Pb compressing kernels with UPX & 1.9.9g patch


Post by jnilo » Sun Apr 27, 2003 4:43 am

My embedded distro uses a 2.4.20 kernel with grsecurity patch. The kernel is compressed with UPX.
http://upx.sf.net
http://leaf.sf.net/devel/jnilo
The 2.4.20 kernel + 1.9.9e grsecurity patch compresses OK,
but
the 2.4.20 kernel + 1.9.9g grsecurity patch does not want to be compressed. I get:

debian:/tmp/upx-1.90-linux# ./upx --best -o linux.upx /usr/src/linux/arch/i386/boot/bzImage
Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.90 Markus F.X.J. Oberhumer & Laszlo Molnar Nov 11th 2002

File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: /usr/src/linux/arch/i386/boot/bzImage: CantPackException: unrecognized kernel architecture; use option `-f' to force packing

Packed 1 file: 0 ok, 1 error.

If I force the compression, the Linux kernel seems to start decompression OK, but I get a reboot at the end of the initrd loading process.
Since I cannot find the 1.9.9f patch anymore, I do not know when the problem started.
Any idea of what is happening?
Jacques

Re: Pb compressing kernels with UPX & 1.9.9g patch

Post by PaX Team » Sun Apr 27, 2003 8:13 am

jnilo wrote: The 2.4.20 kernel + 1.9.9e grsecurity patch compress OK
but The 2.4.20 kernel + 1.9.9g grsecurity patch does not want to be compressed.
what happened in-between is KERNEXEC ;-), a new feature in PaX that implements non-executable kernel pages and for that i had to reorganize the kernel memory layout a bit. as a side effect of this, the entry point of the decompressed kernel is no longer a hardcoded address and that's where the UPX decompressor stub goes wrong. the fix is simple, i'll email the authors and hopefully the next release will work fine.

Re: Pb compressing kernels with UPX & 1.9.9g patch

Post by PaX Team » Mon Apr 28, 2003 7:07 pm

PaX Team wrote: the fix is simple, i'll email the authors and hopefully the next release will work fine.
ok, after some discussion i've fixed it in PaX instead (and tested it with UPX). the code is in the CVS already and i guess Brad will soon import it into grsecurity as well.

Post by jnilo » Tue Apr 29, 2003 5:31 pm

Great! I was a bit afraid to have to wait for a UPX evolution since development appears to be somewhat slower than grsec...
Would it be possible to send me offlist the patch to be applied to grsecurity 1.9.9g to have UPX working?
jnilo at users dot sf dot net
Thanks again!
Jacques

Post by PaX Team » Tue Apr 29, 2003 5:55 pm

jnilo wrote: Would it be possible to send me offlist the patch to be applied to grsecurity 1.9.9g to have UPX working?
better, you can grab it from cvsweb: http://cvsweb.grsecurity.net/index.cgi/grsecurity/arch/i386/boot/compressed/head.S.diff?r2=1.3&r1=1.2&f=u and http://cvsweb.grsecurity.net/index.cgi/grsecurity/arch/i386/vmlinux.lds.S.diff?r2=1.3&r1=1.2&f=u

Post by jnilo » Wed Apr 30, 2003 1:21 am

OK. Thanks a lot !
Jacques

Post by jnilo » Wed Apr 30, 2003 9:52 am

OK, I tested those two patches on top of 2.4.20 + grsecurity 1.9.9g.
They work great.
Just one thing to mention for the record of this thread:
You have to use the force option (-f) with upx 1.90 since the kernel is not recognized by upx as a linux kernel anymore.
But it will compress and decompress OK.
Thanks again
Jacques

Post by PaX Team » Wed Apr 30, 2003 10:30 am

jnilo wrote: You have to use the force option (-f) with upx 1.90 since the kernel is not recognized by upx as a linux kernel anymore.
a short explanation: what UPX does for kernel recognition is that it checks the first two bytes of the kernel image which are part of some i386 instructions and they are different under PaX (cld/mov eax vs. jmp far). technically i could have copied these over and not force users to use -f with UPX, but it's probably better to not enter this 'who fools who' game and let the UPX guys add an extra check in the future or find a better way for checking the kernel image.
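
The two-byte recognition check described in the last post, sketched as an added example (not code from this thread, from UPX, or from PaX) that tells you up front whether a packer relying on that check would demand -f. Assumptions: the bytes inspected are the first bytes of the gzip payload embedded in the bzImage; 0xFC, 0xB8 and 0xEA are the standard i386 opcodes for cld, mov eax,imm32 and jmp far; all function names and the sample images are constructed for illustration.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"                     # gzip header, deflate method
CLD, MOV_EAX_IMM32, JMP_FAR = 0xFC, 0xB8, 0xEA   # standard i386 opcodes


def extract_payload(image: bytes) -> bytes:
    """Decompress the first valid gzip member embedded in a bzImage-style blob."""
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        try:
            # wbits=31 selects gzip framing; trailing bytes after the member are ignored
            return zlib.decompressobj(31).decompress(image[pos:])
        except zlib.error:
            pos = image.find(GZIP_MAGIC, pos + 1)  # false magic hit, keep scanning
    raise ValueError("no gzip payload found")


def classify_entry(payload: bytes) -> str:
    """Name the instruction pattern at the start of the decompressed kernel."""
    if len(payload) < 2:
        return "too-short"
    if payload[0] == CLD and payload[1] == MOV_EAX_IMM32:
        return "cld/mov-eax"   # the pattern a two-byte check would accept
    if payload[0] == JMP_FAR:
        return "jmp-far"       # the entry the thread describes under PaX
    return "unknown"


def needs_force(image: bytes) -> bool:
    """True when a two-byte recognition check would reject the image."""
    return classify_entry(extract_payload(image)) != "cld/mov-eax"


def build_sample_image(entry: bytes) -> bytes:
    """Constructed test image: padding, a false gzip magic, then the real payload."""
    stub = b"\x00" * 512 + GZIP_MAGIC + b"\xff" * 8
    return stub + gzip.compress(entry + b"\x90" * 64) + b"\x00" * 16


# Constructed entry bytes (operands are placeholders, not taken from a real kernel)
SAMPLE_STOCK_ENTRY = bytes([CLD, MOV_EAX_IMM32, 0x18, 0x00, 0x00, 0x00])
SAMPLE_PAX_ENTRY = bytes([JMP_FAR, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00])

if __name__ == "__main__":
    for name, entry in (("stock", SAMPLE_STOCK_ENTRY), ("pax", SAMPLE_PAX_ENTRY)):
        img = build_sample_image(entry)
        print(name, classify_entry(extract_payload(img)), "force needed:", needs_force(img))
```

A first-bytes signature like this identifies a code pattern, not a file format, so any change to the kernel's entry sequence defeats it even though the image is still a valid kernel.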

