grsecurity forums

I have just tried compiling a patched version of the kernel today, I have had no problems with any kernels (2.4.23, 2.4.22, 2.4.21, 2.4.20) kernels. I have tried a Redhat 8.0 and a 7.3 machine. The kernel compiles fine without the patch.

I am using, make dep, make bzImage -j2
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/3.2.2/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --host=i386-redhat-linux
Thread model: posix
gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)

[root@scsi3 linux-2.4.24]# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-113)


ld -m elf_i386 -T /usr/src/linux-2.4.24/arch/i386/vmlinux.lds -e stext arch/i386/kernel/head.o arch/i386/kernel/init_task.o init/main.o init/version.o init/do_mounts.o \
--start-group \
arch/i386/kernel/kernel.o arch/i386/mm/mm.o kernel/kernel.o mm/mm.o fs/fs.o ipc/ipc.o \
drivers/char/char.o drivers/block/block.o drivers/misc/misc.o drivers/net/net.o drivers/char/drm/drm.o drivers/ide/idedriver.o drivers/cdrom/driver.o drivers/pci/driver.o drivers/pcmcia/pcmcia.o drivers/net/pcmcia/pcmcia_net.o drivers/pnp/pnp.o drivers/video/video.o drivers/media/media.o crypto/crypto.o \
net/network.o \
grsecurity/grsec.o \
/usr/src/linux-2.4.24/arch/i386/lib/lib.a /usr/src/linux-2.4.24/lib/lib.a /usr/src/linux-2.4.24/arch/i386/lib/lib.a \
--end-group \
-o vmlinux
/usr/src/linux-2.4.24/arch/i386/vmlinux.lds:94 invalid assignment to location counter

Hi there, had the same problem myself (rh 7.3, gcc 3.3.2).

Here's a quick (and very dirty) fix:
. Copy your include/asm-i386/page_offset.h from the older kernel grsecurity tree to the new tree.

. Change line 122 in arch/i386/Makefile from:

$(CPP) -C -P -I$(HPATH) -imacros $(HPATH)/linux/config.h -imacros $(HPATH)/asm-i386/segment.h -imacros $(HPATH)/asm-i386/page.h -Ui386 arch/i386/vmlinux.lds.S >arch/i386/vmlinux.lds

to

$(CPP) -C -P -I$(HPATH) -imacros $(HPATH)/linux/config.h -imacros $(HPATH)/asm-i386/segment.h -imacros $(HPATH)/asm-i386/page_offset.h -Ui386 arch/i386/vmlinux.lds.S >arch/i386/vmlinux.lds

The symbols that were on page_offset.h were moved to page.h, somehow that change broke the compile process, the pre-processor seems to be having problems converting those symbols to their real values so vmlinux.lds instead of having the numerical offsets has only the symbols.

Best regards,
João

I will try that for my next kernel, for now I just compiled 2.4.23 with grsecurity, then patched to 2.4.24. Do you know of a test program to see if the machine is still vulnerable for the mremap() hole?

I'm not aware of any public exploit, still... assuming you've patched the kernel correctly, you should be safe.

Same here on slackware linux 8.1 and 9.0. Even updated to latest stable binutils - no luck.

I'm sorry for my ignorance but I don't know much about kernel programming.

The problem seems to be with grsecurity's patch of .24 kernel. Kernel compiles fine without grsecurity.

Is the above fix a stable one?

Well, I'm using it on a couple of production servers, seems stable until now.
The "fix" is a very trivial thing. It's just a couple of macros that weren't being converted, what I did was simply to put those macros in a separate header file (like the old grsecurity patches did), nothing special.

I could be wrong, maybe Brad or the PaX Team could shed some light in here

I've tried 2.4.24 w/grsec on rh 8,9 and 7.3 and all of em give the same error.

Are you sure you've put page_offset.h, in the right place? (/path/to/kernel/include/asm-i386/)

Regards

same on debian woody!I think someone supposed to check the pacth! Please developers ... Most of people does not have enough C and coding knowledge to resolve this internal error...

Cheers

Ivan

just update any current tree with the patch-2.4.24 from kernel.org
Changes are minimal, it works without rejects (but Makefile of course) on 2.4.23-grsec and 2.4.23-ck1, tested both myself

the problem is a missing -D__KERNEL__ in the i386 Makefile, for now i've put a fixed patch at .... update: patch removed as official fix is out.

I received a mail from the mailing list, if you aren't on it, here it is.

I redownloaded the patch off the website and it compiles fine now.

Message

I've just fixed the 2.4.24 patch on the website after seeing the 50 some emails I got this morning about it. I didn't notice it in my sparc64 compile. The change was a one-line fix to arch/i386/Makefile. The patch and gpg signature on the website have been updated. Sorry about that.

-Brad