
Unable to boot with latest grsec patch (for 3.18.2 kernel)

Posted: Mon Jan 12, 2015 7:35 am
by rfnx
Hello,

Yesterday, I tried to update my server to the latest kernel (3.18.2) with the latest grsec patch (timestamp 201501111422). All I can say is it doesn't work for me :p. Since this server is "headless", I can only access it via SSH, so it is very hard (impossible?) to debug. Of course, nothing is written to my system (Arch Linux) log because the system doesn't boot. I had no problem with the grsec patch just before this one (for kernel 3.18.1).

This topic may seem useless, but I wanted to warn the developer about it, and maybe someone has an idea to help me debug the boot?

Some information about my server:
  • CPU Intel Xeon E3 1245v2
  • 3 SSD with Hardware RAID LSI MegaRAID

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Posted: Mon Jan 12, 2015 9:26 am
by spender
Hi,

It is probably due to a bug in the kernfs fix I wrote, which has been corrected in the patches I just released. Sorry about that!

-Brad

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Posted: Mon Jan 12, 2015 12:47 pm
by KDE
I'm also getting a panic on my Gentoo ~amd64 PC with grsecurity-3.0-3.18.2-201501120821.
3.17.7 grsec and 3.18.2 non-grsec work.

photo from my old phone
http://www.imagebam.com/image/9a0562380990817

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Posted: Mon Jan 12, 2015 6:07 pm
by PaX Team
can you enable frame pointers and also capture the kernel logs via netconsole or similar?

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Posted: Mon Jan 12, 2015 7:36 pm
by rfnx
The problem is solved for me with grsecurity-3.0-3.18.2-201501120821! Thanks for that very quick patch! :)

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Posted: Tue Jan 13, 2015 3:08 pm
by KDE
I tried to enable frame pointers - output is similar
qemu - boot now ends with can't find root filesystem
can't try netconsole - have only one usable machine now

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Posted: Tue Jan 13, 2015 3:27 pm
by PaX Team
with frame pointers the backtrace is much cleaner, that's why we need that screenshot.

edit: another thing you could do is resolve the reported RIP value with addr2line (disable KASLR first, e.g., pass nokaslr on the boot command line): addr2line -e vmlinux -fip <RIP value>
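
The addr2line step suggested above, as an added example that is not part of the original post: it pulls the RIP address out of a saved panic text, refuses to resolve it unless the crashed boot used nokaslr, then runs the addr2line command from the post. The function names are hypothetical and the sample oops text (including its address) is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): turn a saved panic text into file:line.

# Constructed sample in the 3.18-era x86_64 oops layout; the address is made up.
SAMPLE_OOPS='[    1.532871] BUG: unable to handle kernel paging request at ffffffffff600000
[    1.532904] RIP: 0010:[<ffffffff8107a2b4>]  [<ffffffff8107a2b4>] example_func+0x14/0x30
[    1.533120] RSP: 0000:ffff88003e1d3e58  EFLAGS: 00010246'

# Print the first "RIP: <cs>:[<addr>]" address found on stdin as 0x<addr>.
# Prints nothing when no such line exists (e.g. the RIP line was cut off).
extract_rip() {
    sed -n 's/^.*RIP: *[0-9a-fA-F]\{4\}:\[<\([0-9a-fA-F]\{16\}\)>].*$/0x\1/p' | head -n 1
}

# Succeed only if the given kernel command line carries the nokaslr switch.
# With KASLR active the runtime address would not match the vmlinux symbols.
kaslr_disabled() {
    case " $1 " in
        *" nokaslr "*) return 0 ;;
        *) return 1 ;;
    esac
}

# resolve_rip VMLINUX OOPS_FILE CMDLINE
# CMDLINE is the command line of the boot that panicked, not the running one.
resolve_rip() {
    vmlinux=$1; oops=$2; cmdline=$3
    if ! kaslr_disabled "$cmdline"; then
        echo "crashed boot did not use nokaslr; address is not resolvable" >&2
        return 2
    fi
    addr=$(extract_rip < "$oops")
    if [ -z "$addr" ]; then
        echo "no RIP line found in $oops" >&2
        return 1
    fi
    # -f function name, -i inlined frames, -p one readable line per frame
    addr2line -e "$vmlinux" -fip "$addr"
}

# Demo on the constructed sample: prints the extracted address only.
printf '%s\n' "$SAMPLE_OOPS" | extract_rip
```

The vmlinux passed to resolve_rip has to be the unstripped image from the same build that panicked, otherwise addr2line reports the wrong location or `??`.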

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Posted: Tue Jan 13, 2015 4:08 pm
by PaX Team
do you happen to have SCHED_STACK_END_CHECK enabled (new in 3.18)?

edit: and also STACKLEAK?

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Posted: Tue Jan 13, 2015 4:17 pm
by KDE
PaX Team wrote: do you happen to have SCHED_STACK_END_CHECK enabled (new in 3.18)?

edit: and also STACKLEAK?

yes
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_SCHED_STACK_END_CHECK=y

I will try with nokaslr tomorrow.

Re: Unable to boot with latest grsec patch (for 3.18.2 kerne

Posted: Tue Jan 13, 2015 4:30 pm
by PaX Team
no worries, i already know the underlying problem, should be fixed by tomorrow ;).