grsecurity forums

[x14sg1]

The patch fixes my const problem but I had to remove the pax calls as they are not defined .

what errors did you get exactly? the patch worked fine for me (i used gentoo's ebuild system but i doubt it does anything special with kernel module compilation).

Ok ... I understand what is happening .... I compile kernels with and without grsec - the grsec kernels
compile ok with your patch. The non-grsec kernels do not. So I will just add a few #ifdefs to the patch
and regen a custom NVIDIA file. I will report your patch (the casts) to NVIDIA. Do you think they will do anything about it?

Thanks

Tim

[PaX Team]

Code: Select all

# make
Makefile:648: "WARNING: Appending $KCPPFLAGS (-march=native -mtune=native -O2 -pipe -w -fomit-frame-pointer) from environment to kernel $CPPFLAGS"
Makefile:656: "WARNING: Appending $KCFLAGS (-march=native -mtune=native -O2 -pipe -w -fomit-frame-pointer) from environment to kernel $CFLAGS"

what are these variables and where do they come from?

From my environment. Why?

you must be very careful with adding explicit flags to kernel compilation, unless you really know what you're doing, you should not do it. e.g., -fomit-frame-pointer doesn't do anything in the preprocessor and it is actually controlled by a kernel config option for the compiler, you should not just override it like this. so my advice is to unset these.

SSP? What is this? "grep SSP .config" shows nothing.

stack smashing protector, look for CC_STACKPROTECTOR (and disable it).

[PaX Team]

Ok ... I understand what is happening .... I compile kernels with and without grsec - the grsec kernels
compile ok with your patch. The non-grsec kernels do not.

ah sorry, i thought it was obvious that my patch was meant for grsec/PaX kernels only.

So I will just add a few #ifdefs to the patch and regen a custom NVIDIA file.

make the code depend on CONFIG_PAX_KERNEXEC, that way it'll be unique to PaX kernels.

I will report your patch (the casts) to NVIDIA. Do you think they will do anything about it?

i doubt they'll care about third party kernels/patches but give it a try and let us know .

[simonbcn]

you must be very careful with adding explicit flags to kernel compilation, unless you really know what you're doing, you should not do it. e.g., -fomit-frame-pointer doesn't do anything in the preprocessor and it is actually controlled by a kernel config option for the compiler, you should not just override it like this. so my advice is to unset these.

Ok, thanks. I have disabled it.

SSP? What is this? "grep SSP .config" shows nothing.

stack smashing protector, look for CC_STACKPROTECTOR (and disable it).

It was already disabled but the error continues:

Code: Select all

Symbol: CC_STACKPROTECTOR [=n]

[PaX Team]

It was already disabled but the error continues:

Code: Select all

Symbol: CC_STACKPROTECTOR [=n]

then i don't know, but something's compiled those objects with ssp. maybe you're using a compiler/wrapper that enforces ssp? or maybe they're stale objects from an earlier compilation (try make clean)?

[simonbcn]

It was already disabled but the error continues:

Code: Select all

Symbol: CC_STACKPROTECTOR [=n]

then i don't know, but something's compiled those objects with ssp. maybe you're using a compiler/wrapper that enforces ssp? or maybe they're stale objects from an earlier compilation (try make clean)?

The problem occurs only with grsecurity patch. I compile it with the same configuration as the kernel 2.6.39.3, but with the patches for kernel 2.6.39.4 it doesn't compile.
My config is this: http://paste.ubuntu.com/668457/
My compiler:

Code: Select all

# gcc --version
gcc (Ubuntu/Linaro 4.5.2-8ubuntu4) 4.5.2


Any idea? I think the problem is in patch.

[simonbcn]

I've tried with grsecurity-2.2.2-2.6.39.4-201108172006.patch but same error: http://paste.ubuntu.com/669365/
And this time without KCPPFLAGS/KCFLAGS.

[simonbcn]

Same error with grsecurity-2.2.2-2.6.39.4-201108192305.patch :

Code: Select all

...
WARNING: modpost: Found 4717 section mismatch(es).
To see full details build your kernel with:
'make CONFIG_DEBUG_SECTION_MISMATCH=y'
init/built-in.o: In function `name_to_dev_t':
(.text+0x4bd): undefined reference to `__stack_chk_fail'
init/built-in.o: In function `mount_block_root':
(.init.text+0xc6a): undefined reference to `__stack_chk_fail'
init/built-in.o: In function `change_floppy':
(.init.text+0xe02): undefined reference to `__stack_chk_fail'
init/built-in.o: In function `rd_load_image':
(.init.text+0x1692): undefined reference to `__stack_chk_fail'
init/built-in.o: In function `md_setup_drive':
do_mounts_md.c:(.init.text+0x2203): undefined reference to `__stack_chk_fail'
init/built-in.o:initramfs.c:(.init.text+0x2ed9): more undefined references to `__stack_chk_fail' follow
make: *** [.tmp_vmlinux1] Error 1


Without grsecurity patch this error doesn't occur.

[PaX Team]

Same error with grsecurity-2.2.2-2.6.39.4-201108192305.patch

can you post

Code: Select all

head init/.do_mounts.o.cmd

?

