wolk-devel Mailing List for WOLK - Working Overloaded Linux Kernel (Page 2)
Brought to you by:
hight0wer
You can subscribe to this list here.
2002 |
Jan
|
Feb
|
Mar
(30) |
Apr
(22) |
May
(54) |
Jun
(49) |
Jul
(97) |
Aug
(62) |
Sep
(96) |
Oct
(131) |
Nov
(101) |
Dec
(127) |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2003 |
Jan
(277) |
Feb
(62) |
Mar
(56) |
Apr
(131) |
May
(117) |
Jun
(82) |
Jul
(30) |
Aug
(75) |
Sep
(57) |
Oct
(17) |
Nov
(1) |
Dec
(10) |
2004 |
Jan
(14) |
Feb
(28) |
Mar
(70) |
Apr
(95) |
May
(41) |
Jun
(43) |
Jul
(7) |
Aug
(9) |
Sep
(23) |
Oct
(6) |
Nov
(20) |
Dec
|
2005 |
Jan
(7) |
Feb
|
Mar
|
Apr
(1) |
May
(4) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
2007 |
Jan
|
Feb
|
Mar
|
Apr
(5) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
From: ian s. (m. list) <ia...@qs...> - 2004-11-18 02:20:48
|
On Wed, 17 Nov 2004, Marc-Christian Petersen wrote: > On Wednesday 17 November 2004 13:06, Marc-Christian Petersen wrote: > > > > http://linux-abi.sourceforge.net/patches/linux-abi-2.4.26-0.patch.gz > > > I've tried to patch WOLK 4.16, and the patch runs ok for the most > > > part...with just some failed hunks. > > > and where is the patch which applies to 4.16s? Do all of you really think > > that I release a new 2.4-wolk based on 2.4.28 when its still a one man > > show? Surely not :p > > anyway, I've added it, but it does: > > 1. not compile > 2. due to 1 not work ;) > > and I don't care at all about Linux-ABI so someone has to fix it up to work > with LDT in 2.4 mainline changes and SKAS changes in 2.4-wolk. Ok no problem. Thanks for trying anyway. |
From: Mike B. <Mik...@fu...> - 2004-11-17 23:50:35
|
> I encourage _all_ 2.4-WOLK users to update to v4.17s! It=20 > fixes a local=20 > exploitable security issue!! hey marc, thanks for the patches; does this vunerability apply to = previous versions as well or just 4.16s? |
From: Marc-Christian P. <m....@wo...> - 2004-11-17 23:26:06
|
Hi all, so, here we go, FINAL v4.17. This is the 17th maintenance update for WOLK4.0. v4.18s will follow when it's finished but for now security is more= =20 important. Sorry for the delay. Files will are up at kernel.org now and wil= l=20 be available within some minutes at sourceforge.net too. =2D----------------------------------------------------------------------- I encourage _all_ 2.4-WOLK users to update to v4.17s! It fixes a local=20 exploitable security issue!! =2D----------------------------------------------------------------------- Changelog from v4.16s -> v4.17s =2D------------------------------ o fixed: binfmt_elf: Local privilege escalation vulnerabilities o fixed: binfmt_elf: memleak error handling o fixed: binfmt_elf: handle p_filesz =3D=3D 0 on PT_INTERP section o fixed: binfmt_elf: 32-bit apps with large bss md5sums: =2D------- 6a6b73973c0b7baacbef6888fd174063 linux-2.4.20-wolk4.17-fullkernel.tar.bz2 b765fd622644961a098e15b679485b3a linux-2.4.20-wolk4.17-fullkernel.tar.gz aba4d81219790d2cee7addb8c27a2d5f linux-2.4.20-wolk4.16s-to-4.17s.patch.bz2 4968570373896a2e339de9930ca5ecb5 linux-2.4.20-wolk4.16s-to-4.17s.patch.gz Enjoy :) =2D- Kind regards Marc-Christian Petersen http://sourceforge.net/projects/wolk PGP/GnuPG Key: 1024D/569DE2E3DB441A16 =46ingerprint: 3469 0CF8 CA7E 0042 7824 080A 569D E2E3 DB44 1A16 Key available at http://pgp.mit.edu. Encrypted e-mail preferred |
From: Marc-Christian P. <m....@wo...> - 2004-11-17 19:14:17
|
On Wednesday 17 November 2004 13:06, Marc-Christian Petersen wrote: > > http://linux-abi.sourceforge.net/patches/linux-abi-2.4.26-0.patch.gz > > I've tried to patch WOLK 4.16, and the patch runs ok for the most > > part...with just some failed hunks. > and where is the patch which applies to 4.16s? Do all of you really think > that I release a new 2.4-wolk based on 2.4.28 when its still a one man > show? Surely not :p anyway, I've added it, but it does: 1. not compile 2. due to 1 not work ;) and I don't care at all about Linux-ABI so someone has to fix it up to work with LDT in 2.4 mainline changes and SKAS changes in 2.4-wolk. ciao, Marc |
From: Marc-Christian P. <m....@wo...> - 2004-11-17 17:53:07
|
On Tuesday 16 November 2004 10:56, Alexandru Matei wrote: > Sorry, for MPLS are at > http://cvs.sourceforge.net/viewcvs.py/mpls-linux/mpls-linux/patches/kernel/ >?hideattic=0 or better > http://dsmpls.atlantis.ugent.be/files/patch_2.4.20_2.4.22_ROBC++.zip very very unsorted project. Anyway, does that actually work? ciao, Marc |
