error while building kernel 2.4.21 with High security level

Postby gkweb » Sun Jul 13, 2003 6:48 pm

When I built it with the preconfigured "Medium" security level, all was fine: "System is 881 bytes".
But when I built it with "High" security, the kernel at the end is only 13 bytes and obviously unbootable.

I tried with the latest CVS version and I think that it successfully updated the path grsecurity (I followed the steps shown on the website), but at worst, if I failed, it was version 2.0-rc1 (link on the website).

My kernel is 2.4.21 on Mandrake 8.1, on an i686 system (AMD Athlon Thunderbird 1GHz), and before grsecurity I applied some NetFilter patches (like the "recent" and "psd" modules, and a few more).

How can I build my kernel successfully with "High" security mode?

regards,

gkweb.
gkweb
 
Posts: 16
Joined: Sun Jul 13, 2003 12:45 pm

Re: error while building kernel 2.4.21 with High security le

Postby PaX Team » Sun Jul 13, 2003 9:05 pm

gkweb wrote: How can I build my kernel successfully with "High" security mode?
if you disabled module support, High mode enabled KERNEXEC and that doesn't work with obsolete ld versions, like v2.11, you'll need 2.13 or newer. ld -v will tell you what you have.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby gkweb » Mon Jul 14, 2003 6:48 am

I have "ld 2.11.90.0.8", and module support is indeed disabled.

I'm looking at the latest GNU binutils, and I will report the result here. Thanks for the answer :)

regards,

gkweb.

Postby gkweb » Mon Jul 14, 2003 7:58 am

Failed again.

This time I used "ld 2.13.1" and "make 3.80", and the kernel at the end is again 13 bytes.

What does it mean? Is "ld" not correctly installed? Or is the problem something else?

regards,

gkweb.

Postby gkweb » Mon Jul 14, 2003 12:04 pm

I thought it was my gcc version 2.96, so I downloaded, built, and installed gcc 3.3 stable, and now I can't even compile the kernel: I type make bzImage and I get an error 5s later...

Can you tell me all the right packages that I need, please? :cry:

Postby gkweb » Mon Jul 14, 2003 3:44 pm

I found how to at least build my kernel as usual (with gcc 3.3):

make bzImage CC=/usr/local/bin/gcc

but again I get "System is 13kB" (not "bytes", sorry).

So I tried:

make bzImage CC=/usr/local/bin/gcc LD=/usr/local/bin/ld

(path of my ld v2.13.1) and again the "High" security mode of grsecurity ended with the same error.
I tried all that I can, but it doesn't want to build correctly. Do you have any other idea that I could test?

regards,

gkweb.

Postby PaX Team » Mon Jul 14, 2003 7:33 pm

gkweb wrote: I tried all that I can, but it doesn't want to build correctly. Do you have any other idea that I could test?
first of all, the recommended kernel compiler is (still) 2.95.3. second, are you sure that the correct ld version is used for linking (best is when you have no other versions lurking around of course)? the thing is, ld 2.13 (and 2.14) worked fine for me so far, i can't imagine what else can go wrong. can you perhaps paste the precise error messages you get at the end of the kernel build process?

Postby gkweb » Mon Jul 14, 2003 8:33 pm

make bzImage CC=/usr/local/bin/gcc LD=/usr/local/bin/ld

LAST PART OF BUILDING
##############################
/usr/local/bin/ld -T /usr/src/linux-2.4.21/arch/i386/vmlinux.lds -e stext arch/i386/kernel/head.o arch/i386/kernel/init_task.o init/main.o init/version.o init/do_mounts.o \
--start-group \
arch/i386/kernel/kernel.o arch/i386/mm/mm.o kernel/kernel.o mm/mm.o fs/fs.o ipc/ipc.o \
drivers/char/char.o drivers/block/block.o drivers/misc/misc.o drivers/net/net.o drivers/ide/idedriver.o drivers/cdrom/driver.o drivers/pci/driver.o drivers/video/video.o drivers/usb/usbdrv.o drivers/media/media.o \
net/network.o \
grsecurity/grsec.o \
/usr/src/linux-2.4.21/arch/i386/lib/lib.a /usr/src/linux-2.4.21/lib/lib.a /usr/src/linux-2.4.21/arch/i386/lib/lib.a \
--end-group \
-o vmlinux
nm vmlinux | grep -v '\(compiled\)\|\(\.o$\)\|\( [aUw] \)\|\(\.\.ng$\)\|\(LASH[RL]DI\)' | sort > System.map
make[1]: Entering directory `/usr/src/linux-2.4.21/arch/i386/boot'
/usr/local/bin/gcc -E -D__KERNEL__ -I/usr/src/linux-2.4.21/include -D__BIG_KERNEL__ -traditional -DSVGA_MODE=NORMAL_VGA bootsect.S -o bbootsect.s
bootsect.S:237: attention : éléments lexicaux superflus à la fin de la directive #ifdef
as -o bbootsect.o bbootsect.s
bbootsect.s: Assembler messages:
bbootsect.s:232: Warning: indirect lcall without `*'
/usr/local/bin/ld -Ttext 0x0 -s --oformat binary bbootsect.o -o bbootsect
/usr/local/bin/gcc -E -D__KERNEL__ -I/usr/src/linux-2.4.21/include -D__BIG_KERNEL__ -D__ASSEMBLY__ -traditional -DSVGA_MODE=NORMAL_VGA setup.S -o bsetup.s
as -o bsetup.o bsetup.s
bsetup.s: Assembler messages:
bsetup.s:1335: Warning: indirect lcall without `*'
/usr/local/bin/ld -Ttext 0x0 -s --oformat binary -e begtext -o bsetup bsetup.o
make[2]: Entering directory `/usr/src/linux-2.4.21/arch/i386/boot/compressed'
tmppiggy=_tmp_$$piggy; \
rm -f $tmppiggy $tmppiggy.gz $tmppiggy.lnk; \
objcopy -O binary -R .note -R .comment -S /usr/src/linux-2.4.21/vmlinux $tmppiggy; \
gzip -f -9 < $tmppiggy > $tmppiggy.gz; \
echo "SECTIONS { .data : { input_len = .; LONG(input_data_end - input_data) input_data = .; *(.data) input_data_end = .; }}" > $tmppiggy.lnk; \
/usr/local/bin/ld -r -o piggy.o -b binary $tmppiggy.gz -b elf32-i386 -T $tmppiggy.lnk; \
rm -f $tmppiggy $tmppiggy.gz $tmppiggy.lnk
BFD: Warning: Writing section `.text.startup' to huge (ie negative) file offset 0xc0100000.
BFD: Warning: Writing section `.data' to huge (ie negative) file offset 0xc0100040.
BFD: Warning: Writing section `.data.cacheline_aligned' to huge (ie negative) file offset 0xc013b440.
BFD: Warning: Writing section `.data.init_task' to huge (ie negative) file offset 0xc013c000.
BFD: Warning: Writing section `.data.page_aligned' to huge (ie negative) file offset 0xc013e000.
BFD: Warning: Writing section `.bss' to huge (ie negative) file offset 0xc0143000.
BFD: Warning: Writing section `.data.init' to huge (ie negative) file offset 0xc0179000.
BFD: Warning: Writing section `.setup.init' to huge (ie negative) file offset 0xc017b060.
BFD: Warning: Writing section `.initcall.init' to huge (ie negative) file offset 0xc017b178.
BFD: Warning: Writing section `.text.init' to huge (ie negative) file offset 0xc017b2a8.
BFD: Warning: Writing section `.rodata.page_aligned' to huge (ie negative) file offset 0xc057e000.
BFD: Warning: Writing section `.rodata' to huge (ie negative) file offset 0xc057e800.
BFD: Warning: Writing section `__ex_table' to huge (ie negative) file offset 0xc05ba2b0.
objcopy: _tmp_7037piggy: File truncated
/usr/local/bin/gcc -D__ASSEMBLY__ -D__KERNEL__ -I/usr/src/linux-2.4.21/include -traditional -c head.S
/usr/local/bin/gcc -D__KERNEL__ -I/usr/src/linux-2.4.21/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=athlon -DKBUILD_BASENAME=misc -c misc.c
/usr/local/bin/ld -Ttext 0x100000 -e startup_32 -o bvmlinux head.o misc.o piggy.o
make[2]: Leaving directory `/usr/src/linux-2.4.21/arch/i386/boot/compressed'
gcc -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -o tools/build tools/build.c -I/usr/src/linux-2.4.21/include
objcopy -O binary -R .note -R .comment -S compressed/bvmlinux compressed/bvmlinux.out
tools/build -b bbootsect bsetup compressed/bvmlinux.out CURRENT > bzImage
Root device is (3, 1)
Boot sector 512 bytes.
Setup is 2524 bytes.
System is 13 kB
make[1]: Leaving directory `/usr/src/linux-2.4.21/arch/i386/boot'
[root@FIREWALL linux-2.4.21]#
############################
END OF BUILDING

I'm not sure I have only one "ld". I just downloaded binutils 2.13.1 and installed it; I thought that "ld" would be overwritten.
But "/usr/local/bin/ld -v" gives me "2.13.1".

I just downloaded 2.14 (but have not installed it). If you want, I can install it and try again.
Or maybe I have to clean up all "ld" versions before reinstalling it, but I don't know which directory I have to delete.

regards,

gkweb.


EDIT: the full log is available here http://perso.wanadoo.fr/jugesoftware/LOG.txt (but warnings and errors were printed on screen, not logged).

Postby PaX Team » Tue Jul 15, 2003 10:16 am

gkweb wrote: I'm not sure I have only one "ld". I just downloaded binutils 2.13.1 and installed it; I thought that "ld" would be overwritten.
But "/usr/local/bin/ld -v" gives me "2.13.1".
when you say you installed binutils, did you compile it yourself or rather got a binary package? i'm asking it because the symptoms you showed are those of an outdated ld (libbfd) version, and i can imagine that a binary package may have been incorrectly linked whereas if you compile it yourself, you should get the proper version of bfd. if nothing else works, contact me by email and i'll send you my ld.

Postby gkweb » Tue Jul 15, 2003 3:04 pm

I received your version by mail, which was <1MB while mine is >2.8MB :o
but same error :-?
I'm really embarrassed because I have never had this kind of problem, and I would really like to find the solution quickly to avoid taking too much of your time.

There is obviously something wrong on my system, maybe too old a glibc?
I have never had trouble building sources, but for High security it doesn't work. I even tried with the stable version of grsecurity 1.9 from the website, but the same error again.
Each time I tried to build it I was running on the "Medium" security level (builds well and runs well). Maybe there are restrictions which prevent building or linking files?

The base Linux on my system is Mandrake 8.1; since then I have built a lot of stuff myself, but never updated all of binutils, gcc, glibc, etc...

For now I have:
make 3.80
gcc 3.3
binutils 2.14 (ld 2.14)
grsecurity patch 2.0-rc1 (medium level)

I tried untarring kernel-2.4.21 and patching it with grsecurity without my NetFilter patch, but same result. :cry:

regards,

gkweb.

Postby PaX Team » Tue Jul 15, 2003 6:24 pm

gkweb wrote: There is obviously something wrong on my system, maybe too old a glibc?
ok, some attentive (re)reading of the build log above made me think that you might have an outdated objcopy on your system which for some reason comes before the v2.14 version on your PATH. can you verify this (which objcopy and objcopy --version)?

Postby gkweb » Tue Jul 15, 2003 6:41 pm

/usr/bin/objcopy -> v2.11.90.0.8
/usr/local/bin/objcopy -> v2.14 20030612

I don't specify the path of objcopy while building, so I guess that v2.11 is used?

gkweb.

EDIT: better news, things have changed. Now the kernel is 1121 Kb, still unbootable (it reboots without printing anything).
I typed the following command:

"make bzImage CC=/usr/local/bin/gcc LD=/usr/local/bin/ld OBJCOPY=/usr/local/bin/objcopy OBJDUMP=/usr/local/bin/objdump"

I am beginning to guess something: all the stuff for compiling is used by default from /usr/bin, but all my updated compiler-related packages are in /usr/local/bin. Is there any variable to put after the make?
(I tried "make dep PATH=/usr/local/bin" but it doesn't work.)

Postby PaX Team » Wed Jul 16, 2003 5:20 am

gkweb wrote: EDIT: better news, things have changed. Now the kernel is 1121 Kb, still unbootable (it reboots without printing anything).
if that size is that of the compressed kernel then it looks ok. which gcc did you use to compile the kernel with? your best bet would be 2.95.3, that works here.
gkweb wrote: I am beginning to guess something: all the stuff for compiling is used by default from /usr/bin, but all my updated compiler-related packages are in /usr/local/bin. Is there any variable to put after the make?
if you don't mind completely getting rid of the old binutils, then you're better off with rebuilding the newer binutils with configure --prefix=/usr, this will put the binaries into /usr instead of /usr/local.

Postby gkweb » Wed Jul 16, 2003 7:17 am

Victory !!

Now it works! I rebuilt binutils 2.14 with the right prefix, I used gcc 3.3 (now you know that it is good too :wink: ) and at the end the kernel was near 950Kb if I remember right (instead of near 820Kb in Medium level).

My whole system seems to work fine on High level. I'm using a USB modem, squid, snort, iptables, samba, and ssh, and it rocks :D
I had read the warning about Xfree but it isn't installed on my server, so no pb.
Now I know that if an application is not compatible with PaX I will have to handle that with ACLs to disable PaX for this binary, but no pb so far 8)

Thank you very much for your support, PaX Team. I'm now running PaX on my server and you will be notified of problems, if any.
If you need a test on an i686 or something specific on my system, about a new patch or something else, ask me!

Again thanks a lot! :D

Best regards,

gkweb.
gkweb
 
Posts: 16
Joined: Sun Jul 13, 2003 12:45 pm
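
The root cause in this thread was an old objcopy in /usr/bin being found before the new one in /usr/local/bin. The script below is an added example, not part of the original posts: it walks a PATH string and reports any tool whose first-found copy is older than a later copy or below a minimum version. The function names and the stub tools are constructed for illustration; the 2.13 minimum is the one given in the first reply.

```shell
# Added example: find binutils tools where an older copy wins the PATH lookup.
# Print "DIR VERSION" for each copy of tool $1 on PATH string $2, in lookup order.
tool_copies() {
    printf '%s\n' "$2" | tr ':' '\n' | while read -r dir; do
        [ -n "$dir" ] && [ -x "$dir/$1" ] || continue
        ver=$("$dir/$1" --version </dev/null 2>/dev/null |
              sed -n '1s/[^0-9]*\([0-9][0-9.]*[0-9]\).*/\1/p')
        printf '%s %s\n' "$dir" "${ver:-0}"   # 0 = version not recognised
    done
}

# Succeed when dotted version $1 is numerically lower than $2.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= n || i <= m; i++)
            if (x[i] + 0 != y[i] + 0) exit !(x[i] + 0 < y[i] + 0)
        exit 1
    }'
}

# Usage: check_toolchain PATH MIN_VERSION TOOL...
# Prints OK, MISSING, TOO_OLD or SHADOWED per tool; returns 1 unless all are OK.
check_toolchain() {
    path=$1; min=$2; rc=0; shift 2
    for tool in "$@"; do
        copies=$(tool_copies "$tool" "$path")
        [ -n "$copies" ] || { echo "MISSING $tool"; rc=1; continue; }
        first=$(printf '%s\n' "$copies" | head -n 1)
        used=${first##* }; newest=$used
        for v in $(printf '%s\n' "$copies" | awk '{ print $NF }'); do
            if ver_lt "$newest" "$v"; then newest=$v; fi
        done
        if ver_lt "$used" "$newest"; then
            echo "SHADOWED $tool ${first% *} $used (newer $newest later on PATH)"; rc=1
        elif ver_lt "$used" "$min"; then
            echo "TOO_OLD $tool ${first% *} $used (need $min)"; rc=1
        else
            echo "OK $tool ${first% *} $used"
        fi
    done
    return $rc
}

# Constructed demo: stub tools printing the two objcopy versions from the thread.
make_stub() { mkdir -p "$1" && printf '#!/bin/sh\necho "%s"\n' "$3" >"$1/$2" && chmod +x "$1/$2"; }
t=$(mktemp -d)
make_stub "$t/old" objcopy "GNU objcopy 2.11.90.0.8"
make_stub "$t/new" objcopy "GNU objcopy 2.14 20030612"
check_toolchain "$t/old:$t/new" 2.13 objcopy || true; rm -rf "$t"
```

On a real system, call it as `check_toolchain "$PATH" 2.13 ld objcopy objdump nm as` before starting the kernel build.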

