RANDSTRUCT and third-party kernel module build woes.


Postby Neokernsec » Mon Feb 16, 2015 10:21 pm

With CONFIG_GRKERNSEC_RANDSTRUCT enabled, I have compile failures building "third party" kernel modules like cryptodev-1.7 as follows:

Code:
make[4]: Entering directory 'linux-ar71xx_generic/cryptodev-linux-1.7'
make -C linux-ar71xx_generic/linux-3.14.30 SUBDIRS=`pwd` ARCH=mips CROSS_COMPILE=mips-openwrt-linux-uclibc- modules
make[5]: Entering directory 'linux-ar71xx_generic/linux-3.14.30'
  CC [M]  linux-ar71xx_generic/cryptodev-linux-1.7/ioctl.o
linux-ar71xx_generic/cryptodev-linux-1.7/ioctl.c:1120:2: error: invalid initializer
  {0, },
  ^
linux-ar71xx_generic/cryptodev-linux-1.7/ioctl.c:1120:2: error: (near initialization for 'verbosity_ctl_dir[1].<anonymous>')
linux-ar71xx_generic/cryptodev-linux-1.7/ioctl.c:1129:2: error: invalid initializer
  {0, },
  ^
linux-ar71xx_generic/cryptodev-linux-1.7/ioctl.c:1129:2: error: (near initialization for 'verbosity_ctl_root[1].<anonymous>')


I've seen examples of build problems of this sort with other kernel modules like zfs, etc. I am happy to pull up my sleeves and provide some patches either to the module authors or elsewhere, but I'm a little unsure of what the problem is here. Is it a matter of the randomize plugin not being invoked in the build of this module, along with reference to the current/valid "randomizing key"?

The platform in question here is an Atheros SoC (MIPS) 7133, and I've made all of the adjustments to the mainline grsecurity-3.14 patch to get it built cleanly within the OpenWRT buildroot system, so that's behind me.

linux-3.14.30 via OpenWRT trunk feed, with grsecurity-3.0-3.14.32-201502062101.patch applied.
GCC: gcc-cross (OpenWrt/Linaro GCC 4.9-2014.10 r44233) 4.9.2

Kernel config: http://pastebin.com/abYe9fuZ
Neokernsec
 
Posts: 16
Joined: Sun Dec 30, 2012 8:53 am

Re: RANDSTRUCT and third-party kernel module build woes.

Postby PaX Team » Mon Feb 16, 2015 10:37 pm

RANDSTRUCT works with designated initializers only; you'll have to patch all other instances (you'll keep getting the invalid initializer error until you have fixed all of them, so it's a fail-safe mechanism).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
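
What the fail-safe described in the reply above guards against, as an added example that is not part of the original thread and not cryptodev or grsecurity code: when member order can differ between builds, a positional initializer assigns values by position, while a designated one assigns them by name. The two struct types are constructed user-space stand-ins for struct ctl_table under two hypothetical randomization seeds, and the macro and function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for struct ctl_table: identical members, two
 * declaration orders, imitating builds with different RANDSTRUCT seeds. */
struct tbl_seed_a { const char *procname; int maxlen; int mode; };
struct tbl_seed_b { const char *procname; int mode; int maxlen; };

/* Positional form: values land on whatever member sits at that position. */
#define POSITIONAL { "cryptodev_verbosity", (int)sizeof(int), 0644 }
/* Designated form: every value names its member, so order is irrelevant. */
#define DESIGNATED { .procname = "cryptodev_verbosity", \
                     .maxlen = (int)sizeof(int), .mode = 0644 }
/* Designated terminator, in place of the positional {0, } from the log. */
#define SENTINEL   { .procname = NULL }

static const struct tbl_seed_a pos_a[] = { POSITIONAL, SENTINEL };
static const struct tbl_seed_b pos_b[] = { POSITIONAL, SENTINEL };
static const struct tbl_seed_a des_a[] = { DESIGNATED, SENTINEL };
static const struct tbl_seed_b des_b[] = { DESIGNATED, SENTINEL };

int positional_mode_a(void) { return pos_a[0].mode; }
int positional_mode_b(void) { return pos_b[0].mode; }  /* silently wrong */
int designated_mode_a(void) { return des_a[0].mode; }
int designated_mode_b(void) { return des_b[0].mode; }

/* Walk a table up to its NULL-procname terminator, as sysctl code does. */
int entries_seed_b(void)
{
    int n = 0;
    while (des_b[n].procname != NULL)
        n++;
    return n;
}

int main(void)
{
    printf("positional: seed A mode=%o, seed B mode=%o\n",
           (unsigned)positional_mode_a(), (unsigned)positional_mode_b());
    printf("designated: seed A mode=%o, seed B mode=%o\n",
           (unsigned)designated_mode_a(), (unsigned)designated_mode_b());
    printf("entries before terminator (seed B): %d\n", entries_seed_b());
    return 0;
}
```

In this stand-in the positional table compiles under both orders and only the values end up on the wrong members, which is the silent failure a hard "invalid initializer" error rules out.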