From: Marc-Christian P. <m....@wo...> - 2004-11-17 12:06:25
|
On Wednesday 17 November 2004 08:43, ian sison (mailing list) wrote: Hi Ian, > http://linux-abi.sourceforge.net/patches/linux-abi-2.4.26-0.patch.gz > I've tried to patch WOLK 4.16, and the patch runs ok for the most > part...with just some failed hunks. and where is the patch which applies to 4.16s? Do all of you really think that I release a new 2.4-wolk based on 2.4.28 when its still a one man show? Surely not :p -- Kind regards Marc-Christian Petersen |
From: ian s. (m. list) <ia...@qs...> - 2004-11-17 07:43:58
|
Hi Marc, At the risk of sounding repetitious... http://linux-abi.sourceforge.net/patches/linux-abi-2.4.26-0.patch.gz I've tried to patch WOLK 4.16, and the patch runs ok for the most part...with just some failed hunks. :) On Tue, 16 Nov 2004, Marc-Christian Petersen wrote: > On Tuesday 16 November 2004 08:44, Alexandru Matei wrote: > > Hi Alexandru, > > > MPLS: http://mpls-linux.sourceforge.net/ > > and where are the 2.4 patches? > > > > IP_Accounting: http://www.barbara.eu.org/~quaker/ipt_account/index.html.en > > Already in. > > > > Kexec patch: www.xmission.com/~ebiederm/files/*kexec*/ > > and where are the 2.4 patches? > > ciao, Marc > > > ------------------------------------------------------- > This SF.Net email is sponsored by: InterSystems CACHE > FREE OODBMS DOWNLOAD - A multidimensional database that combines > robust object and relational technologies, making it a perfect match > for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8 > _______________________________________________ > WOLK - Working Overloaded Linux Kernel > WOL...@li... > https://lists.sourceforge.net/lists/listinfo/wolk-devel > > |
From: Alexandru M. <al...@qb...> - 2004-11-16 09:56:45
|
Marc-Christian Petersen wrote: >On Tuesday 16 November 2004 08:44, Alexandru Matei wrote: > >Hi Alexandru, > > > >>MPLS: http://mpls-linux.sourceforge.net/ >> >> > >and where are the 2.4 patches? > > > > Sorry, for MPLS are at http://cvs.sourceforge.net/viewcvs.py/mpls-linux/mpls-linux/patches/kernel/?hideattic=0 or better http://dsmpls.atlantis.ugent.be/files/patch_2.4.20_2.4.22_ROBC++.zip >>IP_Accounting: http://www.barbara.eu.org/~quaker/ipt_account/index.html.en >> >> > >Already in. > > > > >>Kexec patch: www.xmission.com/~ebiederm/files/*kexec*/ >> >> > >and where are the 2.4 patches? > > > Sorry, my mistake. They were on ftp://download.lnxi.com/pub/src/linux-kernel-patches/ some 4-6 months ago but it seems they aren't anymore. Best regards, Alex >ciao, Marc > > >------------------------------------------------------- >This SF.Net email is sponsored by: InterSystems CACHE >FREE OODBMS DOWNLOAD - A multidimensional database that combines >robust object and relational technologies, making it a perfect match >for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8 >_______________________________________________ >WOLK - Working Overloaded Linux Kernel >WOL...@li... >https://lists.sourceforge.net/lists/listinfo/wolk-devel > > > |
From: Marc-Christian P. <m....@wo...> - 2004-11-16 09:12:03
|
On Tuesday 16 November 2004 08:44, Alexandru Matei wrote: Hi Alexandru, > MPLS: http://mpls-linux.sourceforge.net/ and where are the 2.4 patches? > IP_Accounting: http://www.barbara.eu.org/~quaker/ipt_account/index.html.en Already in. > Kexec patch: www.xmission.com/~ebiederm/files/*kexec*/ and where are the 2.4 patches? ciao, Marc |
From: Alexandru M. <al...@qb...> - 2004-11-16 07:44:35
|
Hi Marc, If you have any spare time I would love to see these patches in the new V4.17's: MPLS: http://mpls-linux.sourceforge.net/ IP_Accounting: http://www.barbara.eu.org/~quaker/ipt_account/index.html.en Kexec patch: www.xmission.com/~ebiederm/files/*kexec*/ Best regards, Alex |
From: Stefan F. <st...@st...> - 2004-11-10 19:59:19
|
