Kernel 2.6.7


Postby Hal9000 » Wed Jun 16, 2004 2:42 am

Ok, there's no patch for 2.6.6, and 2.6.7 fixes a security issue (2.6.6 fixes some too afaik).
Will there be a grsec patch soon or should i stick onto a patched 2.4.26-grsec? (don't even know if that's possible, given that the patch is for vanilla and not grsec kernel)
greetings
hal
Hal9000
 
Posts: 78
Joined: Wed Jun 16, 2004 2:40 am

Postby To » Wed Jun 16, 2004 10:47 pm

I'm still with 2.6.5; you can always try it if you wish to go for a 2.6.

Tó
To
 
Posts: 22
Joined: Thu Dec 05, 2002 8:26 am

Postby Hal9000 » Wed Jun 16, 2004 11:37 pm

well, 2.6.5 has that security bug too...
so if i'm going for a 2.6 i'm gonna wait for a grsec patch for 2.6.7
if it doesn't come out then duh... i'm gonna have to stick with a 2.4.6-grsec+clear_cpu-patch (http://linux.bkbits.net:8080/linux-2.4/ ... Q7r9uDRvJQ)
Hal9000
 
Posts: 78
Joined: Wed Jun 16, 2004 2:40 am

2.6.5+Bug

Postby c0ldbyte » Fri Jun 25, 2004 11:50 pm

Hal9000 wrote: well, 2.6.5 has that security bug too...
so if i'm going for a 2.6 i'm gonna wait for a grsec patch for 2.6.7
if it doesn't come out then duh... i'm gonna have to stick with a 2.4.6-grsec+clear_cpu-patch (http://linux.bkbits.net:8080/linux-2.4/ ... Q7r9uDRvJQ)


There is a patch that was released that fixes the specific bug that you are talking about. In order to fix this, you should first apply the grsec patch and then apply the patch that changes the include files to fix the bug, just to be sure that you aren't overwriting any of grsec's changes. A comment on the bug can be found with links to the patch at http://www.kerneltrap.org/. Yes, that's the patch above.
c0ldbyte
 
Posts: 3
Joined: Fri Mar 14, 2003 8:57 pm

Postby spender » Sat Jun 26, 2004 9:06 am

http://grsecurity.net/~spender/grsecuri ... .6.7.patch

try that for now, official version will be released soon.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby FloFri » Mon Jun 28, 2004 2:38 am

thank you spender, now i can migrate to 2.6, too :)
FloFri
 
Posts: 5
Joined: Wed Jun 16, 2004 4:46 am

sparc64 compile error

Postby androsyn » Mon Jun 28, 2004 9:20 am

Got a compile error on sparc64 with the patch from above, not sure if this is a grsecurity issue or just a brokenness with 2.6.7 on sparc64. Below is part of the errors from the compile.

-Aaron

fs/compat.c: In function `compat_do_execve':
fs/compat.c:1134: warning: implicit declaration of function `gr_learn_resource'
fs/compat.c:1134:90: macro "atomic_read" passed 2 arguments, but takes just 1
fs/compat.c:1134: error: `atomic_read' undeclared (first use in this function)
fs/compat.c:1134: error: (Each undeclared identifier is reported only once
fs/compat.c:1134: error: for each function it appears in.)
fs/compat.c:1134: error: parse error before ';' token
fs/compat.c:1116: warning: unused variable `bprm'
fs/compat.c:1119: warning: unused variable `i'
fs/compat.c:1121: warning: unused variable `old_exec_file'
fs/compat.c:1122: warning: unused variable `old_acl'
fs/compat.c:1123: warning: unused variable `old_rlim'
fs/compat.c: At top level:
androsyn
 
Posts: 10
Joined: Mon Jun 28, 2004 9:02 am

Postby spender » Mon Jun 28, 2004 3:52 pm

I've uploaded a new patch that should resolve your problem.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

more sparc64 issues..

Postby androsyn » Thu Jul 01, 2004 4:15 pm

It looks like pte_exprotect doesn't exist in include/asm-sparc64/pgtable.h, nor does it exist on sparc32. It's getting called from mm/mremap.c:136

-Aaron
androsyn
 
Posts: 10
Joined: Mon Jun 28, 2004 9:02 am

Postby spender » Thu Jul 01, 2004 4:37 pm

I've uploaded a new patch that corrects that problem. PaX was just recently ported to the 2.6 series, so non-i386 archs may not even compile. Any problems you run into however I'll be sure to pass on to the PaX team to fix.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: more sparc64 issues..

Postby PaX Team » Thu Jul 01, 2004 4:41 pm

androsyn wrote: It looks like pte_exprotect doesn't exist in include/asm-sparc64/pgtable.h, nor does it exist on sparc32. It's getting called from mm/mremap.c:136

Change the #ifdef to depend on CONFIG_ARCH_TRACK_EXEC_LIMIT instead and it will compile.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby androsyn » Thu Jul 01, 2004 11:06 pm

That fixed it.

-Aaron
androsyn
 
Posts: 10
Joined: Mon Jun 28, 2004 9:02 am

Postby Cyrus » Sun Jul 04, 2004 11:45 am

Got this error on two different machines:

# gradm -E
Could not open /dev/grsec.
open: No such device or address

And /dev/grsec is there; I ran make install for gradm:

# ls -l /dev/grsec
crw--w--w- 1 root root 1, 10 Jul 4 18:10 /dev/grsec

I'm using 2.6.7 with the latest grsecurity-2.0.1
Cyrus
 
Posts: 7
Joined: Mon Mar 17, 2003 3:31 pm

Postby spender » Sun Jul 04, 2004 1:37 pm

You need to grab the newest CVS of gradm2. I had to change the device number for /dev/grsec so that it would not conflict with a device created by UML.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
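
The failure in the exchange above, as an added example that is not part of the thread and is not gradm or grsecurity code: "No such device or address" is the text for ENXIO, which open() returns when a character device node exists but the running kernel has no driver registered at the node's major/minor number. The probe below separates that case from a missing node; the names probe_chardev and node_state are hypothetical, and the write-only open is an assumption taken from the node's permissions shown in the listing.

```c
/* Added example: classify why opening a character device node fails. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>   /* major(), minor() on Linux/glibc */
#include <unistd.h>

enum node_state { NODE_OK, NODE_MISSING, NODE_NOT_CHARDEV, NODE_NO_DRIVER, NODE_OTHER };

/* Stat the node, record its device number, then try to open it for writing. */
enum node_state probe_chardev(const char *path, unsigned *maj, unsigned *min)
{
    struct stat st;
    int fd;

    *maj = *min = 0;
    if (stat(path, &st) != 0)
        return errno == ENOENT ? NODE_MISSING : NODE_OTHER;
    if (!S_ISCHR(st.st_mode))
        return NODE_NOT_CHARDEV;
    *maj = major(st.st_rdev);
    *min = minor(st.st_rdev);

    fd = open(path, O_WRONLY | O_NONBLOCK);
    if (fd >= 0) {
        close(fd);
        return NODE_OK;
    }
    /* ENXIO (ENODEV from some drivers): node exists, nothing serves its number. */
    return (errno == ENXIO || errno == ENODEV) ? NODE_NO_DRIVER : NODE_OTHER;
}

int main(int argc, char **argv)
{
    static const char *msg[] = {
        "opens fine", "node missing", "not a character device",
        "node present, but the kernel has no driver at this major/minor",
        "other error (check permissions)"
    };
    const char *path = argc > 1 ? argv[1] : "/dev/grsec";
    unsigned maj, min;
    enum node_state s = probe_chardev(path, &maj, &min);

    printf("%s (%u, %u): %s\n", path, maj, min, msg[s]);
    return s == NODE_OK ? 0 : 1;
}
```

A NODE_NO_DRIVER result means the userland tool and the kernel patch disagree on the device number, so the fix is to rebuild the tool and node from matching sources rather than to change permissions.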

Postby Cyrus » Sun Jul 04, 2004 2:42 pm

Thanks a lot. It's working now.
Cyrus
 
Posts: 7
Joined: Mon Mar 17, 2003 3:31 pm
