virtualbox modules do not compile with gcc constify plugin


Postby nickde » Sun Aug 14, 2011 9:29 pm

The title is pretty descriptive. If those modules, needed for virtualbox to work, are built against grsecurity headers, gcc fails to compile them.

I am using vanilla kernel 2.6.39-4 with the latest grsecurity-pax patchset, and virtualbox 4.1.0.

The error produced is

Code:
/var/lib/dkms/vboxhost/4.1.0/build/vboxdrv/SUPDrv.c: In function ‘supdrvIDC_LdrGetSymbol’:
/var/lib/dkms/vboxhost/4.1.0/build/vboxdrv/SUPDrv.c:4346:17: error: assignment of read-only member ‘Out’
/var/lib/dkms/vboxhost/4.1.0/build/vboxdrv/SUPDrv.c:4377:21: error: assignment of read-only member ‘Out’


Here is the offending function:

Code:
/**
 * Gets the address of a symbol in an open image or the support driver.
 *
 * @returns VINF_SUCCESS on success.
 * @returns
 * @param   pDevExt     Device globals.
 * @param   pSession    Session data.
 * @param   pReq        The request buffer.
 */
static int supdrvIDC_LdrGetSymbol(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, PSUPDRVIDCREQGETSYM pReq)
{
    int             rc = VINF_SUCCESS;
    const char     *pszSymbol = pReq->u.In.pszSymbol;
    const char     *pszModule = pReq->u.In.pszModule;
    size_t          cbSymbol;
    char const     *pszEnd;
    uint32_t        i;

    /*
     * Input validation.
     */
    AssertPtrReturn(pszSymbol, VERR_INVALID_POINTER);
    pszEnd = RTStrEnd(pszSymbol, 512);
    AssertReturn(pszEnd, VERR_INVALID_PARAMETER);
    cbSymbol = pszEnd - pszSymbol + 1;

    if (pszModule)
    {
        AssertPtrReturn(pszModule, VERR_INVALID_POINTER);
        pszEnd = RTStrEnd(pszModule, 64);
        AssertReturn(pszEnd, VERR_INVALID_PARAMETER);
    }
    Log3(("supdrvIDC_LdrGetSymbol: pszModule=%p:{%s} pszSymbol=%p:{%s}\n", pszModule, pszModule, pszSymbol, pszSymbol));


    if (    !pszModule
        ||  !strcmp(pszModule, "SupDrv"))
    {
        /*
         * Search the support driver export table.
         */
        for (i = 0; i < RT_ELEMENTS(g_aFunctions); i++)
            if (!strcmp(g_aFunctions[i].szName, pszSymbol))
            {
                pReq->u.Out.pfnSymbol = g_aFunctions[i].pfn;
                break;
            }
    }
    else
    {
        /*
         * Find the loader image.
         */
        PSUPDRVLDRIMAGE pImage;

        supdrvLdrLock(pDevExt);

        for (pImage = pDevExt->pLdrImages; pImage; pImage = pImage->pNext)
            if (!strcmp(pImage->szName, pszModule))
                break;
        if (pImage && pImage->uState == SUP_IOCTL_LDR_LOAD)
        {
            /*
             * Search the symbol strings.
             */
            const char *pchStrings = pImage->pachStrTab;
            PCSUPLDRSYM paSyms     = pImage->paSymbols;
            for (i = 0; i < pImage->cSymbols; i++)
            {
                if (    paSyms[i].offName + cbSymbol <= pImage->cbStrTab
                    &&  !memcmp(pchStrings + paSyms[i].offName, pszSymbol, cbSymbol))
                {
                    /*
                     * Found it! Calc the symbol address and add a reference to the module.
                     */
                    pReq->u.Out.pfnSymbol = (PFNRT)((uint8_t *)pImage->pvImage + (int32_t)paSyms[i].offSymbol);
                    rc = supdrvLdrAddUsage(pSession, pImage);
                    break;
                }
            }
        }
        else
            rc = pImage ? VERR_WRONG_ORDER : VERR_MODULE_NOT_FOUND;

        supdrvLdrUnlock(pDevExt);
    }
    return rc;
}


The first error is on "pReq->u.Out.pfnSymbol = g_aFunctions[i].pfn;" and the second on "pReq->u.Out.pfnSymbol = (PFNRT)((uint8_t *)pImage->pvImage + (int32_t)paSyms[i].offSymbol);"

I am not really sure where 'u' and 'Out' are defined, have to dig some more. I imagine something is defined as const?

I can report this to virtualbox, but first need to gather more info about it - why does it happen, as I am not really sure what exactly this plugin does.
nickde
 
Posts: 5
Joined: Sun Aug 14, 2011 9:21 pm

Re: virtualbox modules do not compile with gcc constify plug

Postby PaX Team » Mon Aug 15, 2011 5:30 am

nickde wrote: The title is pretty descriptive. If those modules, needed for virtualbox to work, are built against grsecurity headers, gcc fails to compile them.
i have a fix for this in my test dir.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: virtualbox modules do not compile with gcc constify plug

Postby nickde » Mon Aug 15, 2011 7:12 am

PaX Team wrote:
nickde wrote: The title is pretty descriptive. If those modules, needed for virtualbox to work, are built against grsecurity headers, gcc fails to compile them.
i have a fix for this in my test dir.


Thank you very much. Couldn't find it by searching on google - maybe it appeared on the mailing list sometime.
Can I ask what exactly "__no_const" does? So that I learn something out of this :-) My guess is that it makes the plugin ignore this struct.
nickde
 
Posts: 5
Joined: Sun Aug 14, 2011 9:21 pm

Re: virtualbox modules do not compile with gcc constify plug

Postby boris64 » Mon Aug 15, 2011 10:12 am

PaX Team wrote:
nickde wrote: The title is pretty descriptive. If those modules, needed for virtualbox to work, are built against grsecurity headers, gcc fails to compile them.
i have a fix for this in my test dir.

I have the same problem. After applying
virtualbox-pax-const.patch make dies a bit later.

Code:
>>> Emerging (1 of 1) app-emulation/virtualbox-modules-4.1.0-r1 from overlay-boris64-net
 * vbox-kernel-module-src-4.1.0.tar.bz2 RMD160 SHA1 SHA256 size ;-) ...                                                                                                                                                              [ ok ]
 * Determining the location of the kernel source code
 * Found kernel source directory:
 *     /usr/src/linux
 * Found sources for kernel version:
 *     2.6.32.44-grsec-r201108141242-lts-2k12+
>>> Unpacking source...
>>> Unpacking vbox-kernel-module-src-4.1.0.tar.bz2 to /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work
>>> Source unpacked in /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work
>>> Preparing source in /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work ...
 * Applying virtualbox-modules-4.1.0-vboxbug9305.patch ...                                                                                                                                                                           [ ok ]
 * Applying virtualbox-modules-4.1.0-pax-const.patch ...                                                                                                                                                                             [ ok ]
>>> Source prepared.
>>> Configuring source in /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work ...
>>> Source configured.
>>> Compiling source in /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work ...
ln: failed to create symbolic link `Module.symvers': File exists
 * Preparing vboxdrv module
make -j8 HOSTCC=x86_64-pc-linux-gnu-gcc CROSS_COMPILE=x86_64-pc-linux-gnu- LDFLAGS= KERN_DIR=/usr/src/linux KERNOUT=/usr/src/linux all
*** Building 'vboxdrv' module ***
make[1]: Entering directory `/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv'
make KBUILD_VERBOSE= SUBDIRS=/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv SRCROOT=/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv -C /usr/src/linux modules
make[2]: Entering directory `/usr/src/linux-2.6.32.44-grsec-r201108141242'
/usr/src/linux-2.6.32.44-grsec-r201108141242/arch/x86/Makefile:82: stack protector enabled but no compiler support
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/linux/SUPDrv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/SUPDrv.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/SUPDrvSem.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/alloc-r0drv.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/initterm-r0drv.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/memobj-r0drv.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/mpnotification-r0drv.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/powernotification-r0drv.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/assert-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/alloc-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/initterm-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/memobj-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/memuserkernel-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/mp-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/mpnotification-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/process-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/semevent-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/semeventmulti-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/semfastmutex-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/semmutex-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/spinlock-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/thread-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/thread2-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/time-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/timer-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/generic/semspinmutex-r0drv-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/alloc/alloc.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/checksum/crc32.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/checksum/ipv4.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/checksum/ipv6.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/err/RTErrConvertFromErrno.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/err/RTErrConvertToErrno.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/log/log.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/log/logellipsis.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/log/logrel.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/log/logrelellipsis.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/log/logcom.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/log/logformat.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/misc/RTAssertMsg1Weak.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/misc/RTAssertMsg2.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/misc/RTAssertMsg2Add.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/misc/RTAssertMsg2AddWeak.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/misc/RTAssertMsg2AddWeakV.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/misc/RTAssertMsg2Weak.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/misc/RTAssertMsg2WeakV.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/misc/assert.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/misc/handletable.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/misc/handletablectx.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/misc/thread.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/string/RTStrCopyP.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/string/strformat.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/string/strformatrt.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/string/strformattype.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/string/strprintf.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/string/strtonum.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/table/avlpv.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/time/time.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/r0drv/linux/RTLogWriteDebugger-r0drv-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/RTAssertShouldPanic-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/RTLogWriteStdErr-stub-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/RTLogWriteStdOut-stub-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/RTLogWriteUser-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/RTMpGetArraySize-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/RTSemEventWait-2-ex-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/RTSemEventWaitNoResume-2-ex-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/RTSemEventMultiWait-2-ex-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/RTSemEventMultiWaitNoResume-2-ex-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/RTTimerCreate-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/errvars-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/mppresent-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/generic/uuid-generic.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/VBox/log-vbox.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/common/alloc/heapsimple.o
  LD [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/vboxdrv.o
  Building modules, stage 2.
  MODPOST 1 modules
WARNING: modpost: Found 218 section mismatch(es).
To see full details build your kernel with:
'make CONFIG_DEBUG_SECTION_MISMATCH=y'
  CC      /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/vboxdrv.mod.o
  LD [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv/vboxdrv.ko
make[2]: Leaving directory `/usr/src/linux-2.6.32.44-grsec-r201108141242'
make[1]: Leaving directory `/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxdrv'

*** Building 'vboxnetflt' module ***
make[1]: Entering directory `/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt'
make KBUILD_VERBOSE= SUBDIRS=/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt SRCROOT=/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt -C /usr/src/linux modules
make[2]: Entering directory `/usr/src/linux-2.6.32.44-grsec-r201108141242'
/usr/src/linux-2.6.32.44-grsec-r201108141242/arch/x86/Makefile:82: stack protector enabled but no compiler support
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt/linux/VBoxNetFlt-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt/VBoxNetFlt.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt/SUPR0IdcClient.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt/SUPR0IdcClientComponent.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt/linux/SUPR0IdcClient-linux.o
/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt/linux/VBoxNetFlt-linux.c: In function ‘vboxNetFltLinuxHookDev’:
/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt/linux/VBoxNetFlt-linux.c:968:5: error: assignment of read-only member ‘Ops’
/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt/linux/VBoxNetFlt-linux.c:972:5: error: assignment of read-only member ‘Ops’
make[3]: *** [/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt/linux/VBoxNetFlt-linux.o] Error 1
make[2]: *** [_module_/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt] Error 2
make[2]: Leaving directory `/usr/src/linux-2.6.32.44-grsec-r201108141242'
make[1]: *** [vboxnetflt] Error 2
make[1]: Leaving directory `/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetflt'
cp: cannot stat `vboxnetflt/vboxnetflt.ko': No such file or directory

*** Building 'vboxnetadp' module ***
make[1]: Entering directory `/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetadp'
make KBUILD_VERBOSE= SUBDIRS=/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetadp SRCROOT=/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetadp -C /usr/src/linux modules
make[2]: Entering directory `/usr/src/linux-2.6.32.44-grsec-r201108141242'
/usr/src/linux-2.6.32.44-grsec-r201108141242/arch/x86/Makefile:82: stack protector enabled but no compiler support
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetadp/linux/VBoxNetAdp-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetadp/VBoxNetAdp.o
  LD [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetadp/vboxnetadp.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetadp/vboxnetadp.mod.o
  LD [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetadp/vboxnetadp.ko
make[2]: Leaving directory `/usr/src/linux-2.6.32.44-grsec-r201108141242'
make[1]: Leaving directory `/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxnetadp'

*** Building 'vboxpci' module ***
make[1]: Entering directory `/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci'
make KBUILD_VERBOSE= SUBDIRS=/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci SRCROOT=/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci -C /usr/src/linux modules
make[2]: Entering directory `/usr/src/linux-2.6.32.44-grsec-r201108141242'
/usr/src/linux-2.6.32.44-grsec-r201108141242/arch/x86/Makefile:82: stack protector enabled but no compiler support
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/linux/VBoxPci-linux.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/VBoxPci.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/SUPR0IdcClient.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/SUPR0IdcClientComponent.o
  CC [M]  /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/linux/SUPR0IdcClient-linux.o
/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/VBoxPci.c: In function ‘vboxPciQueryFactoryInterface’:
/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/VBoxPci.c:68:13: warning: return discards qualifiers from pointer target type
/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/VBoxPci.c: In function ‘vboxPciInitGlobals’:
/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/VBoxPci.c:732:9: error: assignment of read-only member ‘RawPciFactory’
/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/VBoxPci.c:733:9: error: assignment of read-only member ‘RawPciFactory’
/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/VBoxPci.c:734:9: error: assignment of read-only member ‘RawPciFactory’
/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/VBoxPci.c:735:9: error: assignment of read-only member ‘RawPciFactory’
make[3]: *** [/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci/VBoxPci.o] Error 1
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [_module_/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci] Error 2
make[2]: Leaving directory `/usr/src/linux-2.6.32.44-grsec-r201108141242'
make[1]: *** [vboxpci] Error 2
make[1]: Leaving directory `/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work/vboxpci'
cp: cannot stat `vboxpci/vboxpci.ko': No such file or directory

>>> Source compiled.
>>> Test phase [not enabled]: app-emulation/virtualbox-modules-4.1.0-r1

>>> Install virtualbox-modules-4.1.0-r1 into /tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/image/ category app-emulation
 * Installing vboxdrv module
 * Installing vboxnetflt module
install: cannot stat `vboxnetflt.ko': No such file or directory
!!! doins: vboxnetflt.ko does not exist
doins failed
 * ERROR: app-emulation/virtualbox-modules-4.1.0-r1 failed (install phase):
 *   doins vboxnetflt.ko failed
 *
 * Call stack:
 *     ebuild.sh, line   56:  Called src_install
 *   environment, line 3466:  Called linux-mod_src_install
 *   environment, line 2692:  Called die
 * The specific snippet of code:
 *           doins ${modulename}.${KV_OBJ} || die "doins ${modulename}.${KV_OBJ} failed";
 *
 * If you need support, post the output of 'emerge --info =app-emulation/virtualbox-modules-4.1.0-r1',
 * the complete build log and the output of 'emerge -pqv =app-emulation/virtualbox-modules-4.1.0-r1'.
 * This ebuild is from an overlay named 'overlay-boris64-net': '/var/portage/overlays/boris64.net/'
 * The complete build log is located at '/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/temp/build.log.gz'.
 * The ebuild environment file is located at '/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/temp/environment'.
 * S: '/tmp/portage/portage/app-emulation/virtualbox-modules-4.1.0-r1/work'
 * QA Notice: file does not exist:
 *
 *      doins: vboxnetflt.ko does not exist

>>> Failed to emerge app-emulation/virtualbox-modules-4.1.0-r1
boris64
 
Posts: 2
Joined: Mon Apr 18, 2011 7:12 pm

Re: virtualbox modules do not compile with gcc constify plug

Postby nickde » Mon Aug 15, 2011 10:34 am

So, after messing with it for a while, I figured that I needed another two patches, except those in your patch for vbox:

Code:
diff -urp vboxhost/vboxdrv/SUPDrvIDC.h /usr/src/vboxhost-4.1.0/vboxdrv/SUPDrvIDC.h
--- vboxhost/vboxdrv/SUPDrvIDC.h   2011-07-19 13:53:53.000000000 +0300
+++ /usr/src/vboxhost-4.1.0/vboxdrv/SUPDrvIDC.h   2011-08-15 14:17:38.056752712 +0300
@@ -160,7 +160,7 @@ typedef struct SUPDRVIDCREQGETSYM
         {
             /** The symbol address. */
             PFNRT           pfnSymbol;
-        } Out;
+        } __no_const Out;
     } u;
 } SUPDRVIDCREQGETSYM;
 /** Pointer to a SUPDRV IDC get symbol request. */
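Review bot: `__no_const` on `Out` is used without any fallback definition in this patch, so the patched SUPDrvIDC.h only compiles against headers that already provide the macro. A guard such as `#ifndef __no_const` / `#define __no_const` / `#endif` in a header shared by the module sources would keep the same tree buildable against an unpatched kernel. A short comment beside `Out` noting that `pfnSymbol` is written by the request handler at run time would also record why the opt-out is needed.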
diff -urp vboxhost/vboxnetflt/include/VBox/intnet.h /usr/src/vboxhost-4.1.0/vboxnetflt/include/VBox/intnet.h
--- vboxhost/vboxnetflt/include/VBox/intnet.h   2011-07-19 13:53:53.000000000 +0300
+++ /usr/src/vboxhost-4.1.0/vboxnetflt/include/VBox/intnet.h   2011-08-15 14:18:44.266752698 +0300
@@ -783,7 +783,7 @@ typedef struct INTNETTRUNKFACTORY
     DECLR0CALLBACKMEMBER(int, pfnCreateAndConnect,(struct INTNETTRUNKFACTORY *pIfFactory, const char *pszName,
                                                    PINTNETTRUNKSWPORT pSwitchPort, uint32_t fFlags,
                                                    PINTNETTRUNKIFPORT *ppIfPort));
-} INTNETTRUNKFACTORY;
+} __no_const INTNETTRUNKFACTORY;
 /** Pointer to the trunk factory. */
 typedef INTNETTRUNKFACTORY *PINTNETTRUNKFACTORY;
 
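Review bot: placing `__no_const` on the `INTNETTRUNKFACTORY` typedef itself exempts every object of that type, not only an instance that is filled in at run time. The rawpci.h hunk in this same patch keeps the original typedef and adds a separate `__no_const` alias for the one writable member; the same form here would leave the remaining `INTNETTRUNKFACTORY` objects read-only.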
diff -urp vboxhost/vboxnetflt/linux/VBoxNetFlt-linux.c /usr/src/vboxhost-4.1.0/vboxnetflt/linux/VBoxNetFlt-linux.c
--- vboxhost/vboxnetflt/linux/VBoxNetFlt-linux.c   2011-07-19 13:53:53.000000000 +0300
+++ /usr/src/vboxhost-4.1.0/vboxnetflt/linux/VBoxNetFlt-linux.c   2011-08-15 17:32:50.096512225 +0300
@@ -839,8 +839,7 @@ typedef struct ethtool_ops OVR_OPSTYPE;
 # define OVR_XMIT pfnStartXmit
 
 # else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 29) */
-
-typedef struct net_device_ops OVR_OPSTYPE;
+typedef struct net_device_ops __no_const OVR_OPSTYPE;
 # define OVR_OPS  netdev_ops
 # define OVR_XMIT pOrgOps->ndo_start_xmit
 
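Review bot: only the `net_device_ops` typedef in the `>= 2.6.29` branch gets `__no_const`; the `typedef struct ethtool_ops OVR_OPSTYPE;` shown in the hunk header for the older-kernel branch is left as it was, so if that structure is constified as well, the same read-only `Ops` error would remain on those kernels. The hunk also deletes the blank line after the `# else` comment, a whitespace change unrelated to the fix that is better dropped.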
diff -urp vboxhost/vboxpci/include/VBox/rawpci.h /usr/src/vboxhost-4.1.0/vboxpci/include/VBox/rawpci.h
--- vboxhost/vboxpci/include/VBox/rawpci.h   2011-07-19 13:53:53.000000000 +0300
+++ /usr/src/vboxhost-4.1.0/vboxpci/include/VBox/rawpci.h   2011-08-15 17:08:44.094034496 +0300
@@ -545,7 +545,7 @@ typedef struct RAWPCIFACTORY
     DECLR0CALLBACKMEMBER(void, pfnDeinitVm,(PRAWPCIFACTORY       pFactory,
                                             PVM                  pVM,
                                             PRAWPCIPERVM         pPciData));
-} RAWPCIFACTORY;
+} RAWPCIFACTORY, __no_const RAWPCIFACTORY_NO_CONST;
 
 #define RAWPCIFACTORY_UUID_STR   "ea089839-4171-476f-adfb-9e7ab1cbd0fb"
 
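Review bot: the new `RAWPCIFACTORY_NO_CONST` alias in the typedef's declarator list is undocumented and has no user in this header. Add a comment in the file's existing `/** ... */` style saying it exists for objects whose callbacks are assigned at run time, so it is not picked up as a general replacement for `RAWPCIFACTORY`.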
diff -urp vboxhost/vboxpci/VBoxPciInternal.h /usr/src/vboxhost-4.1.0/vboxpci/VBoxPciInternal.h
--- vboxhost/vboxpci/VBoxPciInternal.h   2011-07-19 13:53:53.000000000 +0300
+++ /usr/src/vboxhost-4.1.0/vboxpci/VBoxPciInternal.h   2011-08-15 17:08:53.204034498 +0300
@@ -130,7 +130,7 @@ typedef struct VBOXRAWPCIGLOBALS
     PVBOXRAWPCIINS pInstanceHead;
 
     /** The raw PCI interface factory. */
-    RAWPCIFACTORY RawPciFactory;
+    RAWPCIFACTORY_NO_CONST RawPciFactory;
     /** The SUPDRV component factory registration. */
     SUPDRVFACTORY SupDrvFactory;
     /** The number of current factory references. */
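Review bot: the `RawPciFactory` member now depends on `RAWPCIFACTORY_NO_CONST` from the rawpci.h hunk, but its doc comment still reads only `/** The raw PCI interface factory. */`. Extend the comment to say the member is filled in at run time (the build log earlier in the thread reports the assignments in `vboxPciInitGlobals`), which is the reason it uses the writable alias.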


Don't know if that's the best way to do it, but that's what I ended up with after tracking down other constification errors.
nickde
 
Posts: 5
Joined: Sun Aug 14, 2011 9:21 pm

Re: virtualbox modules do not compile with gcc constify plug

Postby PaX Team » Mon Aug 15, 2011 2:12 pm

nickde wrote: Don't know if that's the best way to do it, but that's what I ended up with after tracking down other constification errors.
my patch was against 4.0.x so 4.1 may very well need a new one indeed, i'll take a look at it later and see what the best way is.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: virtualbox modules do not compile with gcc constify plug

Postby vs » Sun Aug 21, 2011 2:29 pm

The below patch is for VirtualBox 4.1.2.

Code:
diff -urN vboxhost.orig/vboxdrv/SUPDrvIDC.h vboxhost/vboxdrv/SUPDrvIDC.h
--- vboxhost.orig/vboxdrv/SUPDrvIDC.h   2010-10-28 12:01:18.000000000 +0200
+++ vboxhost/vboxdrv/SUPDrvIDC.h   2011-08-21 02:52:49.000000000 +0200
@@ -160,7 +160,7 @@
         {
             /** The symbol address. */
             PFNRT           pfnSymbol;
-        } Out;
+        } __no_const Out;
     } u;
 } SUPDRVIDCREQGETSYM;
 /** Pointer to a SUPDRV IDC get symbol request. */
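Review bot: the hunk headers in this patch (`@@ -160,7 +160,7 @@`) carry no enclosing-declaration context because the diff was made with `diff -urN`. Regenerating with `-p` added, as the 4.1.0 patch earlier in the thread did, makes it visible from the header alone which typedef each `__no_const` lands in.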
diff -urN vboxhost.orig/vboxnetflt/include/VBox/intnet.h vboxhost/vboxnetflt/include/VBox/intnet.h
--- vboxhost.orig/vboxnetflt/include/VBox/intnet.h   2011-07-15 16:19:31.000000000 +0200
+++ vboxhost/vboxnetflt/include/VBox/intnet.h   2011-08-21 02:40:22.000000000 +0200
@@ -783,7 +783,7 @@
     DECLR0CALLBACKMEMBER(int, pfnCreateAndConnect,(struct INTNETTRUNKFACTORY *pIfFactory, const char *pszName,
                                                    PINTNETTRUNKSWPORT pSwitchPort, uint32_t fFlags,
                                                    PINTNETTRUNKIFPORT *ppIfPort));
-} INTNETTRUNKFACTORY;
+} __no_const INTNETTRUNKFACTORY;
 /** Pointer to the trunk factory. */
 typedef INTNETTRUNKFACTORY *PINTNETTRUNKFACTORY;
 
diff -urN vboxhost.orig/vboxnetflt/linux/VBoxNetFlt-linux.c vboxhost/vboxnetflt/linux/VBoxNetFlt-linux.c
--- vboxhost.orig/vboxnetflt/linux/VBoxNetFlt-linux.c   2011-07-19 12:52:25.000000000 +0200
+++ vboxhost/vboxnetflt/linux/VBoxNetFlt-linux.c   2011-08-21 03:08:10.000000000 +0200
@@ -840,7 +840,7 @@
 
 # else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 29) */
 
-typedef struct net_device_ops OVR_OPSTYPE;
+typedef struct net_device_ops __no_const OVR_OPSTYPE;
 # define OVR_OPS  netdev_ops
 # define OVR_XMIT pOrgOps->ndo_start_xmit
 
diff -urN vboxhost.orig/vboxpci/include/VBox/rawpci.h vboxhost/vboxpci/include/VBox/rawpci.h
--- vboxhost.orig/vboxpci/include/VBox/rawpci.h   2011-04-18 17:18:10.000000000 +0200
+++ vboxhost/vboxpci/include/VBox/rawpci.h   2011-08-21 02:59:57.000000000 +0200
@@ -545,7 +545,7 @@
     DECLR0CALLBACKMEMBER(void, pfnDeinitVm,(PRAWPCIFACTORY       pFactory,
                                             PVM                  pVM,
                                             PRAWPCIPERVM         pPciData));
-} RAWPCIFACTORY;
+} __no_const RAWPCIFACTORY;
 
 #define RAWPCIFACTORY_UUID_STR   "ea089839-4171-476f-adfb-9e7ab1cbd0fb"
 
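Review bot: `__no_const` is applied to the `RAWPCIFACTORY` typedef itself, which exempts every object of that type from constification. The 4.1.0 patch earlier in this thread limited the exemption to a separate `RAWPCIFACTORY_NO_CONST` alias used for the single `RawPciFactory` member; that narrower form leaves fewer writable function-pointer tables and is worth keeping unless other `RAWPCIFACTORY` objects are also written at run time.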
vs
 
Posts: 22
Joined: Sun Jan 09, 2005 11:11 am
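
What the patches in this thread change, as an added user-space example (not code from VirtualBox, PaX or any poster): the constify plugin treats structures made up only of function pointers as const, and `__no_const` exempts a type, or a single typedef alias of it, from that. The plugin is not loaded here, so its effect is written out with an explicit `const`; `xmit_ops`, `device`, `override` and all functions are hypothetical names, with `Ops` and `pOrgOps` borrowed from the identifiers visible in the build log and patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model. Every member is a function pointer, which is the shape
 * of structure the errors in this thread are about. */
struct xmit_ops {
    int (*start_xmit)(int len);
    int (*get_mtu)(void);
};

/* Emulation of the plugin's effect: the ordinary name of the type is const. */
typedef const struct xmit_ops xmit_ops_t;
/* Emulation of a "__no_const" alias: same layout, writable, used sparingly. */
typedef struct xmit_ops xmit_ops_no_const;

/* A device only ever holds a pointer to a const table. */
struct device { xmit_ops_t *ops; };

static int real_xmit(int len) { return len; }
static int real_mtu(void)     { return 1500; }

/* Build-time table: fully initialised here and never written again, so it
 * can stay const (and be placed in read-only data). */
static xmit_ops_t g_real_ops = { real_xmit, real_mtu };

/* Run-time table: a copy of the device's table with one member replaced.
 * Only this one object is declared with the writable alias. */
struct override {
    xmit_ops_no_const Ops;
    xmit_ops_t       *pOrgOps;
};

static int g_filtered;             /* frames that went through the filter */
static struct override *g_active;  /* override currently installed, if any */

static int filter_xmit(int len)
{
    g_filtered++;
    return g_active->pOrgOps->start_xmit(len);  /* forward to the original */
}

void device_init(struct device *dev) { dev->ops = &g_real_ops; }
int  device_send(struct device *dev, int len) { return dev->ops->start_xmit(len); }
int  uses_const_table(const struct device *dev) { return dev->ops == &g_real_ops; }
int  filtered_count(void) { return g_filtered; }

int hook_dev(struct device *dev, struct override *ovr)
{
    if (dev == NULL || ovr == NULL || dev->ops == NULL)
        return -1;
    ovr->pOrgOps = dev->ops;
    /* With Ops declared as xmit_ops_t, the next two lines are what gcc
     * rejects with "assignment of read-only member 'Ops'". */
    ovr->Ops = *dev->ops;
    ovr->Ops.start_xmit = filter_xmit;
    g_active = ovr;
    dev->ops = &ovr->Ops;   /* writable -> const pointer: implicit, no cast */
    return 0;
}

int unhook_dev(struct device *dev, struct override *ovr)
{
    if (dev == NULL || ovr == NULL || dev->ops != &ovr->Ops)
        return -1;          /* this override is not the installed table */
    dev->ops = ovr->pOrgOps;
    g_active = NULL;
    return 0;
}

int main(void)
{
    struct device dev;
    struct override ovr;

    device_init(&dev);
    printf("const table in use: %d\n", uses_const_table(&dev));
    hook_dev(&dev, &ovr);
    printf("sent %d bytes, filtered %d frame(s)\n",
           device_send(&dev, 100), filtered_count());
    unhook_dev(&dev, &ovr);
    printf("const table in use: %d\n", uses_const_table(&dev));
    return 0;
}
```

Changing the type of `Ops` to `xmit_ops_t` reproduces the class of error quoted in the thread; the writable alias removes it for that one object while `g_real_ops` stays const.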

Re: virtualbox modules do not compile with gcc constify plug

Postby zkutch » Sat Sep 24, 2011 8:07 pm

Hi,
again and again a problem, now with the 3.0.4 Linux kernel and grsecurity-2.2.2-3.0.4-201109240842.patch.

The log contains the following:

DKMS make.log for vboxhost-4.1.2 for kernel 3.0.4-grsec (x86_64)
Sun Sep 25 02:45:50 GET 2011
make: Entering directory `/usr/src/linux-3.0.4'
LD /var/lib/dkms/vboxhost/4.1.2/build/built-in.o
LD /var/lib/dkms/vboxhost/4.1.2/build/vboxdrv/built-in.o
CC [M] /var/lib/dkms/vboxhost/4.1.2/build/vboxdrv/linux/SUPDrv-linux.o
CC [M] /var/lib/dkms/vboxhost/4.1.2/build/vboxdrv/SUPDrv.o
/var/lib/dkms/vboxhost/4.1.2/build/vboxdrv/SUPDrv.c: In function ‘supdrvIDC_LdrGetSymbol’:
/var/lib/dkms/vboxhost/4.1.2/build/vboxdrv/SUPDrv.c:4345:17: error: assignment of member ‘pfnSymbol’ in read-only object
/var/lib/dkms/vboxhost/4.1.2/build/vboxdrv/SUPDrv.c:4376:21: error: assignment of member ‘pfnSymbol’ in read-only object
make[2]: *** [/var/lib/dkms/vboxhost/4.1.2/build/vboxdrv/SUPDrv.o] Error 1
make[1]: *** [/var/lib/dkms/vboxhost/4.1.2/build/vboxdrv] Error 2
make: *** [_module_/var/lib/dkms/vboxhost/4.1.2/build] Error 2
make: Leaving directory `/usr/src/linux-3.0.4'


Maybe somebody has any ideas?
zkutch
 
Posts: 1
Joined: Sat Sep 24, 2011 7:56 pm

Re: virtualbox modules do not compile with gcc constify plug

Postby PaX Team » Mon Sep 26, 2011 12:27 pm

PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: virtualbox modules do not compile with gcc constify plug

Postby Pryka » Sun Oct 23, 2011 4:31 pm

Hello, I applied virtualbox-modules-4.1.2-pax-const.patch but I am still getting an error like boris64, but with the vboxpci.ko file.

Maybe I am patching the wrong file? Dunno...
Pryka
 
Posts: 8
Joined: Sun Jun 26, 2011 1:26 pm

Re: virtualbox modules do not compile with gcc constify plug

Postby PaX Team » Tue Oct 25, 2011 1:21 pm

Pryka wrote:
Hello I applied virtualbox-modules-4.1.2-pax-const.patch but still getting an error like boris64 but with vboxpci.ko file

what's the exact error you get? the patch works for me fine (there's one for 4.1.4 now as well btw).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: virtualbox modules do not compile with gcc constify plug

Postby specs » Wed Oct 26, 2011 7:54 am

On the possibility that the problem is unrelated, I am posting my findings on virtualbox here (4.1.4 with the paxguy-patches):

Compilation works well.
Code: Select all
$ diff config-3.0.8 ../linux-3.0.8vb/.config
48a49
> CONFIG_X86_32_LAZY_GS=y
374a376
> # CONFIG_CC_STACKPROTECTOR is not set
2422c2424
< CONFIG_PAX_MEMORY_UDEREF=y
---
> # CONFIG_PAX_MEMORY_UDEREF is not set


Note: I saw no difference with the stack-protector enabled or disabled.
Pageexec has been disabled using paxctl.

When starting virtualbox everything works well, but when building a new system (after selecting an installation image):
Code: Select all
grsec: denied resource overstep by requesting 20 for RLIMIT_NICE against limit 0 for /usr/lib/virtualbox/VBoxXPCOMIPCD[VBoxXPCOMIPCD:4047] uid/euid:1003/1003 gid/egid:1003/1003, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: more alerts, logging disabled for 10 seconds
PAX: suspicious general protection fault: 0000 [#1] SMP
Modules linked in: fbcon font bitblit softcursor binfmt_misc fuse vboxpci vboxnetflt vboxnetadp vboxdrv 8021q garp stp llc thermal smsc47m192 hwmon_vid vfat fat ipv6 lp af_packet i915 drm_kms_helper drm fb fbdev i2c_algo_bit cfbcopyarea video backlight cfbimgblt cfbfillrect usbhid snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_seq snd_timer r8169 snd_seq_device snd bitrev uhci_hcd i2c_i801 evdev i2c_core ehci_hcd soundcore crc32 mii usbcore snd_page_alloc parport_pc parport button processor unix

Pid: 4102, comm: VirtualBox Not tainted 3.0.8-201110250925-2-vb+ #2                  /D945GCLF2
EIP: 0060:[<002df076>] EFLAGS: 00210286 CPU: 2
EAX: c14e2260 EBX: f8561010 ECX: c14e31d0 EDX: c14e31e0
ESI: c14cd020 EDI: 00000000 EBP: f664ba50 ESP: f3d53e54
 DS: 0068 ES: 0068 FS: 00d8 GS: 0033 SS: 0068
Process VirtualBox (pid: 4102, ti=f5af4e48 task=f5af4bf0 task.ti=f5af4e48)
Stack:
 000025d8 00000163 f664ba50 ffffffff f8561060 f8561060 002e2aef ffff4111
 f3d53e8c 00000000 b08d5000 b08d5000 b0845008 002db384 00005604 f850c5e4
 f5f61010 f8561010 b08d4777 f8561010 b0845000 0008f770 00005604 f4365b40
Call Trace:
 [<000025d8>] ? sched_clock_data+0x18/0x1b
 [<002e2aef>] ? rtR0MemAllocEx+0x12a/0x155 [vboxdrv]
 [<002db384>] ? VBoxDrvLinuxIOCtl+0x212/0x325 [vboxdrv]
 [<00005604>] ? init_new_context+0xa4/0x11f
 [<0008f770>] ? do_last.clone.22+0x401/0x6bd
 [<00005604>] ? init_new_context+0xa4/0x11f
 [<0008f770>] ? do_last.clone.22+0x401/0x6bd
 [<002db172>] ? SUPR0Printf+0x49/0x49 [vboxdrv]
 [<000920a4>] ? do_vfs_ioctl+0x619/0x678
 [<00005604>] ? init_new_context+0xa4/0x11f
 [<00005604>] ? init_new_context+0xa4/0x11f
 [<00092148>] ? sys_ioctl+0x45/0x69
 [<00303170>] ? fbcon_redraw_blit.clone.18+0xb/0x146 [fbcon]
 [<0008f720>] ? do_last.clone.22+0x3b1/0x6bd
 [<00223af2>] ? syscall_call+0x7/0xb
 [<00005604>] ? init_new_context+0xa4/0x11f
 [<000865a0>] ? sget+0x2bf/0x2ff
 [<0008f720>] ? do_last.clone.22+0x3b1/0x6bd
 [<00200292>] ? udp_sendmsg+0x518/0x6ab
 [<00019062>] ? vmalloc_sync_all+0x1/0x1
 [<00210246>] ? __lro_proc_segment.clone.3+0x21e/0x291
 [<00200293>] ? udp_sendmsg+0x519/0x6ab
Code: 39 f7 75 63 8b 74 24 3c 39 4e 1c 75 5a 39 56 20 75 55 39 46 24 75 50 e9 56 13 00 00 8b 7c 24 08 8b 43 20 89 47 2c e9 47 13 00 00 <ff> d0 85 c0 89 c5 0f 84 4a 13 00 00 8b 54 24 3c 8b 4c 24 08 8b
EIP: [<002df076>] supdrvIOCtl+0xd95/0x2132 [vboxdrv] SS:ESP 0068:f3d53e54
---[ end trace 3287493170030d36 ]---
grsec: banning user with uid 1003 until system restart for suspicious kernel crash

While everything compiles fine and the binaries execute, not everything is working well.
Perhaps it would work with an existing image.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: virtualbox modules do not compile with gcc constify plug

Postby PaX Team » Wed Oct 26, 2011 11:41 am

specs wrote:
Code: Select all
> # CONFIG_PAX_MEMORY_UDEREF is not set
vbox's own module loader isn't compatible with KERNEXEC/i386, i think it was already discussed here on the forums in the past ;).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: virtualbox modules do not compile with gcc constify plug

Postby specs » Wed Oct 26, 2011 1:29 pm

I see. In the thread "Re: Virtualbox & kernel 2.6.37-grsec - is possible?" you mentioned:
yes, vbox does things that are simply not compatible with these features and only they can fix them properly (which is unlikely to happen given the amount of work required, at least for KERNEXEC/i386).


Earlier in the thread "Re: Virtualbox with grsec" you were not so clear:
i thought i'd fixed up KERNEXEC/KVM a while ago and that combo should work. are you having a problem with the latest .29.x versions still? if so, i'd appreciate more details.
(quotes added just in case someone searches the problem again.)

With the earlier comment in mind I just assumed it was possible to use KERNEXEC and disable a few paxctl options. Too much wishful thinking :wink:
Thanks for your help, the virtual environment is now installing.

The current diff:
Code: Select all
48a49
> CONFIG_X86_32_LAZY_GS=y
374a376
> # CONFIG_CC_STACKPROTECTOR is not set
2382d2383
< CONFIG_PAX_PER_CPU_PGD=y
2406,2407c2407
< CONFIG_PAX_KERNEXEC=y
< CONFIG_PAX_KERNEXEC_MODULE_TEXT=4
---
> # CONFIG_PAX_KERNEXEC is not set
2422c2422
< CONFIG_PAX_MEMORY_UDEREF=y
---
> # CONFIG_PAX_MEMORY_UDEREF is not set
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

