Kernel 4.2.4/Nvidia 358.09 with all 4.2.4 grsecurity patches

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Kernel 4.2.4/Nvidia 358.09 with all 4.2.4 grsecurity patches

Postby x14sg1 » Sat Oct 24, 2015 2:17 pm

Hello,

Nvidia has added a new module to their driver nvidia-modeset.

I have tried many things trying to get the above version of nvidia to work with grsecurity and the RANDSTRUCT_PLUGIN without success.

Here is the error I get without any patching using gcc 4.9.3 (the nvidia driver compiles with a non-grsecurity kernel):

/tmp/selfgz1837/NVIDIA-Linux-x86_64-358.09-no-compat32-custom/kernel/nvidia-modeset/nvidia-modeset-linux.c:296:5: error: invalid initializer
nvkms_suspend,
^
/tmp/selfgz1837/NVIDIA-Linux-x86_64-358.09-no-compat32-custom/kernel/nvidia-modeset/nvidia-modeset-linux.c:296:5: error: (near initialization for 'nvkms_rm_callbacks.<anonymous>')
make[3]: *** [/tmp/selfgz1837/NVIDIA-Linux-x86_64-358.09-no-compat32-custom/kernel/nvidia-modeset/nvidia-modeset-linux.o] Error 1

-------------------------------------------------------------------------

A prior post here indicated that 3rd party plugins had to be modified but no suggestions of how to go about that were given. I have tried to model it after other kernel changes made by the grsecurity patch and __no_const but everything I do gives initializer errors like it can't recognize that I have supplied an __attribute__. Here is my last attempt:

#ifdef RANDSTRUCT_PLUGIN
struct nnnn {
#else
typedef struct {
#endif
/*
* Suspend & resume callbacks. Note that these are called once per GPU.
*/
void (*suspend)(NvU32 gpu_id);
void (*resume)(NvU32 gpu_id);
#ifdef RANDSTRUCT_PLUGIN
};
typedef struct nnnn __no_randomize_layout nvidia_modeset_callbacks_t;
#else
} nvidia_modeset_callbacks_t;
#endif

------------------------------------------------------

Any help would be appreciated. I would like to turn CONFIG_GRKERNSEC_RANDSTRUCT back on.
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: Kernel 4.2.4/Nvidia 358.09 with all 4.2.4 grsecurity pat

Postby spender » Sat Oct 24, 2015 10:38 pm

https://grsecurity.net/~spender/NVIDIA- ... TRUCT.diff should resolve it. If there are still any compilation issues let me know and I'll fix them up. The problem is that they weren't using designated initializers for their ops struct. RANDSTRUCT requires designated initializers due to GCC limitations and so inserts a fake field into all structs that forces a compilation error when they're not used.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Kernel 4.2.4/Nvidia 358.09 with all 4.2.4 grsecurity pat

Postby x14sg1 » Sun Oct 25, 2015 1:15 am

That fixed it.

Thank you.

After seeing your patch for this, I can see how it resembles this one which I also use based on one of paxguy1's patches. Hopefully, I can
figure out the next one.

diff -urp kernel/nvidia-uvm/uvm_common.c kernel/nvidia-uvm/uvm_common.c
--- kernel/nvidia-uvm/uvm_common.c 2015-10-07 21:53:03.000000000 -0400
+++ kernel/nvidia-uvm/uvm_common.c 2015-10-12 18:28:48.000000000 -0400
@@ -79,7 +79,9 @@ NvBool uvmnext_activated(void)
#endif // NVIDIA_UVM_NEXT_ENABLED

static dev_t g_uvmBaseDev;
+#ifndef SLAB_USERCOPY
struct UvmOpsUvmEvents g_exportedUvmOps;
+#endif

// TODO: This would be easier if RM allowed for multiple registrations, since we
// could register UVM-Lite and UVM-Next separately (bug 1372835).
@@ -112,9 +114,17 @@ static NV_STATUS uvmSetupGpuProvider(voi
NV_STATUS status = NV_OK;

#ifdef NVIDIA_UVM_RM_ENABLED
+#ifndef SLAB_USERCOPY
g_exportedUvmOps.startDevice = uvm_gpu_event_start_device;
g_exportedUvmOps.stopDevice = uvm_gpu_event_stop_device;
g_exportedUvmOps.isrTopHalf = uvmnext_isr_top_half;
+#else
+ static struct UvmOpsUvmEvents g_exportedUvmOps = {
+ .startDevice = uvm_gpu_event_start_device,
+ .stopDevice = uvm_gpu_event_stop_device,
+ .isrTopHalf = uvmnext_isr_top_half,
+ };
+#endif

// call RM to exchange the function pointers.
status = nvUvmInterfaceRegisterUvmCallbacks(&g_exportedUvmOps);
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: Kernel 4.2.4/Nvidia 358.09 with all 4.2.4 grsecurity pat

Postby rfnx » Sun Nov 22, 2015 5:41 am

Hello,

I just tried to compile the new nvidia driver, 358.16, and it worked without additionnal patch.
I could compile with the patches I used for older versions, but I don't know if I will have issues later, I will post here to tell you.

For your information, I used the 3 patches of this package : https://aur.archlinux.org/packages/nvidia-grsec/
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: Kernel 4.2.4/Nvidia 358.09 with all 4.2.4 grsecurity pat

Postby Fuxino » Mon Nov 23, 2015 8:16 pm

rfnx wrote:I just tried to compile the new nvidia driver, 358.16, and it worked without additionnal patch.

Maybe you don't have RANDSTRUCT enabled in your kernel? Because I tried to compile the nvidia 358.16 driver but it doesn't work without the additional patch (I have RANDSTRUCT enabled).
Fuxino
 
Posts: 22
Joined: Sun Oct 11, 2015 8:35 am

Re: Kernel 4.2.4/Nvidia 358.09 with all 4.2.4 grsecurity pat

Postby rfnx » Mon Nov 23, 2015 9:47 pm

You are right, I don't have RANDSTRUCT enabled on my desktop. Sorry :(
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am


Return to grsecurity support

cron