grsecurity and nvidia

PostPosted: Wed May 04, 2011 10:30 am
by user
Hello.
I applied a grsecurity patch to the Xubuntu 11.04 kernel. After that I tried to install an nvidia driver. The installation was successful and I rebooted my OS, and after that I see a black screen. Xubuntu doesn't run, only a black screen.
Does anybody know what this is? Thank you for your answers.

Re: grsecurity and nvidia

PostPosted: Thu May 05, 2011 8:12 am
by PaX Team
user wrote: I applied a grsecurity patch to the Xubuntu 11.04 kernel.
i doubt grsec would cleanly apply to a patched distro kernel, better start with vanilla.
After that I tried to install an nvidia driver. The installation was successful and I rebooted my OS, and after that I see a black screen. Xubuntu doesn't run, only a black screen.
Does anybody know what this is? Thank you for your answers.
what's your kernel config? some PaX features may very well expose problems with the nvidia driver (you would usually get messages about it in your kernel logs).

Re: grsecurity and nvidia

PostPosted: Sun May 08, 2011 6:18 am
by user
I downloaded the 2.6.28.4 kernel from http://www.kernel.org. Then I patched this kernel with grsecurity for kernel 2.6.38.4. After that I rebuilt the kernel and replaced the kernel on a standard Xubuntu 10.04.

Re: grsecurity and nvidia

PostPosted: Tue May 10, 2011 3:30 am
by PaX Team
user wrote: I downloaded the 2.6.28.4 kernel from http://www.kernel.org. Then I patched this kernel with grsecurity for kernel 2.6.38.4. After that I rebuilt the kernel and replaced the kernel on a standard Xubuntu 10.04.
ok, this sounds good, what about your .config then?

Re: grsecurity and nvidia

PostPosted: Fri May 27, 2011 4:14 am
by KDE
I can see this problem on Gentoo, nvidia-drivers-256.53 with the following patch, hardened-sources-2.6.38-r6 or hardened-sources-2.6.38-r4.
Driver works with hardened-sources-2.6.38. Newer nvidia-drivers are buggy.
Code:
May 27 09:54:36 local kernel: PAX: kernel memory leak attempt detected from ffff8800abee2ebf (nv_stack_t) (1 bytes)
May 27 09:54:36 local kernel: Pid: 10243, comm: X Tainted: P            2.6.38-hardened-r6 #1
May 27 09:54:36 local kernel: Call Trace:
May 27 09:54:36 local kernel: [<ffffffff810ce1b1>] ? 0xffffffff810ce1b1
May 27 09:54:36 local kernel: [<ffffffffa095459a>] ? 0xffffffffa095459a
May 27 09:54:36 local kernel: [<ffffffffa045ff0a>] ? 0xffffffffa045ff0a
May 27 09:54:36 local kernel: [<ffffffffa092957a>] ? 0xffffffffa092957a
May 27 09:54:36 local kernel: [<ffffffffa047b5d3>] ? 0xffffffffa047b5d3
May 27 09:54:36 local kernel: [<ffffffffa05ff146>] ? 0xffffffffa05ff146
May 27 09:54:36 local kernel: [<ffffffffa0498dae>] ? 0xffffffffa0498dae
May 27 09:54:36 local kernel: [<ffffffffa06072f4>] ? 0xffffffffa06072f4
May 27 09:54:36 local kernel: [<ffffffffa060ca65>] ? 0xffffffffa060ca65
May 27 09:54:36 local kernel: [<ffffffffa04989e4>] ? 0xffffffffa04989e4
May 27 09:54:36 local kernel: [<ffffffffa0498213>] ? 0xffffffffa0498213
May 27 09:54:36 local kernel: [<ffffffffa0498714>] ? 0xffffffffa0498714
May 27 09:54:36 local kernel: [<ffffffffa049874c>] ? 0xffffffffa049874c
May 27 09:54:36 local kernel: [<ffffffffa047cc1b>] ? 0xffffffffa047cc1b
May 27 09:54:36 local kernel: [<ffffffffa093781a>] ? 0xffffffffa093781a
May 27 09:54:36 local kernel: [<ffffffffa0933f65>] ? 0xffffffffa0933f65
May 27 09:54:36 local kernel: [<ffffffffa095039a>] ? 0xffffffffa095039a
May 27 09:54:36 local kernel: [<ffffffffa095091c>] ? 0xffffffffa095091c
May 27 09:54:36 local kernel: [<ffffffff810d9fb4>] ? 0xffffffff810d9fb4
May 27 09:54:36 local kernel: [<ffffffff810b7532>] ? 0xffffffff810b7532
May 27 09:54:36 local kernel: [<ffffffff810b723c>] ? 0xffffffff810b723c
May 27 09:54:36 local kernel: [<ffffffff810b8739>] ? 0xffffffff810b8739
May 27 09:54:36 local kernel: [<ffffffff810da6d9>] ? 0xffffffff810da6d9
May 27 09:54:36 local kernel: [<ffffffff81002ec4>] ? 0xffffffff81002ec4

Code:
Trace; ffffffff810ce1b1 <pax_report_usercopy+81/f0>
Trace; ffffffffa095459a <__brk_limit+1ef5459a/7dc00000>
Trace; ffffffffa045ff0a <__brk_limit+1ea5ff0a/7dc00000>
Trace; ffffffffa092957a <__brk_limit+1ef2957a/7dc00000>
Trace; ffffffffa047b5d3 <__brk_limit+1ea7b5d3/7dc00000>
Trace; ffffffffa05ff146 <__brk_limit+1ebff146/7dc00000>
Trace; ffffffffa0498dae <__brk_limit+1ea98dae/7dc00000>
Trace; ffffffffa06072f4 <__brk_limit+1ec072f4/7dc00000>
Trace; ffffffffa060ca65 <__brk_limit+1ec0ca65/7dc00000>
Trace; ffffffffa04989e4 <__brk_limit+1ea989e4/7dc00000>
Trace; ffffffffa0498213 <__brk_limit+1ea98213/7dc00000>
Trace; ffffffffa0498714 <__brk_limit+1ea98714/7dc00000>
Trace; ffffffffa049874c <__brk_limit+1ea9874c/7dc00000>
Trace; ffffffffa047cc1b <__brk_limit+1ea7cc1b/7dc00000>
Trace; ffffffffa093781a <__brk_limit+1ef3781a/7dc00000>
Trace; ffffffffa0933f65 <__brk_limit+1ef33f65/7dc00000>
Trace; ffffffffa095039a <__brk_limit+1ef5039a/7dc00000>
Trace; ffffffffa095091c <__brk_limit+1ef5091c/7dc00000>
Trace; ffffffff810d9fb4 <do_vfs_ioctl+b4/790>
Trace; ffffffff810b7532 <unmap_region+162/180>
Trace; ffffffff810b723c <remove_vma+5c/80>
Trace; ffffffff810b8739 <do_munmap+329/3c0>
Trace; ffffffff810da6d9 <sys_ioctl+49/80>
Trace; ffffffff81002ec4 <system_call_fastpath+16/1b>

Code:
--- kernel/nv.c.orig    2010-09-06 14:45:15.854189159 +0200
+++ kernel/nv.c 2010-09-06 14:45:35.972189393 +0200
@@ -423,9 +423,10 @@
 static struct file_operations nv_fops = {
     .owner     = THIS_MODULE,
     .poll      = nv_kern_poll,
-    .ioctl     = nv_kern_ioctl,
 #if defined(HAVE_UNLOCKED_IOCTL)
     .unlocked_ioctl = nv_kern_unlocked_ioctl,
+#else
+    .ioctl     = nv_kern_ioctl,
 #endif
 #if defined(NVCPU_X86_64) && defined(HAVE_COMPAT_IOCTL)
     .compat_ioctl = nv_kern_compat_ioctl,
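Review bot: this hunk only fixes how the driver registers its ioctl entry point (the BKL-era `.ioctl` member was removed from `struct file_operations` in 2.6.36, so it must now be set only when `HAVE_UNLOCKED_IOCTL` is not defined); it cannot address the `PAX: kernel memory leak attempt` report above, whose trace enters the driver through `sys_ioctl` / `do_vfs_ioctl` whichever entry point is registered. A one-line patch header stating that this is a build fix for post-2.6.36 kernels would stop readers from mistaking it for the usercopy fix.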


Code:
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
CONFIG_GRKERNSEC_MEDIUM=y
# CONFIG_GRKERNSEC_HIGH is not set
# CONFIG_GRKERNSEC_HARDENED_SERVER is not set
# CONFIG_GRKERNSEC_HARDENED_WORKSTATION is not set
# CONFIG_GRKERNSEC_HARDENED_VIRTUALIZATION is not set
# CONFIG_GRKERNSEC_CUSTOM is not set

#
# Address Space Protection
#
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_NO_RBAC=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=666

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

#
# PaX
#
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_TASK_SIZE_MAX_SHIFT=42
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
# CONFIG_PAX_MPROTECT is not set
CONFIG_PAX_KERNEXEC=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
# CONFIG_PAX_MEMORY_STACKLEAK is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y

Re: grsecurity and nvidia

PostPosted: Fri May 27, 2011 6:22 am
by PaX Team
KDE wrote: I can see this problem on Gentoo, nvidia-drivers-256.53 with the following patch, hardened-sources-2.6.38-r6 or hardened-sources-2.6.38-r4.
Driver works with hardened-sources-2.6.38. Newer nvidia-drivers are buggy.
Code:
May 27 09:54:36 local kernel: PAX: kernel memory leak attempt detected from ffff8800abee2ebf (nv_stack_t) (1 bytes)
May 27 09:54:36 local kernel: Pid: 10243, comm: X Tainted: P            2.6.38-hardened-r6 #1
they're not necessarily buggy, it's just that the nvidia driver uses a special slab (nv_stack_t) that it later tries to copy from into userland (and probably in the other direction too), and this slab hasn't been marked for such purposes yet (you can read the blog about the recent changes in USERCOPY). the solution to this is to change nv-linux.h:NV_KMEM_CACHE_CREATE (the 5 argument version) and add SLAB_USERCOPY to the 4th parameter, to look something like this:
Code:
#elif (NV_KMEM_CACHE_CREATE_ARGUMENT_COUNT == 5)
#define NV_KMEM_CACHE_CREATE(kmem_cache, name, type)            \
    {                                                           \
        kmem_cache = kmem_cache_create(name, sizeof(type),      \
                        0, SLAB_USERCOPY, NULL);                \
    }
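To make the mechanism behind the report concrete, here is an added userland model of the PAX_USERCOPY check (not code from this thread, from PaX or from the nvidia driver): a copy out of a slab object is allowed only if its cache carries SLAB_USERCOPY and the range stays inside the object. The flag value, the 4096-byte nv_stack_t object and the caches are constructed for the example.

```c
/* Added example, not code from the thread, PaX or the nvidia driver: a
 * userland model of the PAX_USERCOPY check behind the "kernel memory leak
 * attempt" report. Flag value, cache size and addresses are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLAB_USERCOPY 0x1u  /* constructed value, stands in for the PaX flag */
struct kmem_cache { const char *name; size_t size; unsigned flags; };
struct slab_obj { const struct kmem_cache *cache; const char *base; };

/* Verdict for copying n bytes at ptr to userland: NULL means allowed,
 * otherwise the cache name PaX would print, e.g. "(nv_stack_t) (1 bytes)". */
static const char *check_object_size(const struct slab_obj *objs, size_t nobjs,
                                     const char *ptr, size_t n)
{
    uintptr_t p = (uintptr_t)ptr;
    for (size_t i = 0; i < nobjs; i++) {
        uintptr_t lo = (uintptr_t)objs[i].base;
        uintptr_t hi = lo + objs[i].cache->size;
        if (p < lo || p >= hi)
            continue;                              /* not in this object */
        if (!(objs[i].cache->flags & SLAB_USERCOPY))
            return objs[i].cache->name;            /* cache not whitelisted */
        if (hi - p < n)
            return objs[i].cache->name;            /* runs past the object */
        return NULL;
    }
    return NULL;  /* not slab memory; stack and other checks not modelled */
}

/* Driver-style scenario: the cache is created with cache_flags (0 in the
 * unpatched NV_KMEM_CACHE_CREATE, SLAB_USERCOPY after the fix) and the
 * driver copies copy_len bytes starting at the last byte of an nv_stack_t. */
static const char *nv_scenario(unsigned cache_flags, size_t copy_len)
{
    static char stack_mem[4096];                   /* constructed object */
    struct kmem_cache nv_stack = { "nv_stack_t", sizeof stack_mem, cache_flags };
    struct slab_obj objs[1] = { { &nv_stack, stack_mem } };
    return check_object_size(objs, 1, stack_mem + sizeof stack_mem - 1, copy_len);
}

int main(void)
{
    const char *v = nv_scenario(0, 1);
    printf("unpatched: %s, patched: %s\n", v ? v : "allowed",
           nv_scenario(SLAB_USERCOPY, 1) ? "reported" : "allowed");
    return 0;
}
```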

Re: grsecurity and nvidia

PostPosted: Fri May 27, 2011 7:09 am
by KDE
Newer drivers break Java applications or have half the performance.
Patch for 256.53, which helped me:
Code:
--- kernel/nv-linux.h.orig      2010-08-28 05:28:03.000000000 +0200
+++ kernel/nv-linux.h   2011-05-27 12:47:08.175727041 +0200
@@ -639,7 +639,7 @@
 #define NV_KMEM_CACHE_CREATE(kmem_cache, name, type)            \
     {                                                           \
         kmem_cache = kmem_cache_create(name, sizeof(type),      \
-                        0, 0, NULL);                            \
+                        0, SLAB_USERCOPY, NULL);                            \
     }
 #else
 #error "NV_KMEM_CACHE_CREATE_ARGUMENT_COUNT value unrecognized!"
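Review bot: the `+` line whitelists every cache created through `NV_KMEM_CACHE_CREATE`, since the macro is generic over `name` and `type`, while the report above names only `nv_stack_t`; consider passing the flag only for the cache that backs `nv_stack_t`, so the driver's other slab objects keep the usercopy protection. `SLAB_USERCOPY` is also defined only in PaX-patched trees, so wrapping it in `#ifdef SLAB_USERCOPY` (with `0` as the fallback) keeps the file building elsewhere. The extra spaces before the trailing backslash on the `+` line are harmless in a macro continuation but misalign it with the surrounding lines.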