grsecurity forums

Hello,

Nvidia has added a new module to their driver nvidia-modeset.

I have tried many things trying to get the above version of nvidia to work with grsecurity and the RANDSTRUCT_PLUGIN without success.

Here is the error I get without any patching using gcc 4.9.3 (the nvidia driver compiles with a non-grsecurity kernel):

/tmp/selfgz1837/NVIDIA-Linux-x86_64-358.09-no-compat32-custom/kernel/nvidia-modeset/nvidia-modeset-linux.c:296:5: error: invalid initializer
nvkms_suspend,
^
/tmp/selfgz1837/NVIDIA-Linux-x86_64-358.09-no-compat32-custom/kernel/nvidia-modeset/nvidia-modeset-linux.c:296:5: error: (near initialization for 'nvkms_rm_callbacks.<anonymous>')
make[3]: *** [/tmp/selfgz1837/NVIDIA-Linux-x86_64-358.09-no-compat32-custom/kernel/nvidia-modeset/nvidia-modeset-linux.o] Error 1

-------------------------------------------------------------------------

A prior post here indicated that 3rd party plugins had to be modified but no suggestions of how to go about that were given. I have tried to model it after other kernel changes made by the grsecurity patch and __no_const but everything I do gives initializer errors like it can't recognize that I have supplied an __attribute__. Here is my last attempt:

#ifdef RANDSTRUCT_PLUGIN
struct nnnn {
#else
typedef struct {
#endif
/*
* Suspend & resume callbacks. Note that these are called once per GPU.
*/
void (*suspend)(NvU32 gpu_id);
void (*resume)(NvU32 gpu_id);
#ifdef RANDSTRUCT_PLUGIN
};
typedef struct nnnn __no_randomize_layout nvidia_modeset_callbacks_t;
#else
} nvidia_modeset_callbacks_t;
#endif

------------------------------------------------------

Any help would be appreciated. I would like to turn CONFIG_GRKERNSEC_RANDSTRUCT back on.

https://grsecurity.net/~spender/NVIDIA- ... TRUCT.diff should resolve it. If there are still any compilation issues let me know and I'll fix them up. The problem is that they weren't using designated initializers for their ops struct. RANDSTRUCT requires designated initializers due to GCC limitations and so inserts a fake field into all structs that forces a compilation error when they're not used.

-Brad

That fixed it.

Thank you.

After seeing your patch for this, I can see how it resembles this one which I also use based on one of paxguy1's patches. Hopefully, I can
figure out the next one.

diff -urp kernel/nvidia-uvm/uvm_common.c kernel/nvidia-uvm/uvm_common.c
--- kernel/nvidia-uvm/uvm_common.c 2015-10-07 21:53:03.000000000 -0400
+++ kernel/nvidia-uvm/uvm_common.c 2015-10-12 18:28:48.000000000 -0400
@@ -79,7 +79,9 @@ NvBool uvmnext_activated(void)
#endif // NVIDIA_UVM_NEXT_ENABLED

static dev_t g_uvmBaseDev;
+#ifndef SLAB_USERCOPY
struct UvmOpsUvmEvents g_exportedUvmOps;
+#endif

// TODO: This would be easier if RM allowed for multiple registrations, since we
// could register UVM-Lite and UVM-Next separately (bug 1372835).
@@ -112,9 +114,17 @@ static NV_STATUS uvmSetupGpuProvider(voi
NV_STATUS status = NV_OK;

#ifdef NVIDIA_UVM_RM_ENABLED
+#ifndef SLAB_USERCOPY
g_exportedUvmOps.startDevice = uvm_gpu_event_start_device;
g_exportedUvmOps.stopDevice = uvm_gpu_event_stop_device;
g_exportedUvmOps.isrTopHalf = uvmnext_isr_top_half;
+#else
+ static struct UvmOpsUvmEvents g_exportedUvmOps = {
+ .startDevice = uvm_gpu_event_start_device,
+ .stopDevice = uvm_gpu_event_stop_device,
+ .isrTopHalf = uvmnext_isr_top_half,
+ };
+#endif

// call RM to exchange the function pointers.
status = nvUvmInterfaceRegisterUvmCallbacks(&g_exportedUvmOps);

Hello,

I just tried to compile the new nvidia driver, 358.16, and it worked without additionnal patch.
I could compile with the patches I used for older versions, but I don't know if I will have issues later, I will post here to tell you.

For your information, I used the 3 patches of this package : https://aur.archlinux.org/packages/nvidia-grsec/

rfnx wrote:I just tried to compile the new nvidia driver, 358.16, and it worked without additionnal patch.

Maybe you don't have RANDSTRUCT enabled in your kernel? Because I tried to compile the nvidia 358.16 driver but it doesn't work without the additional patch (I have RANDSTRUCT enabled).

You are right, I don't have RANDSTRUCT enabled on my desktop. Sorry