
Pb compressing kernels with UPX & 1.9.9g patch

Posted: Sun Apr 27, 2003 4:43 am
by jnilo
My embedded distro uses a 2.4.20 kernel with grsecurity patch. The kernel is compressed with UPX.
http://upx.sf.net
http://leaf.sf.net/devel/jnilo
The 2.4.20 kernel + 1.9.9e grsecurity patch compress OK
but
The 2.4.20 kernel + 1.9.9g grsecurity patch does not want to be compressed. I get:

debian:/tmp/upx-1.90-linux# ./upx --best -o linux.upx /usr/src/linux/arch/i386/boot/bzImage
Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.90 Markus F.X.J. Oberhumer & Laszlo Molnar Nov 11th 2002

File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: /usr/src/linux/arch/i386/boot/bzImage: CantPackException: unrecognized kernel architecture; use option `-f' to force packing

Packed 1 file: 0 ok, 1 error.

If I force the compression, the Linux kernel seems to start decompression OK but I get a reboot at the end of the initrd loading process.
Since I cannot find the 1.9.9f patch anymore I do not know when the problem started.
Any idea of what is happening?
Jacques

Re: Pb compressing kernels with UPX & 1.9.9g patch

Posted: Sun Apr 27, 2003 8:13 am
by PaX Team
jnilo wrote:The 2.4.20 kernel + 1.9.9e grsecurity patch compress OK
but The 2.4.20 kernel + 1.9.9g grsecurity patch does not want to be compressed.
what happened in-between is KERNEXEC ;-), a new feature in PaX that implements non-executable kernel pages and for that i had to reorganize the kernel memory layout a bit. as a side effect of this, the entry point of the decompressed kernel is no longer a hardcoded address and that's where the UPX decompressor stub goes wrong. the fix is simple, i'll email the authors and hopefully the next release will work fine.

Re: Pb compressing kernels with UPX & 1.9.9g patch

Posted: Mon Apr 28, 2003 7:07 pm
by PaX Team
PaX Team wrote:the fix is simple, i'll email the authors and hopefully the next release will work fine.
ok, after some discussion i've fixed it in PaX instead (and tested it with UPX). the code is in the CVS already and i guess Brad will soon import it into grsecurity as well.

Posted: Tue Apr 29, 2003 5:31 pm
by jnilo
Great! I was a bit afraid to have to wait for an UPX evolution since development appears to be somewhat slower than grsec...
Would it be possible to send me offlist the patch to be applied to grsecurity 1.9.9g to have UPX working ?
jnilo at users dot sf dot net
Thanks again !
Jacques

Posted: Tue Apr 29, 2003 5:55 pm
by PaX Team
jnilo wrote:Would it be possible to send me offlist the patch to be applied to grsecurity 1.9.9g to have UPX working ?
better, you can grab it from cvsweb: http://cvsweb.grsecurity.net/index.cgi/grsecurity/arch/i386/boot/compressed/head.S.diff?r2=1.3&r1=1.2&f=u and http://cvsweb.grsecurity.net/index.cgi/grsecurity/arch/i386/vmlinux.lds.S.diff?r2=1.3&r1=1.2&f=u

Posted: Wed Apr 30, 2003 1:21 am
by jnilo
OK. Thanks a lot !
Jacques

Posted: Wed Apr 30, 2003 9:52 am
by jnilo
OK I tested those two patches on the top of 2.4.20 + grsecurity 1.9.9g
They work great
Just one thing to mention for the record of this thread:
You have to use the force option (-f) with upx 1.90 since the kernel is not recognized by upx as a linux kernel anymore.
But it will compress and decompress OK
Thanks again
Jacques

Posted: Wed Apr 30, 2003 10:30 am
by PaX Team
jnilo wrote:You have to use the force option (-f) with upx 1.90 since the kernel is not recognized by upx as a linux kernel anymore.
a short explanation: what UPX does for kernel recognition is that it checks the first two bytes of the kernel image which are part of some i386 instructions and they are different under PaX (cld/mov eax vs. jmp far). technically i could have copied these over and not force users to use -f with UPX, but it's probably better to not enter this 'who fools who' game and let the UPX guys add an extra check in the future or find a better way for checking the kernel image.
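
The recognition check described in the last post, as an added Python example that is not part of the thread and is not UPX's code: it locates the gzip payload of a bzImage through the x86 boot header, decompresses the first bytes, and reports whether they are `cld`/`mov eax` (FC B8) or begin with a far jump (EA). It assumes the two bytes in question are those of the decompressed kernel; the function names, labels and sample images are constructed for illustration.

```python
import gzip, zlib

GZIP_MAGIC = b"\x1f\x8b\x08"        # gzip member header, deflate method
STOCK_PROLOGUE = b"\xfc\xb8"        # cld ; mov eax, imm32
JMP_FAR = 0xEA                      # opcode of jmp far ptr16:32

def payload_start(image):
    """Offset of the protected-mode part, taken from the x86 boot header."""
    if len(image) < 0x206 or image[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("no boot sector signature")
    if image[0x202:0x206] != b"HdrS":
        raise ValueError("no setup header")
    return ((image[0x1F1] or 4) + 1) * 512   # setup_sects == 0 means 4

def kernel_head(image, n=8):
    """First n bytes of the gzip-compressed kernel inside a bzImage."""
    pos = image.find(GZIP_MAGIC, payload_start(image))
    while pos != -1:
        try:
            head = zlib.decompressobj(31).decompress(image[pos:], n)
            if len(head) >= 2:
                return head
        except zlib.error:
            pass                             # magic bytes matched by chance
        pos = image.find(GZIP_MAGIC, pos + 1)
    raise ValueError("no gzip payload found")

def classify(image):
    """Label the entry bytes (labels are this example's own)."""
    head = kernel_head(image)
    if head[:2] == STOCK_PROLOGUE:
        return "stock-prologue"
    if head[0] == JMP_FAR:
        return "jmp-far-entry"
    return "unknown"

def make_image(code, setup_sects=4):
    """Constructed stand-in for a bzImage; not a bootable kernel."""
    boot = bytearray(512)
    boot[0x1F1] = setup_sects
    boot[0x1FE:0x200] = b"\x55\xaa"
    setup = bytearray(setup_sects * 512)
    setup[2:6] = b"HdrS"                     # file offset 0x202
    return bytes(boot + setup) + b"\x90" * 64 + gzip.compress(code)

# Constructed samples: a stock-style prologue and a far-jump entry.
STOCK = make_image(b"\xfc\xb8\x18\x00\x00\x00" + b"\x90" * 32)
PAX_LIKE = make_image(b"\xea\x00\x00\x10\x00\x10\x00" + b"\x90" * 32)
```

Running `classify()` on a real image before packing shows which of the two cases applies, and therefore whether `-f` will be needed.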