grsec and nvidia (310.19)


Postby franz » Sun Nov 25, 2012 2:18 pm

Hi,

need help to successfully compile the nvidia module.
Using kernel 3.6.7 and grsecurity-2.9.1-3.6.7-201211221000.patch
Nvidia driver package: NVIDIA-Linux-x86_64-310.19-no-compat32.run ftp://download.nvidia.com/XFree86/

Suspect that the error is related to earlier findings in forum thread http://forums.grsecurity.net/viewtopic.php?f=3&t=2626&hilit=nvidia and http://forums.grsecurity.net/viewtopic.php?f=3&t=2716&hilit=nvidia&start=30#p11305

Error so far:
/usr/src/linux-3.6.7-4-grsec/arch/x86/include/asm/uaccess_64.h: In function ‘copy_from_user’:
/usr/src/linux-3.6.7-4-grsec/arch/x86/include/asm/uaccess_64.h:80:6: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
/usr/src/linux-3.6.7-4-grsec/arch/x86/include/asm/uaccess_64.h: In function ‘copy_to_user’:
/usr/src/linux-3.6.7-4-grsec/arch/x86/include/asm/uaccess_64.h:95:6: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
/var/abs/local/nvidia-bumblebee/src/NVIDIA-Linux-x86_64-310.19-no-compat32/kernel/nv-procfs.c: In function ‘nv_register_procfs’:
/var/abs/local/nvidia-bumblebee/src/NVIDIA-Linux-x86_64-310.19-no-compat32/kernel/nv-procfs.c:529:5: error: assignment of member ‘read’ in read-only object
/var/abs/local/nvidia-bumblebee/src/NVIDIA-Linux-x86_64-310.19-no-compat32/kernel/nv-procfs.c:530:5: error: assignment of member ‘write’ in read-only object
make[3]: *** [/var/abs/local/nvidia-bumblebee/src/NVIDIA-Linux-x86_64-310.19-no-compat32/kernel/nv-procfs.o] Error 1
make[2]: *** [_module_/var/abs/local/nvidia-bumblebee/src/NVIDIA-Linux-x86_64-310.19-no-compat32/kernel] Error 2
NVIDIA: left KBUILD.
nvidia.ko failed to build!
make[1]: *** [module] Error 1
make: *** [module] Error 2


It does run and compile fine when not using grsec.
Laptop I'm using has a NVIDIA Corporation GF108GLM [Quadro 1000M] (Optimus) card and I cannot find a way to use dual screens without the nvidia driver but also want to run grsec at the same time.

Any suggestion?

/franz
franz
 
Posts: 21
Joined: Mon Aug 09, 2010 3:32 am

Re: grsec and nvidia (310.19)

Postby PaX Team » Sun Nov 25, 2012 2:34 pm

did you apply my patches?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grsec and nvidia (310.19)

Postby franz » Sun Nov 25, 2012 2:38 pm

Hi

if you are talking about the one mentioned in http://forums.grsecurity.net/viewtopic.php?f=3&t=2716&hilit=nvidia&start=30#p11305, no.
Was not sure if that one is meant to be used with my version, but I can give it a try if you think that the issue is still the same.

/franz
franz
 
Posts: 21
Joined: Mon Aug 09, 2010 3:32 am

Re: grsec and nvidia (310.19)

Postby PaX Team » Sun Nov 25, 2012 2:44 pm

it's the same problem. also apply the other patch for USERCOPY, they're all in my homedir.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grsec and nvidia (310.19)

Postby franz » Sun Nov 25, 2012 4:03 pm

Patches are working, driver loads successfully after build.

I do not have any "grsec/policy" set yet but am not able to run any test, as Xorg fails to execute libglx.so.310.19
My kernel has this set: CONFIG_PAX_USERCOPY=y
Do I have to create a policy before this will work?


[ 5905.273717] grsec: denied RWX mmap of /usr/lib/nvidia-bumblebee/xorg/modules/extensions/libglx.so.310.19 by /usr/bin/Xorg[Xorg:7845] uid/euid:0/0 gid/egid:998/998, parent /usr/sbin/bumblebeed[bumblebeed:7686] uid/euid:0/0 gid/egid:998/998


Have changed permissions on it just to make a test, but it did not help:
[root@host ~]# paxctl -v /usr/lib/nvidia-bumblebee/xorg/modules/extensions/libglx.so.310.19
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-x-e-r [/usr/lib/nvidia-bumblebee/xorg/modules/extensions/libglx.so.310.19]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is disabled


[root@host ~]# modinfo nvidia
filename:       /lib/modules/3.6.7-4-grsec/extramodules/nvidia.ko
alias:          char-major-195-*
version:        310.19
supported:      external
license:        NVIDIA
alias:          pci:v000010DEd00000E00sv*sd*bc04sc80i00*
alias:          pci:v000010DEd00000AA3sv*sd*bc0Bsc40i00*
alias:          pci:v000010DEd*sv*sd*bc03sc02i00*
alias:          pci:v000010DEd*sv*sd*bc03sc00i00*
depends:        i2c-core
vermagic:       3.6.7-4-grsec SMP preempt mod_unload modversions REFCOUNT CONSTIFY_PLUGIN STACKLEAK_PLUGIN GRSEC
parm:           NVreg_Mobile:int
parm:           NVreg_ResmanDebugLevel:int
parm:           NVreg_RmLogonRC:int
parm:           NVreg_ModifyDeviceFiles:int
parm:           NVreg_DeviceFileUID:int
parm:           NVreg_DeviceFileGID:int
parm:           NVreg_DeviceFileMode:int
parm:           NVreg_RemapLimit:int
parm:           NVreg_UpdateMemoryTypes:int
parm:           NVreg_InitializeSystemMemoryAllocations:int
parm:           NVreg_RMEdgeIntrCheck:int
parm:           NVreg_UsePageAttributeTable:int
parm:           NVreg_EnableMSI:int
parm:           NVreg_MapRegistersEarly:int
parm:           NVreg_RegisterForACPIEvents:int
parm:           NVreg_CheckPCIConfigSpace:int
parm:           NVreg_RegistryDwords:charp
parm:           NVreg_RmMsg:charp


/franz
franz
 
Posts: 21
Joined: Mon Aug 09, 2010 3:32 am

Re: grsec and nvidia (310.19)

Postby PaX Team » Sun Nov 25, 2012 4:10 pm

nvidia's GL implementation wants to do runtime codegen so you'll have to allow that, that is, disable MPROTECT on all the affected executables (and not the libraries).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
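
Added example (not part of any post in this thread): the advice above is to relax MPROTECT on the executable that maps the library, not on the library itself. This sketch pulls the executable path out of grsec "denied RWX mmap" lines, using the log line posted earlier in the thread as constructed sample input, and prints the matching `paxctl -m` command for review; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample input: the denial line from the thread plus one unrelated line.
sample_log() {
cat <<'EOF'
[ 5905.273717] grsec: denied RWX mmap of /usr/lib/nvidia-bumblebee/xorg/modules/extensions/libglx.so.310.19 by /usr/bin/Xorg[Xorg:7845] uid/euid:0/0 gid/egid:998/998, parent /usr/sbin/bumblebeed[bumblebeed:7686] uid/euid:0/0 gid/egid:998/998
[ 5905.300000] usb 1-1: new high-speed USB device number 4 using ehci_hcd
EOF
}

# Read kernel log lines on stdin and print each executable (the path after
# " by ", before "[comm:pid]") that was denied an RWX mmap. The mapped file,
# here libglx.so, is deliberately ignored: PaX flags are taken from the
# executable, so marking the library changes nothing.
rwx_denied_exes() {
    sed -n 's|^.*grsec: denied RWX mmap of .* by \(/[^[]*\)\[[^]]*\] uid/euid:.*$|\1|p' |
        sort -u
}

# Turn the executable list into paxctl commands. They are only printed, so
# each one can be reviewed before MPROTECT is relaxed on that binary.
paxctl_plan() {
    rwx_denied_exes | while IFS= read -r exe; do
        printf 'paxctl -m %s\n' "$exe"
    done
}

# Demo on the sample; on a live system use: dmesg | paxctl_plan
sample_log | paxctl_plan
```

After applying a printed command, `paxctl -v` on the same executable should report MPROTECT as disabled, in the same format as the output shown earlier in the thread.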

Re: grsec and nvidia (310.19)

Postby x14sg1 » Fri Jan 18, 2013 12:53 am

After re-reading this thread, our problems are not the same - my compiles work but Xorg cores unless I compile the way I talk about below.

Sorry for hijacking this thread
-----------
I have also had this problem for some time (with nvidia version 300+)

I have written a script that allows me to compile nvidia kernel modules for all kernels I have a source tree for.

Just tonight, I figured out that I can use this script while running a non-grsec kernel to get a valid nvidia install for grsec kernels.

If I am remembering correctly, the grsec error I see while trying to compile nvidia while running a grsec kernel occurs in an intermediate nvidia executable run from /tmp. I will try to duplicate the error tomorrow.

Because of this (or if this is not the cause of this problem), I am not sure what executables to disable MPROTECT on to try to fix this. Any suggestions?


I am seeing this on an Intel(R) Atom(TM) CPU N280 @ 1.66GHz/NVIDIA ION

I am curious what CPU/Graphics card you are using.
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: grsec and nvidia (310.19)

Postby franz » Mon Jan 28, 2013 1:02 pm

Hi,

the card was "NVIDIA Corporation GF108GLM [Quadro 1000M]" (Optimus)
just borrowed the laptop back then and never managed to have the driver running under grsec.

/franz
franz
 
Posts: 21
Joined: Mon Aug 09, 2010 3:32 am

Re: grsec and nvidia (310.19)

Postby x14sg1 » Tue Jan 29, 2013 11:19 pm

The executables that "Pax Team" is referring to seem to be generated during the compile and you can't get to them with paxctl to fix them.

The problem for me was that /usr/lib/tls/libnvidia-tls.so.XXX.XX but the build says
it succeeded.

If you install the driver with a non-grsec kernel and then generate the grsec kernel module from the same non-grsec kernel (I have a script that does this), NVIDIA will then work with a grsec kernel.
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

