply FORTIFY_SOURCE to userland, not the kernel. and ssp as it's currently implemented in the kernel is quite useless, don't use it (and it's not compatible with PaX anyway).

[kameo_]

thank you PaX Team. (for the answer and for the job !)