Hi Marc, hello list, I am running WOLK 4.16s on an Intel Celeron. I have mounted some filesystems with the "acl" option. Unfortunately, whenever I change to a directory where I'm only granted access due to the ACLs on this directory, create a single directory there (which correctly inherits the default ACLs from its parent directory) and then "rmdir" this directory, I get a: demeter kernel: Assertion failure in ext3_flush_inode_reservation() at inode.c:2447: "test_bit(EXT3_STATE_INODE_RESERVATION, &EXT3_I(inode)->i_state)" (sorry for the linebreaking) The dump from the kernel BUG is: ------------[ cut here ]------------ kernel BUG at inode.c:2447! invalid operand: 0000 [#1] GRSECURITY Modules linked in: loop quota_v2 eepro100 mii CPU: 0 EIP: 0010:[ext3_flush_inode_reservation+182/208] Not tainted VLI EFLAGS: 00010286 (2.4.20-wolk4.16s) eax: 0000008a ebx: d2fbac80 ecx: d1c4c02c edx: 00000046 esi: c1d6a000 edi: c1d27e40 ebp: c1d27e40 esp: c1d27de8 ds: 0018 es: 0018 ss: 0018 Process kjournald (pid: 7396, stackpage=3Dc1d27000) Stack: c03d2ec0 c03d0755 c03cfb83 0000098f c03d37a0 d147ab80 c1d26000 c01= fdce6 c1d27e34 c1d6a374 c026d4f1 c1d27e40 d2fbac80 df16aaf4 df16aa80 c1d27e60 c0274527 c1d27e40 df16aa80 c1d6a000 00000296 c1cb0cc8 cea57e80 00000000 Call Trace: [schedule+422/656] [ext3_commit_callback+49/66] [do_clie= nt_callback+167/413] [journal_commit_transaction+216/4720] [__switch_to+47/256]= [schedule+422/656] [schedule+433/656e [kjournald+277/480] [commit_timeout+0= /16] [arch_kernel_thread+46/64] [kjournald+0/480] Code: 0f 0b 8f 09 83 fb 3c c0 e9 52 ff ff ff 8d b6 00 00 00 00 8d I just did some quick tests: This does also happen if I delete the "acl" stanza from /etc/fstab and do a "mount -o remount /export/home" (where /export/home is just an example of a filesystem mounted with the "acl" option). So, next step, I deactivated quota for "/export/home" and tried again to delete the (still existing) directory. Now it reads: ------------[ cut here ]------------ kernel BUG at inode.c:2447! invalid operand: 0000 [#1] GRSECURITY Modules linked in: loop eepro100 mii CPU: 0 EIP: 0010:[<c0267086>] Not tainted VLI EFLAGS: 00010286 (2.4.20-wolk4.16s) eax: 0000008a ebx: d2d29b80 ecx: c011d5c8 edx: 00000046 esi: c1fdd800 edi: c1e0be40 ebp: c1e0be40 esp: c1e0bde8 ds: 0018 es: 0018 ss: 0018 Process kjournald (pid: 19877, stackpage=3Dc1e0b000) Stack: c03d2ec0 c03d0755 c03cfb83 0000098f c03d37a0 d142eb80 c1e0a000 c01= fdce6 c1e0be34 c1fddb74 c026d4f1 c1e0be40 d2d29b80 df16aaf4 df16aa80 c1e= 0be60 c0274527 c1e0be40 df16aa80 c1fdd800 00000286 c1f17510 df1c9d80 000= 00000 Call Trace: [<c01fdce6>] [<c026d4f1>] [<c0274527>] [<c02732e8>] = [<c01ebbdf>] [<c01fdce6>] [<c01fdcf1>] [<c0276625>] [<c02764f0>] = [<c01eb90e>] [<c0276510>] Code: 0f 0b 8f 09 83 fb 3c c0 e9 52 ff ff ff 8d b6 00 00 00 00 8d Honestly, I'm running out of ideas right now. Can you help me? To help you debug this problem, I have created a tarball containig the following information: -output from lspci and lspci -vvv -the files /proc/interrupts and /proc/slabinfo -the running kernel-config (in file dot.config) -a file describing the policy of the quota and lvm10 packages -versioning information about the gcc used to compile the kernel -some other stuff which is quite self explanatory Ciao, Stefan --=20 Stefan F=F6rster Public Key: 0xBBE2A9E9 FdI #280: Freizeit - Wenn Du etwas f=FCr die Firma zu Hause (der Ort, der= in Deinem Personalausweis steht. Genau, dort, wo mal wieder dringend abgewas= chen werden m=FCsste) tust. (Florian Kuehnert) |
From: Stefan F. <st...@st...> - 2004-11-10 19:33:53
|
* Stefan Foerster <st...@st...> wrote: > To help you debug this problem, I have created a tarball containig the > following information: >=20 > -output from lspci and lspci -vvv > -the files /proc/interrupts and /proc/slabinfo > -the running kernel-config (in file dot.config) > -a file describing the policy of the quota and lvm10 packages > -versioning information about the gcc used to compile the kernel > -some other stuff which is quite self explanatory Uh, and it is located under: http://mail.incertum.net/bugreport.tar.gz My fault. Ciao, Stefan --=20 Stefan F=F6rster Public Key: 0xBBE2A9E9 FdI #68: WWW - World Wide Waiting |
From: ian s. (m. list) <ia...@qs...> - 2004-10-28 16:43:26
|
