grsecurity forums

[uberslakr]

I'm having lots of pain trying to use the full feature set of PaX thanks to the NVidia proprietary drivers and libs. I'm running Debian Sarge with kernel 2.6.2 and PaX (now working thanks to a previous post!). However, after turning on non-executable pages (Segmentation based for my x86 arch), I've lost the ability to run my normal KDE desktop. I chpax'd XFree86 just fine, and it works well. But any application linked against OpenGL, which includes my entire KDE 3.2 build, won't run. The culprits seem to be the NVidia libGL.so and libGLcore.so-- if I remove them and drop in the Mesa libs, everything is OK.

It seems that my options are to 1) use the Mesa libs, and forget about any GL acceleration; 2) chpax almost *everything* to turn off non-exec pages; or 3) completely remove the non-exec page features of PaX from my kernel.

I'd really like to have the cake and eat it, but I'm not sure there is anything I can do with the NVidia libs. They are not released in source, so I can't rebuild them in any way (that I'm aware of). Any suggestions?

[PaX Team]

I chpax'd XFree86 just fine, and it works well. But any application linked against OpenGL, which includes my entire KDE 3.2 build, won't run. The culprits seem to be the NVidia libGL.so and libGLcore.so-- if I remove them and drop in the Mesa libs, everything is OK.

It seems that my options are to 1) use the Mesa libs, and forget about any GL acceleration; 2) chpax almost *everything* to turn off non-exec pages; or 3) completely remove the non-exec page features of PaX from my kernel.

if you're using the same .config you posted in the previous thread then your problems are not caused by non-exec pages per se but text relocations in the nvidia libraries. this is a known issue and some folks in Hardened Gentoo are trying to work it out with nvidia (i have patches to fix it in xfree at least), we'll see what we can achieve. your short term solutions are to disable NOELFRELOCS (khm, config help...) or to chpax -m all applications that link to those libraries. i'd like to also note that xfree is a special animal to properly secure under PaX, i suggest that you follow the thread a few lines below where i'll post more details about what and how you can do about it as soon as i worked some items off my todo list.