Possible bug in 2.6.38.3-201104171745.patch with DEVPORT


Post by simonbcn » Mon Apr 18, 2011 8:18 am

Hi,
Today I compiled kernel 2.6.38.3 with grsecurity-2.2.2-2.6.38.3-201104171745.patch, but I can't start my server with it.
I compared the config file of this kernel with the previous one:
Code:
# diff config-2.6.38.2-grsec-20110329 config-2.6.38.3-grsec-20110418
3,4c3,4
< # Linux/i386 2.6.38.2 Kernel Configuration
< # Tue Mar 29 14:23:37 2011
---
> # Linux/i386 2.6.38.3 Kernel Configuration
> # Mon Apr 18 13:47:09 2011
66c66
< CONFIG_LOCALVERSION="-20110329"
---
> CONFIG_LOCALVERSION="-20110418"
1544c1544
< CONFIG_DEVPORT=y
---
> # CONFIG_DEVPORT is not set
2256a2257
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set

The main difference is "CONFIG_DEVPORT".

In the grsecurity patch:
Code:
 config DEVPORT
    bool
+   default n
    depends on !M68K
    depends on ISA || PCI
-   default y
+   depends on !GRKERNSEC_KMEM
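Review bot: the added "default n" sits on a "bool" that has no prompt string, so nothing in this entry can set DEVPORT to y. A promptless symbol takes its value only from its defaults or from a select, and the only default left here is n, which also makes the new "depends on !GRKERNSEC_KMEM" line redundant. If the intent is to switch DEVPORT off only under GRKERNSEC_KMEM, keep "default y" next to the new dependency, or give the "bool" a prompt so the option can be re-enabled by hand.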

My configuration satisfies these conditions (http://paste.ubuntu.com/595490/) but DEVPORT isn't activated:
Code:
CONFIG_PCI=y
# CONFIG_GRKERNSEC_KMEM is not set
simonbcn
 
Posts: 30
Joined: Mon Apr 18, 2011 7:23 am

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by PaX Team » Mon Apr 18, 2011 11:24 am

simonbcn wrote:Hi,
I have compiled today the kernel 2.6.38.3 with grsecurity-2.2.2-2.6.38.3-201104171745.patch but I can't start my server with it.
do you have any kernel logs perhaps? any grsec/PaX related messages in there? do you enable USERCOPY? if so, can you disable it and see if it helps? if that's the problem then you're probably seeing a false positive, we'll really need the kernel logs then ;). as for DEVPORT, since its default has changed, i think you'll have to manually re-enable it.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by simonbcn » Mon Apr 18, 2011 11:42 am

PaX Team wrote:
simonbcn wrote:Hi,
I have compiled today the kernel 2.6.38.3 with grsecurity-2.2.2-2.6.38.3-201104171745.patch but I can't start my server with it.
do you have any kernel logs perhaps? any grsec/PaX related messages in there? do you enable USERCOPY? if so, can you disable it and see if it helps? if that's the problem then you're probably seeing a false positive, we'll really need the kernel logs then ;). as for DEVPORT, since its default has changed, i think you'll have to manually re-enable it.

DEVPORT is changed when there are certain conditions. With grsecurity these conditions have changed:
Code:
config DEVPORT
   bool
+   default n
   depends on !M68K
   depends on ISA || PCI
-   default y
+   depends on !GRKERNSEC_KMEM

Even when my config meets those conditions (see my previous post), DEVPORT isn't enabled.
DEVPORT can't be enabled manually.

How can I obtain the kernel logs if this kernel doesn't start? :-?

Same kernel compiled with same config but without grsecurity:
Code:
$ grep -i devport config-2.6.38.3-20110418
CONFIG_DEVPORT=y

Same kernel compiled with same config but with grsecurity and without GRKERNSEC_KMEM:
Code:
$ grep -i devport config-2.6.38.3-grsec-20110418
# CONFIG_DEVPORT is not set

Do you see the difference? The problem is in the grsecurity patch.
simonbcn
 
Posts: 30
Joined: Mon Apr 18, 2011 7:23 am
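
Added example, not part of the thread or of the grsecurity patch: a simplified evaluator for the DEVPORT Kconfig entry as it reads before and after the quoted hunk, showing what a bool without a prompt resolves to for the configuration posted above. It models only bool, default, depends on, "!" and "||" (select and tristate are ignored), and the function names are hypothetical.

```python
import re

# Constructed inputs: the DEVPORT entry before and after the hunk quoted in the thread.
UPSTREAM = """config DEVPORT
    bool
    depends on !M68K
    depends on ISA || PCI
    default y
"""
PATCHED = """config DEVPORT
    bool
    default n
    depends on !M68K
    depends on ISA || PCI
    depends on !GRKERNSEC_KMEM
"""

def parse_entry(text):
    """Parse one simplified Kconfig entry into prompt, defaults and dependencies."""
    entry = {"prompt": None, "defaults": [], "depends": []}
    for line in text.splitlines()[1:]:
        line = line.strip()
        if m := re.match(r'bool(?:\s+"(.*)")?$', line):
            entry["prompt"] = m.group(1)          # None when the bool has no prompt
        elif line.startswith("default "):
            entry["defaults"].append(line.split(None, 1)[1])
        elif line.startswith("depends on "):
            entry["depends"].append(line[len("depends on "):])
    return entry

def truth(expr, config):
    """Evaluate an expression built from symbols, the constants y/n, '!' and '||'."""
    def term(tok):
        tok = tok.strip()
        if tok.startswith("!"):
            return not term(tok[1:])
        return tok == "y" or config.get(tok) == "y"
    return any(term(t) for t in expr.split("||"))

def resolve(entry, config):
    """Return (value, user_settable): the value the defaults give, and whether a
    visible prompt would let the user override it."""
    if not all(truth(d, config) for d in entry["depends"]):
        return "n", False                         # unmet dependency hides everything
    first = entry["defaults"][:1]                 # only the first default is active
    value = "y" if first and truth(first[0], config) else "n"
    return value, entry["prompt"] is not None

if __name__ == "__main__":
    cfg = {"PCI": "y"}  # as posted: CONFIG_PCI=y, GRKERNSEC_KMEM not set
    for name, text in (("upstream", UPSTREAM), ("patched", PATCHED)):
        print(name, resolve(parse_entry(text), cfg))
```
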

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by specs » Mon Apr 18, 2011 2:44 pm

I tried compiling a simple kernel for a workstation (i386) and I ran into similar problems.
After printing 4 rules on the screen the kernel stops with something like "Booting the kernel".

I tried disabling the GRKERNSEC_KMEM module, this did not produce a working kernel.
Like Pax Team suggested I tried disabling the USERCOPY option. This did produce a working kernel.

The diff between a working 2.6.38.2-kernel with a working 2.6.38.3 kernel, after a little optimization:
Code:
< # Linux/i386 2.6.38.3 Kernel Configuration
< CONFIG_STRICT_DEVMEM=y
< CONFIG_GRKERNSEC_KERN_LOCKOUT=y
> # Linux/i386 2.6.38.2 Kernel Configuration
> CONFIG_DEVPORT=y
> CONFIG_PAX_USERCOPY=y
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by simonbcn » Mon Apr 18, 2011 7:06 pm

specs wrote:I tried compiling a simple kernel for a workstation (i386) and I ran into similar problems.
After printing 4 rules on the screen the kernel stops with something like "Booting the kernel".

I tried disabling the GRKERNSEC_KMEM module, this did not produce a working kernel.
Like Pax Team suggested I tried disabling the USERCOPY option. This did produce a working kernel.

The diff between a working 2.6.38.2-kernel with a working 2.6.38.3 kernel, after a little optimization:
Code:
< # Linux/i386 2.6.38.3 Kernel Configuration
< CONFIG_STRICT_DEVMEM=y
< CONFIG_GRKERNSEC_KERN_LOCKOUT=y
> # Linux/i386 2.6.38.2 Kernel Configuration
> CONFIG_DEVPORT=y
> CONFIG_PAX_USERCOPY=y

If I activate GRSECURITY=MEDIUM, as I did until 2.6.38.2, CONFIG_PAX_USERCOPY can't be disabled. I have to set GRSECURITY=CUSTOM. This shouldn't be. It should work with GRSECURITY=MEDIUM, as in 2.6.38.2.

On the other hand, the conditions to enable CONFIG_DEVPORT are correct in my 2.6.38.3 config, but the grsecurity patch isn't working well.

Indeed, I have tried disabling USERCOPY but it still doesn't work:
Code:
# diff config-2.6.38.3-grsec-20110419 config-2.6.38.2-grsec-20110329
3,4c3,4
< # Linux/i386 2.6.38.3 Kernel Configuration
< # Tue Apr 19 00:33:56 2011
---
> # Linux/i386 2.6.38.2 Kernel Configuration
> # Tue Mar 29 14:23:37 2011
1544c1544
< # CONFIG_DEVPORT is not set
---
> CONFIG_DEVPORT=y
2217c2217
< CONFIG_STRICT_DEVMEM=y
---
> # CONFIG_STRICT_DEVMEM is not set
2244c2244
< # CONFIG_GRKERNSEC_MEDIUM is not set
---
> CONFIG_GRKERNSEC_MEDIUM=y
2246c2246
< CONFIG_GRKERNSEC_CUSTOM=y
---
> # CONFIG_GRKERNSEC_CUSTOM is not set
2257d2256
< CONFIG_GRKERNSEC_KERN_LOCKOUT=y
2370c2369
< # CONFIG_PAX_USERCOPY is not set
---
> CONFIG_PAX_USERCOPY=y
simonbcn
 
Posts: 30
Joined: Mon Apr 18, 2011 7:23 am

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by spender » Mon Apr 18, 2011 7:19 pm

The booting issue has nothing to do with DEVPORT -- it's either due to USERCOPY or the thread_info move, please send us your bzImage and vmlinux files.
-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by simonbcn » Tue Apr 19, 2011 6:19 am

spender wrote:The booting issue has nothing to do with DEVPORT -- it's either due to USERCOPY or the thread_info move, please send us your bzImage and vmlinux files.
-Brad

With CONFIG_PAX_USERCOPY disabled it fails too.
I don't have bzImage.
I have vmlinuz, config and System.map.
Thanks.
simonbcn
 
Posts: 30
Joined: Mon Apr 18, 2011 7:23 am

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by PaX Team » Tue Apr 19, 2011 6:56 am

simonbcn wrote:I have vmlinuz, config and System.map.
can you try the latest patch? we fixed the SLAB related changes yesterday, that was likely your problem as well.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by simonbcn » Tue Apr 19, 2011 8:34 am

PaX Team wrote:
simonbcn wrote:I have vmlinuz, config and System.map.
can you try the latest patch? we fixed the SLAB related changes yesterday, that was likely your problem as well.

Same problem. :(
I've tried with and without CONFIG_PAX_USERCOPY enabled.
This is the config file.
Do you want the other files (vmlinuz and System.map)?
simonbcn
 
Posts: 30
Joined: Mon Apr 18, 2011 7:23 am

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by spender » Tue Apr 19, 2011 8:59 am

Yes, can you make your vmlinux and vmlinuz files available or email them to pageexec@freemail.hu?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by simonbcn » Tue Apr 19, 2011 9:12 am

spender wrote:Yes, can you make your vmlinux and vmlinuz files available or email them to pageexec@freemail.hu?
-Brad

This is the new vmlinuz file.
simonbcn
 
Posts: 30
Joined: Mon Apr 18, 2011 7:23 am

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by PaX Team » Tue Apr 19, 2011 11:52 am

simonbcn wrote:This is the new vmlinuz file.
interesting, this one and the other one as well boot fine in qemu... where does your kernel fail? does it print any message or nothing at all?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by simonbcn » Tue Apr 19, 2011 12:21 pm

PaX Team wrote:
simonbcn wrote:This is the new vmlinuz file.
interesting, this one and the other one as well boot fine in qemu... where does your kernel fail? does it print any message or nothing at all?

At boot time. I'm using it on a remote server.
It shows nothing.
simonbcn
 
Posts: 30
Joined: Mon Apr 18, 2011 7:23 am

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by specs » Tue Apr 19, 2011 2:55 pm

specs wrote:I tried compiling a simple kernel for a workstation (i386) and I ran into similar problems.
After printing 4 rules on the screen the kernel stops with something like "Booting the kernel".

I tried disabling the GRKERNSEC_KMEM module, this did not produce a working kernel.
Like Pax Team suggested I tried disabling the USERCOPY option. This did produce a working kernel.

The diff between a working 2.6.38.2-kernel with a working 2.6.38.3 kernel, after a little optimization:
Code:
< # Linux/i386 2.6.38.3 Kernel Configuration
< CONFIG_STRICT_DEVMEM=y
< CONFIG_GRKERNSEC_KERN_LOCKOUT=y
> # Linux/i386 2.6.38.2 Kernel Configuration
> CONFIG_DEVPORT=y
> CONFIG_PAX_USERCOPY=y

Reading this thread, it feels like simonbcn has a different problem.
With the 201104190633-patch at least my workstation boots again with USERCOPY enabled.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: Possible bug in 2.6.38.3-201104171745.patch with DEVPORT

Post by spender » Tue Apr 19, 2011 5:53 pm

simonbcn: your problem should be fixed in the latest patches just uploaded.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