> Anyway, I'll fix that for 4.17s. If you are interested (so far the changelog) > > > Changelog from v4.16s -> v4.17s > ------------------------------- > o added: for whatever fscking reason: netdev-random was missing > o added: manual oom killer invocation via sysrq > o added: CRC32 library backport (usbnet needs this for example) > o fixed: RAID1 error handling locking > o fixed: some compiler warnings in fs/proc/kconfig.c > o fixed: tmpfs: shmem_file_write return value > o fixed: tmpfs: stop negative dentries > o fixed: compile error in fs/binfmt_elf.c when PAGEEXEC is used. > o updated: Broadcom Tigon3 (tg3) v3.10 > o updated: SysKonnect SK-98xx v7.08 > o updated: grsecurity v2.0.2 as an replacement patch you have to apply > manually to use v2.0.2 instead of v1.9.15. Please use > gradm2 from ./gradm2 directory and make sure, /dev/grsec > has minor number 12 instead of 10. > o updated: Intel/ICP RAID Controller support v3.04 > o updated: CryptoAPI (up to 2.4.28-pre4) > o updated: Intel Software RAID Driver (iswraid) v0.1.4.3 > o updated: Intel e1000 v5.4.11-k1 > Hi Marc, hoping that you're in the mood for this, well.. extension... I've run across a new patch for linux-abi[1], and tried it on 4.16s, it seems to apply for the most part, except for some files. Maybe you can give it a try? I can help test this if you can make it compile as i've got a client using the abi extension which i had to use 2.4.26 on and not WOLK [1] http://linux-abi.sourceforge.net/patches/linux-abi-2.4.26-0.patch.gz Also, i know you've already compiled a UML kernel from your recent posts, but when i tried it myself, following the instructions from the UML website, i ran into some compile time errors. Is there any specific procedure for generating a UML kernel from wolk? - ian |
From: Carl H. <cha...@qu...> - 2004-10-26 19:28:38
|
Hi Marc, I'm currently in the process of building WOLK RPMS for Red Hat Enterprise Linux/Fedora (one of your wish list items.) For configuration management purposes, I never install anything on my servers that are not packaged as RPMS. It would help me greatly in this endeavor if I could have access to the broken-out patch sets for WOLK-2.4-4.16s and WOLK-2.6-3.0. There are two reasons this would help. The first is that I'm struggling a bit with implementing WOLK in place of Red Hat's highly patched kernel. Specifically, Red Hat implements exec-shield, a PaX want-to-be, and I'm encountering difficulties. The second reason is that I can conditionally apply patches during the RPM build process with command line switches. This nicely solves the issue where two version of a patch (grsecurity, openswan, etc.) might exist and one is preferred over the other by various users. I'm currently focusing on the 2.4 version of WOLK (hence my flurry of messages), as Red Hat Enterprise Linux 3 uses this kernel (actually 2.4.21.) Red Hat has just released v4 as a beta (using kernel version 2.6.8.1), and I've started playing around with it a bit. I'll eventually move to this, so I figure I'll build the RPMS for this version now also. After I get my firewall/gateway configured the way I want, (the reason I'm using WOLK), I'm thinking I'll take a little time to put up a WOLK web site (your other wish list item.) But more on that later... If space is an issue, I could probably throw up an FTP server, but since I'm very security conscious, I'd rather not do so in a hurry if it's not necessary. Again, once I've completed configuration of my firewall this would be easier to do. Thanks for your help -- Carl |
From: Marc-Christian P. <m....@wo...> - 2004-10-26 19:20:38
|
On Tuesday 26 October 2004 20:55, Carl Hagmueller wrote: Hi Carl, > I ran into the following compile error in linux-2.4.20-wolk4.16s, with > Grsecurity/Pax options enabled. Specifically, CONFIG_PAX_PAGEEXEC=y > binfmt_elf.c: In function `load_elf_binary': > binfmt_elf.c:1006: warning: passing arg 2 of `__do_mmap_pgoff' makes > pointer from integer without a cast > binfmt_elf.c:1006: too few arguments to function `__do_mmap_pgoff' > make[2]: *** [binfmt_elf.o] Error 1 > make[2]: Leaving directory > `/home/chagmuel/devel/RPM/BUILD/wolk-4.16/linux-2.4.20/fs' erm, even if my mind is sometimes vary bad, I am quite sure I've fixed that in some previous wolk versions, didn't I? Lance? You hit that too no? some months ago? hmmm ... funny ;() > This leads me to believe that the proper call should be as follows: > #ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC > if (current->flags & PF_PAX_PAGEEXEC) > load_addr_random = __do_mmap_pgoff(current->mm, NULL, > ELF_PAGESTART(load_bias_random + vaddr), 0UL, elf_prot, elf_flags | > MAP_MIRROR, error); > ^^^^^^^^^^^ > #endif you are correct. current->mm is missing to the __do_mmap_pgoff call :) and _now_ I see, I didn't fix that, I fixed that some time ago for SEGMEXEC and RANDEXEC but forgot PAGEEXEC, mostly because PAGEEXEC is a