[simonbcn]

Same error with grsecurity-2.2.2-2.6.39.4-201108192305.patch

can you post

Code: Select all

head init/.do_mounts.o.cmd

?

Code: Select all

# head init/.do_mounts.o.cmd
cmd_init/do_mounts.o := gcc -Wp,-MD,init/.do_mounts.o.d  -nostdinc -isystem /usr/lib/x86_64-linux-gnu/gcc/x86_64-linux-gnu/4.5.2/include -I/root/kernel/linux-2.6.39.4/arch/x86/include -Iinclude  -include include/generated/autoconf.h -D__KERNEL__ -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -W -Wno-unused-parameter -Wno-missing-field-initializers -fno-strict-aliasing -fno-common -Werror-implicit-function-declaration -Wno-format-security -fno-delete-null-pointer-checks -Wno-empty-body -O2 -fplugin=/root/kernel/linux-2.6.39.4/tools/gcc/constify_plugin.so -m64 -mno-red-zone -mcmodel=kernel -maccumulate-outgoing-args -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -DCONFIG_AS_CFI_SECTIONS=1 -DCONFIG_AS_FXSAVEQ=1 -pipe -Wno-sign-compare -fno-asynchronous-unwind-tables -fomit-frame-pointer -DCC_HAVE_ASM_GOTO    -D"KBUILD_STR(s)=\#s" -D"KBUILD_BASENAME=KBUILD_STR(do_mounts)"  -D"KBUILD_MODNAME=KBUILD_STR(mounts)" -c -o init/do_mounts.o init/do_mounts.c

source_init/do_mounts.o := init/do_mounts.c

deps_init/do_mounts.o := \
    $(wildcard include/config/block.h) \
    $(wildcard include/config/debug/block/ext/devt.h) \
    $(wildcard include/config/root/nfs.h) \
    $(wildcard include/config/blk/dev/ram.h) \
    $(wildcard include/config/blk/dev/fd.h) \


[PaX Team]

ok, so the passed in compiler flags look fine, now can you send me your init/do_mounts.o file please? also, what is your distro/gcc exactly? is it some hardened gcc that enforces ssp unconditionally?

[simonbcn]

ok, so the passed in compiler flags look fine, now can you send me your init/do_mounts.o file please? also, what is your distro/gcc exactly? is it some hardened gcc that enforces ssp unconditionally?

http://dl.dropbox.com/u/1466192/do_mounts.o
distro: Ubuntu Natty 64 bits

Code: Select all

# gcc --version
gcc (Ubuntu/Linaro 4.5.2-8ubuntu4) 4.5.2
Copyright (C) 2010 Free Software Foundation, Inc.


[PaX Team]

Code: Select all

# gcc --version
gcc (Ubuntu/Linaro 4.5.2-8ubuntu4) 4.5.2
Copyright (C) 2010 Free Software Foundation, Inc.


i don't know this one, does Linaro enforce SSP perhaps? can you also compare the vanilla kernel's init/.do_mounts.o.cmd file to see if it's different from the grsec one?

[simonbcn]

Code: Select all

# gcc --version
gcc (Ubuntu/Linaro 4.5.2-8ubuntu4) 4.5.2
Copyright (C) 2010 Free Software Foundation, Inc.


i don't know this one, does Linaro enforce SSP perhaps? can you also compare the vanilla kernel's init/.do_mounts.o.cmd file to see if it's different from the grsec one?

I also don't know that.
But in gcc changelog of Ubuntu talks about SSP: http://changelogs.ubuntu.com/changelogs/pool/main/g/gcc-4.5/gcc-4.5_4.5.2-8ubuntu4/changelog
And in gcc sources there is a README.ssp document:

Stack smashing protection is a feature of GCC that enables a program to detect buffer overflows and immediately terminate execution, rather than continuing execution with corrupt internal data structures. It uses "canaries" and local variable reordering to reduce the likelihood of stack corruption through buffer overflows.

Options that affect stack smashing protection:

-fstack-protector
Enables protection for functions that are vulnerable to stack smashing, such as those that call alloca() or use pointers.

-fstack-protector-all
Enables protection for all functions.

-Wstack-protector
Warns about functions that will not be protected. Only active when -fstack-protector has been used.

Applications built with stack smashing protection should link with the ssp library by using the option "-lssp" for systems with glibc-2.3.x or older; glibc-2.4 and newer versions provide this functionality in libc.

The Debian architectures alpha, hppa, ia64, m68k, mips, mipsel do not have support for stack smashing protection.

More documentation can be found at the project's website: http://researchweb.watson.ibm.com/trl/p ... urity/ssp/

The diff between init/.do_mounts.o.cmd files (do_mounts.o.cmd = grsec file / linux-2.6.39.4/init/.do_mounts.o.cmd = vanilla kernel): http://paste.ubuntu.com/671216/

[PaX Team]

The diff between init/.do_mounts.o.cmd files (do_mounts.o.cmd = grsec file / linux-2.6.39.4/init/.do_mounts.o.cmd = vanilla kernel): http://paste.ubuntu.com/671216/

so vanilla passes -fno-stack-protector whereas grsec doesn't. question is where it comes from in the vanilla kernel...