grsecurity forums

[specs]

Sorry, I don't have much time now.

Below the diff between a working kernel (my standard kernel with PAX) and the above mentioned kernel.

I was planning on first trying all GRSEC features like in the crashing kernel then all PAX-features.
Then narrowing it down to trigger the bug. But I can't do anything before tonight.

Code: Select all

$ diff config-2.6.29.6 /var/www/grsec/config-2.6.29.6-bugtest
4c4
< # Mon Jul 20 23:08:04 2009
---
> # Mon Jul 20 21:41:49 2009
127a128
> # CONFIG_SLABINFO is not set
295a297
> # CONFIG_COMPAT_VDSO is not set
2024a2027
> # CONFIG_PROC_KCORE is not set
2198d2200
< CONFIG_GRKERNSEC_PROC_MEMMAP=y
2216,2218c2218
< CONFIG_GRKERNSEC_PROC_USERGROUP=y
< CONFIG_GRKERNSEC_PROC_GID=2001
< CONFIG_GRKERNSEC_PROC_ADD=y
---
> # CONFIG_GRKERNSEC_PROC_USERGROUP is not set
2229c2229
< CONFIG_GRKERNSEC_CHROOT_SHMAT=y
---
> # CONFIG_GRKERNSEC_CHROOT_SHMAT is not set
2239,2244c2239,2243
< CONFIG_GRKERNSEC_AUDIT_GROUP=y
< CONFIG_GRKERNSEC_AUDIT_GID=2007
< CONFIG_GRKERNSEC_EXECLOG=y
< CONFIG_GRKERNSEC_RESLOG=y
< CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
< CONFIG_GRKERNSEC_AUDIT_CHDIR=y
---
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> # CONFIG_GRKERNSEC_RESLOG is not set
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
2246,2247c2245,2246
< CONFIG_GRKERNSEC_AUDIT_IPC=y
< CONFIG_GRKERNSEC_SIGNAL=y
---
> # CONFIG_GRKERNSEC_AUDIT_IPC is not set
> # CONFIG_GRKERNSEC_SIGNAL is not set
2251d2249
< # CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
2256c2254
< CONFIG_GRKERNSEC_EXECVE=y
---
> # CONFIG_GRKERNSEC_EXECVE is not set
2258,2261c2256
< CONFIG_GRKERNSEC_TPE=y
< CONFIG_GRKERNSEC_TPE_ALL=y
< CONFIG_GRKERNSEC_TPE_INVERT=y
< CONFIG_GRKERNSEC_TPE_GID=2005
---
> # CONFIG_GRKERNSEC_TPE is not set
2267,2274c2262,2263
< CONFIG_GRKERNSEC_BLACKHOLE=y
< CONFIG_GRKERNSEC_SOCKET=y
< CONFIG_GRKERNSEC_SOCKET_ALL=y
< CONFIG_GRKERNSEC_SOCKET_ALL_GID=2004
< CONFIG_GRKERNSEC_SOCKET_CLIENT=y
< CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=2003
< CONFIG_GRKERNSEC_SOCKET_SERVER=y
< CONFIG_GRKERNSEC_SOCKET_SERVER_GID=2002
---
> # CONFIG_GRKERNSEC_BLACKHOLE is not set
> # CONFIG_GRKERNSEC_SOCKET is not set
2291,2318c2280
< CONFIG_PAX=y
<
< #
< # PaX Control
< #
< CONFIG_PAX_SOFTMODE=y
< CONFIG_PAX_EI_PAX=y
< CONFIG_PAX_PT_PAX_FLAGS=y
< CONFIG_PAX_NO_ACL_FLAGS=y
< # CONFIG_PAX_HAVE_ACL_FLAGS is not set
< # CONFIG_PAX_HOOK_ACL_FLAGS is not set
<
< #
< # Non-executable pages
< #
< CONFIG_PAX_NOEXEC=y
< CONFIG_PAX_PAGEEXEC=y
< # CONFIG_PAX_EMUTRAMP is not set
< CONFIG_PAX_MPROTECT=y
< # CONFIG_PAX_NOELFRELOCS is not set
< CONFIG_PAX_KERNEXEC=y
<
< #
< # Address Space Layout Randomization
< #
< CONFIG_PAX_ASLR=y
< CONFIG_PAX_RANDUSTACK=y
< CONFIG_PAX_RANDMMAP=y
---
> # CONFIG_PAX is not set
2323,2326c2285,2288
< CONFIG_PAX_MEMORY_SANITIZE=y
< CONFIG_PAX_REFCOUNT=y
< CONFIG_PAX_USERCOPY=y
< CONFIG_PAX_SECURE_VSYSCALL=y
---
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> # CONFIG_PAX_REFCOUNT is not set
> # CONFIG_PAX_USERCOPY is not set
> # CONFIG_PAX_SECURE_VSYSCALL is not set


[specs]

I compiled a few kernels again.

The kernel with grsec and pax-settings from elahaase you saw yesterday (test0).
The kernel with grsec-settings from elahaase and my pax-settings booted fine (test1).
The same kernel with "# CONFIG_PAX_SECURE_VSYSCALL is not set" crashed (test2).

The configurations and vmlinux of test0 and test2 are available at http://www.aoi-karin.net/grsec if necessary.

[spender]

Please try the latest test patch -- the problem you were experiencing should be resolved. Let us know if you continue to have the issue though.

-Brad

[specs]

As far as I can see this issue is resolved.

I have been testing a little more, but not much worth reporting. The PAX VSYS-feature was AMD64 only so testing on i386 architecture would have been pointless. Tracing the bug I also came in the area where kernels won't compile due to no selected pax-options.

Currently my AMD64 and my desktop are running 2.6.29.6-grsec-200907231934 without problems.

Off-topic:
The upgrade would have been without glitches if an xorg-update wouldn't have caused trouble. Not only the intel 910gm but also the 945gc is not useable with a recent version of X. It cost me little time to find older versions of grsec were also affected and only the 2.6.27-versions of grsec still worked. It seems the problem with 2.6.28.xx and 2.6.29.xx-kernelversions has expanded to more intel igp solutions. The solution, off course, would be using the vesa-driver (and some ugly resolution), upgrading the kernel to 2.6.30.xx, downgrading to 2.6.27.xx or downgrading X.org to 1:7.3. The last option is the one I prefer since it combines with the latest grsec-patch.

This problem has however not been caused by grsecurity or pax.

[PaX Team]

Tracing the bug I also came in the area where kernels won't compile due to no selected pax-options.

whenever you run into compilation problems, feel free to send me the details, i'll fix them, it's just that i don't have the resources to test every possible configuration .

[specs]

And I thought you lacked the time

Normally I find time to upgrade 3 different pc's at least once every 3 months, each with it's own customized kernel.
If there is a problem with a certain type of architecture you can ask me to test some specific configuration.
I can't say I've always got time, but I'll try as my time permits.

I do wonder if elahaase's problem has been solved though.