lot of shit (as in it really really megareally hurts performance of the whole machine :( This is an issue of PaX itself. PaX developers already did some improvements to that code but unfortunately only for 2.6 (yet), but even there it's still a lot of shit as in slow :) You better disable that config option. Or you might give it a try after you've changed that code in binfmt_elf.c (or you want me to send a patch? :)) and notice the difference in overall performance of your machine. I'll bet it hurts ;) > I realize this is probably a Grsecurity issue, but I wanted to run it by > you first, since I'm very fuzzy on the mmap/rmap issues, and I'm not really > a kernel hacker! I'm also new to Grsecurity and Pax. In retrospect, I > probably don't need this option (that's why the issue has never come up > before?) but I need to learn more about the various options. This was a > first cut following the Grsecurity 'QuickStart Guide' > Let me know what you think. this isn't a grsecurity issue, or, well, not by itself but caused by the UML (user-mode-linux) SKAS stuff :) Thanks alot for noticing this and your interest! Anyway, I'll fix that for 4.17s. If you are interested (so far the changelog) Changelog from v4.16s -> v4.17s ------------------------------- o added: for whatever fscking reason: netdev-random was missing o added: manual oom killer invocation via sysrq o added: CRC32 library backport (usbnet needs this for example) o fixed: RAID1 error handling locking o fixed: some compiler warnings in fs/proc/kconfig.c o fixed: tmpfs: shmem_file_write return value o fixed: tmpfs: stop negative dentries o fixed: compile error in fs/binfmt_elf.c when PAGEEXEC is used. o updated: Broadcom Tigon3 (tg3) v3.10 o updated: SysKonnect SK-98xx v7.08 o updated: grsecurity v2.0.2 as an replacement patch you have to apply manually to use v2.0.2 instead of v1.9.15. Please use gradm2 from ./gradm2 directory and make sure, /dev/grsec has minor number 12 instead of 10. o updated: Intel/ICP RAID Controller support v3.04 o updated: CryptoAPI (up to 2.4.28-pre4) o updated: Intel Software RAID Driver (iswraid) v0.1.4.3 o updated: Intel e1000 v5.4.11-k1 ciao, Marc |
From: Marc-Christian P. <m....@wo...> - 2004-10-26 19:20:38
|
On Tuesday 26 October 2004 20:39, Carl Hagmueller wrote: Hi Carl, > depmod: *** Unresolved symbols in > /lib/modules/2.4.20-4.16.WOLKsmp/kernel/drivers/usb/usbnet.o > depmod: crc32_le outch :( > I did some investigation and found that indeed, usbnet requires crc32_le. > I've attached a patch, derived from Alan Cox's 2.4.21 patchset, which > defines crc32 as a library module and adjusts all references to crc32_le, > crc32_be and bitreverse to use this new module. I went over the patch > carefully, but as I'm a 'newbie kernel hacker', you might want to take a > look at it yourself. coolio. I'll take a look and merge it then :) > Thanks for all your hard work on WOLK! np. you're welcome - Thanks for the patch! :) ciao, Marc |
From: Carl H. <cha...@qu...> - 2004-10-26 18:55:58
|
Hi Marc, I ran into the following compile error in linux-2.4.20-wolk4.16s, with Grsecurity/Pax options enabled. Specifically, CONFIG_PAX_PAGEEXEC=y gcc -D__KERNEL__ -I/home/chagmuel/devel/RPM/BUILD/wolk-4.16/linux-2.4.20/include -Wall -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -g -Wno-unused -Os -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686 -nostdinc -iwithprefix include -DKBUILD_BASENAME=binfmt_elf -c -o binfmt_elf.o binfmt_elf.c binfmt_elf.c: In function `load_elf_binary': binfmt_elf.c:1006: warning: passing arg 2 of `__do_mmap_pgoff' makes pointer from integer without a cast binfmt_elf.c:1006: too few arguments to function `__do_mmap_pgoff' make[2]: *** [binfmt_elf.o] Error 1 make[2]: Leaving directory `/home/chagmuel/devel/RPM/BUILD/wolk-4.16/linux-2.4.20/fs' Looking at the offending code in fs/binfmt_elf.c there seems to be an inconsistancy in the call to __do_mmap_pgoff. Every other call to this function includes current->mm as the first argument except the call which caused the error: #ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC if (current->flags & PF_PAX_PAGEEXEC) load_addr_random = __do_mmap_pgoff(NULL, ELF_PAGESTART(load_bias_random + vaddr), 0UL, elf_prot, elf_flags | MAP_MIRROR, error); #endif #ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC if (current->flags & PF_PAX_SEGMEXEC) { if (elf_prot & PROT_EXEC) { load_addr_random = __do_mmap_pgoff(current->mm, NULL, ELF_PAGESTART(load_bias_random + vaddr), elf_ppnt->p_memsz + ELF_PAGEOFFSET(elf_ppnt->p_vaddr), PROT_NONE, MAP_PRIVATE | MAP_FIXED, 0UL); if (!BAD_ADDR(load_addr_random)) { load_addr_random = __do_mmap_pgoff(current->mm, NULL, ELF_PAGESTART(load_bias_random + vaddr + SEGMEXEC_TASK_SIZE), 0UL, lf_prot, elf_flags | MAP_MIRROR, error); if (!BAD_ADDR(load_addr_random)) load_addr_random -= SEGMEXEC_TASK_SIZE; } } else load_addr_random = __do_mmap_pgoff(current->mm, NULL, ELF_PAGESTART(load_bias_random + vaddr), 0UL, elf_prot, elf_flags | MAP_MIRROR, error); } #endif The prototype for __do_mmap_pgoff in include/linux/mm.h is as follows: extern unsigned long __do_mmap_pgoff(struct mm_struct *mm, struct file *file, unsigned long addr, unsigned long len, unsigned long prot, unsigned long flag, unsigned long pgoff); This leads me to believe that the proper call should be as follows: #ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC if (current->flags & PF_PAX_PAGEEXEC) load_addr_random = __do_mmap_pgoff(current->mm, NULL, ELF_PAGESTART(load_bias_random + vaddr), 0UL, elf_prot, elf_flags | MAP_MIRROR, error); ^^^^^^^^^^^ #endif I realize this is probably a Grsecurity issue, but I wanted to run it by you first, since I'm very fuzzy on the mmap/rmap issues, and I'm not really a kernel hacker! I'm also new to Grsecurity and Pax. In retrospect, I probably don't need this option (that's why the issue has never come up before?) but I need to learn more about the various options. This was a first cut following the Grsecurity 'QuickStart Guide' Let me know what you think. -- Carl |
From: Carl H. <cha...@qu...> - 2004-10-26 18:39:40
|
Hi Marc, I ran across the following issue after building a kernel with usbnet as a module: depmod: *** Unresolved symbols in /lib/modules/2.4.20-4.16.WOLKsmp/kernel/drivers/usb/usbnet.o depmod: crc32_le I did some investigation and found that indeed, usbnet requires crc32_le. I've attached a patch, derived from Alan Cox's 2.4.21 patchset, which defines crc32 as a library module and adjusts all references to crc32_le, crc32_be and bitreverse to use this new module. I went over the patch carefully, but as I'm a 'newbie kernel hacker', you might want to take a look at it yourself. Thanks for all your hard work on WOLK! -- Carl |
From: Marc-Christian P. <m....@wo...> - 2004-09-18 16:17:19
|
On Saturday 18 September 2004 17:59, Michal Purzynski wrote: > gcc version 3.4.1 20040803 (Gentoo Hardened Linux 3.4.1-r2, ssp-3.4-2, > pie-8.7.6.5) > i would patch it myself if i would knew how FASTCALL (macro ?) work. > any ideas how to fix it ? Look at: http://linux.bkbits.net:8080/linux-2.4 and search for every gcc 3.4 fix/patch which went in. Try to apply them all to WOLK too, find missing things which are not in vanilla (quite much ;), fix them too, send a patch and 2.4-WOLK will happily compile with gcc 3.4. If you don't want to do that, compile with gcc <= 3.3.4. ciao, Marc |
From: Michal P. <al...@ze...> - 2004-09-18 15:59:19
|
hey, i have runed into following problem during copmilation: gcc -D__KERNEL__ -I/root/linux-2.4.20-wolk4.16-fullkernel/include -Wall -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Wno-unused -finline-limit=2000 -O2 -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=pentium3 -fno-unit-at-a-time -DUTS_MACHINE='"i386"' -DKBUILD_BASENAME=version -c -o init/version.o init/version.c make CFLAGS="-D__KERNEL__ -I/root/linux-2.4.20-wolk4.16-fullkernel/include -Wall -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Wno-unused -finline-limit=2000 -O2 -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=pentium3 -fno-unit-at-a-time " -C kernel make[1]: Entering directory `/root/linux-2.4.20-wolk4.16-fullkernel/kernel' make all_targets make[2]: Entering directory `/root/linux-2.4.20-wolk4.16-fullkernel/kernel' gcc -D__KERNEL__ -I/root/linux-2.4.20-wolk4.16-fullkernel/include -Wall -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Wno-unused -finline-limit=2000 -O2 -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=pentium3 -fno-unit-at-a-time -nostdinc -iwithprefix include -DKBUILD_BASENAME=sched -fno-omit-frame-pointer -c -o sched.o sched.c make[2]: Leaving directory `/root/linux-2.4.20-wolk4.16-fullkernel/kernel' make[1]: Leaving directory `/root/linux-2.4.20-wolk4.16-fullkernel/kernel' sched.c:333: error: conflicting types for 'try_to_wake_up' sched.c:331: error: previous declaration of 'try_to_wake_up' was here sched.c:333: error: conflicting types for 'try_to_wake_up' sched.c:331: error: previous declaration of 'try_to_wake_up' was here sched.c:399: error: conflicting types for 'wake_up_process' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:715: error: previous declaration of 'wake_up_process' was here sched.c:399: error: conflicting types for 'wake_up_process' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:715: error: previous declaration of 'wake_up_process' was here sched.c:404: error: conflicting types for 'wake_up_process_kick' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:716: error: previous declaration of 'wake_up_process_kick' was here sched.c:404: error: conflicting types for 'wake_up_process_kick' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:716: error: previous declaration of 'wake_up_process_kick' was here sched.c:409: error: conflicting types for 'wake_up_forked_process' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:717: error: previous declaration of 'wake_up_forked_process' was here sched.c:409: error: conflicting types for 'wake_up_forked_process' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:717: error: previous declaration of 'wake_up_forked_process' was here sched.c:466: error: conflicting types for 'sched_exit' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:176: error: previous declaration of 'sched_exit' was here sched.c:466: error: conflicting types for 'sched_exit' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:176: error: previous declaration of 'sched_exit' was here sched.c:548: error: conflicting types for 'idle_cpu' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:177: error: previous declaration of 'idle_cpu' was here sched.c:548: error: conflicting types for 'idle_cpu' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:177: error: previous declaration of 'idle_cpu' was here sched.c:1154: error: conflicting types for '__wake_up' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:707: error: previous declaration of '__wake_up' was here sched.c:1154: error: conflicting types for '__wake_up' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:707: error: previous declaration of '__wake_up' was here sched.c:1166: error: conflicting types for '__wake_up_sync' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:708: error: previous declaration of '__wake_up_sync' was here sched.c:1166: error: conflicting types for '__wake_up_sync' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:708: error: previous declaration of '__wake_up_sync' was here sched.c:1181: error: conflicting types for 'complete' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/completion.h:31: error: previous declaration of 'complete' was here sched.c:1181: error: conflicting types for 'complete' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/completion.h:31: error: previous declaration of 'complete' was here sched.c:1191: error: conflicting types for 'wait_for_completion' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/completion.h:30: error: previous declaration of 'wait_for_completion' was here sched.c:1191: error: conflicting types for 'wait_for_completion' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/completion.h:30: error: previous declaration of 'wait_for_completion' was here sched.c:1226: error: conflicting types for 'interruptible_sleep_on' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:712: error: previous declaration of 'interruptible_sleep_on' was here sched.c:1226: error: conflicting types for 'interruptible_sleep_on' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:712: error: previous declaration of 'interruptible_sleep_on' was here sched.c:1237: error: conflicting types for 'interruptible_sleep_on_timeout' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:713: error: previous declaration of 'interruptible_sleep_on_timeout' was here sched.c:1237: error: conflicting types for 'interruptible_sleep_on_timeout' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:713: error: previous declaration of 'interruptible_sleep_on_timeout' was here sched.c:1250: error: conflicting types for 'sleep_on' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:709: