2.6.24.3 patch seems broken

Postby samadei » Tue Mar 11, 2008 1:48 am

I tried to use the 2.1.11-26.24.3-200803101831 patch... and I got some nonsense about "CONFIG_PAX enabled, but no PaX options are enabled"... I looked in include/linux/grsecurity.h on line 18, and noted references to CONFIG_ALSR and CONFIG_NOEXEC... which were not in my .config... but CONFIG_PAX_ASLR and CONFIG_PAX_NOEXEC were... so I fixed these and I got a good kernel.

Looks like a minor typo.

Stephen
samadei
 
Posts: 1
Joined: Tue Mar 11, 2008 1:42 am

Re: 2.6.24.3 patch seems broken

Postby forsaken » Tue Mar 11, 2008 4:33 am

Same problem here.
forsaken
 
Posts: 74
Joined: Tue May 18, 2004 3:04 am

Re: 2.6.24.3 patch seems broken

Postby spender » Wed Mar 12, 2008 12:42 am

The patches have been fixed and updated.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: 2.6.24.3 patch seems broken

Postby fed.linuxgossip » Thu Mar 13, 2008 5:28 pm

I receive the following error:

In file included from arch/x86/kernel/ioport_32.c:17:
include/linux/grsecurity.h:18:2: #error "CONFIG_PAX enabled, but no PaX options are enabled."
make[1]: *** [arch/x86/kernel/ioport_32.o] Error 1
make: *** [arch/x86/kernel] Error 2

[root@server linux-2.6.24.3]# head -20 arch/x86/kernel/ioport_32.c
/*
* This contains the io-permission bitmap code - written by obz, with changes
* by Linus.
*/

#include <linux/sched.h>
#include <linux/kernel.h>
#include <linux/capability.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/ioport.h>
#include <linux/smp.h>
#include <linux/stddef.h>
#include <linux/slab.h>
#include <linux/thread_info.h>
#include <linux/syscalls.h>
#include <linux/grsecurity.h>

/* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
[root@server linux-2.6.24.3]#


Please advise
fed.linuxgossip
 
Posts: 21
Joined: Mon Feb 25, 2008 9:46 am

Re: 2.6.24.3 patch seems broken

Postby spender » Thu Mar 13, 2008 7:10 pm

I updated the patch about an hour ago or so. Please use that one for now.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: 2.6.24.3 patch seems broken

Postby fed.linuxgossip » Thu Mar 13, 2008 11:23 pm

Even with the latest patch I found the same error on a fresh kernel compilation. The only solution I found was to enable each PaX option in menuconfig, which allowed the process to complete successfully. Are there any specific options in PaX which have to be selected for sure?
fed.linuxgossip
 
Posts: 21
Joined: Mon Feb 25, 2008 9:46 am

Re: 2.6.24.3 patch seems broken

Postby spender » Fri Mar 14, 2008 9:12 am

In that case, you were hitting the intended purpose of the change: to inform people who compile kernels with configs that won't give them the additional security they possibly expected. In your case, you enabled the CONFIG_PAX option, but didn't enable anything inside of it that would have provided security (namely, enabling either options in the ASLR menu or enabling either SEGMEXEC/PAGEEXEC).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
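
A pre-build check for the situation described in the last reply, as an added example that is not part of the thread and not grsecurity's own code: it reads a kernel .config and reports when CONFIG_PAX is on but nothing that provides protection is selected. The function names are hypothetical, and the list of leaf options (CONFIG_PAX_PAGEEXEC, CONFIG_PAX_SEGMEXEC, CONFIG_PAX_RANDKSTACK, CONFIG_PAX_RANDUSTACK, CONFIG_PAX_RANDMMAP) is an assumption about what "options in the ASLR menu" and "SEGMEXEC/PAGEEXEC" map to; it is not the logic of include/linux/grsecurity.h.

```shell
#!/bin/sh
# Added example: lint a kernel .config for a "hollow" PaX setup before building.
# Option names below are assumptions, not taken from grsecurity.h.

# cfg_on FILE OPTION: succeeds only if OPTION is built in (OPTION=y).
# Lines such as "# CONFIG_PAX_ASLR is not set" do not match.
cfg_on() {
    grep -q "^$2=y\$" "$1"
}

# pax_config_status FILE: prints one of
#   no-pax  CONFIG_PAX is not enabled, nothing to check
#   ok      CONFIG_PAX plus at least one protective leaf option
#   hollow  CONFIG_PAX (and perhaps menu toggles) but no leaf option
pax_config_status() {
    cfg=$1
    cfg_on "$cfg" CONFIG_PAX || { echo "no-pax"; return 0; }
    for opt in CONFIG_PAX_PAGEEXEC CONFIG_PAX_SEGMEXEC \
               CONFIG_PAX_RANDKSTACK CONFIG_PAX_RANDUSTACK CONFIG_PAX_RANDMMAP
    do
        if cfg_on "$cfg" "$opt"; then
            echo "ok"
            return 0
        fi
    done
    # Menu toggles such as CONFIG_PAX_ASLR=y or CONFIG_PAX_NOEXEC=y alone
    # land here: the menus are open but nothing inside them is selected.
    echo "hollow"
}

# Check the file named on the command line, or a constructed sample.
if [ -n "${1:-}" ]; then
    echo "$1: $(pax_config_status "$1")"
else
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed sample .config fragment
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
# CONFIG_PAX_SEGMEXEC is not set
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDMMAP is not set
EOF
    echo "sample: $(pax_config_status "$sample")"
    rm -f "$sample"
fi
```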

