Unable to boot with latest grsec patch (for 3.18.2 kernel)


Post by rfnx » Mon Jan 12, 2015 7:35 am

Hello,

Yesterday, I tried to update my server to the latest kernel (3.18.2) with the latest grsec patch (timestamp 201501111422). All I can say is it doesn't work for me :p. Since this server is "headless", I can only access it via SSH, so it is very hard (impossible?) to debug. Of course, nothing is written in my system (Archlinux) log because the system doesn't boot. I had no problem with the grsec patch just before this one (for kernel 3.18.1).

This topic may seem useless, but I wanted to warn the developer about that, and maybe someone has an idea to help me debug the boot?

Some information about my server:
  • CPU Intel Xeon E3 1245v2
  • 3 SSD with Hardware RAID LSI MegaRAID
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Post by spender » Mon Jan 12, 2015 9:26 am

Hi,

It is probably due to a bug in the kernfs fix I wrote, which has been corrected in the patches I just released. Sorry about that!

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Post by KDE » Mon Jan 12, 2015 12:47 pm

I'm also getting a panic on my Gentoo ~amd64 PC with grsecurity-3.0-3.18.2-201501120821.
3.17.7 grsec and 3.18.2 non-grsec work.

photo from my old phone
http://www.imagebam.com/image/9a0562380990817
KDE
 
Posts: 57
Joined: Sat Feb 09, 2008 5:29 am

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Post by PaX Team » Mon Jan 12, 2015 6:07 pm

can you enable frame pointers and also capture the kernel logs via netconsole or similar?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Post by rfnx » Mon Jan 12, 2015 7:36 pm

The problem is solved for me with grsecurity-3.0-3.18.2-201501120821! Thanks for that very quick patch! :)
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Post by KDE » Tue Jan 13, 2015 3:08 pm

I tried to enable frame pointers - output is similar
qemu - boot now ends with can't find root filesystem
can't try netconsole - have only one usable machine now
KDE
 
Posts: 57
Joined: Sat Feb 09, 2008 5:29 am

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Post by PaX Team » Tue Jan 13, 2015 3:27 pm

with frame pointers the backtrace is much cleaner, that's why we need that screenshot.

edit: another thing you could do is resolve the reported RIP value with addr2line (disable KASLR first, e.g., pass nokaslr on the boot command line): addr2line -e vmlinux -fip <RIP value>
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
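
The addr2line step suggested in the post above, as an added example that is not part of the original thread: it pulls the RIP address out of a saved oops text and resolves it against vmlinux. The function names, the script name and the sample oops text are assumptions made for illustration; the sample addresses and symbol are constructed.

```shell
#!/bin/sh
# Added example: resolve the RIP from a saved x86_64 oops with addr2line.

# Constructed sample oops text (addresses and symbol name are made up).
SAMPLE_OOPS='BUG: unable to handle kernel paging request at ffffc90000abc000
IP: [<ffffffff8110a2b4>] example_func+0x24/0x90
RIP: 0010:[<ffffffff8110a2b4>]  [<ffffffff8110a2b4>] example_func+0x24/0x90
RSP: 0000:ffff88007c8f3e18  EFLAGS: 00010246'

# Read oops text on stdin, print the first RIP address as 0x<16 hex digits>.
# Handles "RIP: 0010:[<addr>] ..." and the trailing "RIP  [<addr>] sym" line.
extract_rip() {
    sed -n 's/.*RIP[: ].*\[<\([0-9a-fA-F]\{16\}\)>\].*/0x\1/p' | head -n 1
}

# Succeed if the given kernel command line contains the nokaslr parameter.
has_nokaslr() {
    case " $1 " in
        *" nokaslr "*) return 0 ;;
        *) return 1 ;;
    esac
}

# resolve_rip VMLINUX OOPS_FILE [CMDLINE]
# VMLINUX must be the unstripped image from the same build that crashed.
resolve_rip() {
    vmlinux=$1 oops=$2 cmdline=${3:-}
    addr=$(extract_rip < "$oops")
    if [ -z "$addr" ]; then
        echo "no RIP address found in $oops" >&2
        return 1
    fi
    if ! has_nokaslr "$cmdline"; then
        echo "warning: nokaslr not on the supplied command line;" \
             "a randomized address will not match vmlinux" >&2
    fi
    addr2line -e "$vmlinux" -fip "$addr"
}

# Run only when called with arguments, e.g.:
#   sh resolve_rip.sh ./vmlinux oops.txt "root=/dev/sda1 nokaslr"
if [ "$#" -ge 2 ]; then
    resolve_rip "$@"
fi
```

The optional third argument is the command line the failing kernel was booted with, since a machine that panics at boot cannot report it itself.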

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Post by PaX Team » Tue Jan 13, 2015 4:08 pm

do you happen to have SCHED_STACK_END_CHECK enabled (new in 3.18)?

edit: and also STACKLEAK?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Post by KDE » Tue Jan 13, 2015 4:17 pm

PaX Team wrote: do you happen to have SCHED_STACK_END_CHECK enabled (new in 3.18)?

edit: and also STACKLEAK?

yes
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_SCHED_STACK_END_CHECK=y

I will try with nokaslr tomorrow.
KDE
 
Posts: 57
Joined: Sat Feb 09, 2008 5:29 am

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Post by PaX Team » Tue Jan 13, 2015 4:30 pm

no worries, i already know the underlying problem, should be fixed by tomorrow ;).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