error: previous declaration of 'sleep_on' was here sched.c:1250: error: conflicting types for 'sleep_on' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:709: error: previous declaration of 'sleep_on' was here sched.c:1261: error: conflicting types for 'sleep_on_timeout' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:710: error: previous declaration of 'sleep_on_timeout' was here sched.c:1261: error: conflicting types for 'sleep_on_timeout' /root/linux-2.4.20-wolk4.16-fullkernel/include/linux/sched.h:710: error: previous declaration of 'sleep_on_timeout' was here make[2]: *** [sched.o] Error 1 make[1]: *** [first_rule] Error 2 make: *** [_dir_kernel] Error 2 gcc version 3.4.1 20040803 (Gentoo Hardened Linux 3.4.1-r2, ssp-3.4-2, pie-8.7.6.5) i would patch it myself if i would knew how FASTCALL (macro ?) work. any ideas how to fix it ? Albeiro |
From: Stefan F. <st...@st...> - 2004-09-12 17:58:43
|
Hi Marc, * Marc-Christian Petersen <m....@wo...> wrote: > o fixed: unresolved symbol 'ipv6_skip_exthdr' in ip6_tables.o thank you _very_ much vor that one! Keep up the good work! Ciao, Stefan |
From: Marc-Christian P. <m....@wo...> - 2004-09-11 09:35:24
|
On Saturday 11 September 2004 11:25, Marc-Christian Petersen wrote: Hi all, > so, here we go, FINAL v4.16. This is the 16th maintenance update for > WOLK4.0. > o updated: grsecurity v2.0.1 as an replacement patch you have to apply > manually to use v2.0.1 instead of v1.9.15. Please use > gradm2 from ./gradm2 directory and make sure, /dev/grsec > has minor number 12 instead of 10. GRRRRR. Due to a mistake I've made, grsecurity 2.0.1 _____ IS ____ applied. Damn fsck. Because uploading takes ages, please _UNAPPLY_ the patch located in ./ADDON-patches if you do _NOT_ want grsecurity 2.0.1 but 1.9.15. Thank you. ciao, Marc |
From: Marc-Christian P. <m....@wo...> - 2004-09-11 09:26:05
|
Hi all, so, here we go, FINAL v4.16. This is the 16th maintenance update for WOLK4.0. ------------------------------------------------------------------------ I encourage _all_ 2.4-WOLK users to update to v4.16s! It fixes all known security issues up to 11th September 2004 (today). ------------------------------------------------------------------------ Changelog from v4.15s -> v4.16s ------------------------------- o added: Autonegotiation on|off|sense for sk98lin driver if compiled statically into the kernel via config o added: calculate default broadcast even when using SIOCSIGNETMASK o added: NDIS wrapper v0.9 o added: AGP: Intel i915G support o added: nForce Ethernet v0.29 o added: Broadcom BCM4400 (b44, alternate driver) v0.93 o added: Intel PRO/10GbE support v1.0.65 o added: Statistic support for LSI MegaRAID (v2.10.6) in /proc o added: /proc/sys/net/ipv4/netdebug, default on disable this if you get annoyed by things like: - hw tcp v4 csum failed - TCP: Treason uncloaked! Peer <foo> shrinks window <bar>. - udp v4 hw csum failure Bonus: Made error messages consistent! o added: 3c920n 9100 IGP support to 3c59x network driver o added: WCCP tunnels over IP (IPWCCP) o fixed: compile problems with RANDEXEC enabled o fixed: RANDEXEC works now with RMAP :p o fixed: ntpd segfaults with grsecurity o fixed: CAN-2004-0497: missing DAC check on sys_chown o fixed: CAN-2004-0587: QLA2xxx device permissions o fixed: CAN-2004-0394: potential buffer overflow in panic o fixed: CAN-2004-0415: fix an exploitable race in file offset handling which allows unpriviledged users from potentially reading kernel memory. This touches several drivers and generic proc code. o fixed: wtd semaphore race condition o fixed: ext3 direct io o fixed: removed bogus __set_current_state(TASK_RUNNING) o fixed: some compiler warnings in kernel/ksyms.c o fixed: With PREEMPT and SMP, machines rebooted immediately :( o fixed: /proc/config.gz output was fucked up on SMP o fixed: duplicated /proc/<PID>/status:TGid field o fixed: now really fix the oops output to get kallsyms feature back. o fixed: compile warnings in all QLA2xxx drivers o fixed: pcmcia shared irq on qlogicfas o fixed: repair scsi/pcmcia modules so that they can build by only including scsi_module.c for non-PCMCIA builds o fixed: some xconfig holy shit brain damage o fixed: unresolved symbol 'ipv6_skip_exthdr' in ip6_tables.o o updated: LUFS v0.9.7 o updated: XFS (up to 2.4.27-pre3) o updated: JFS (up to 2.4.28-pre3) o updated: Loop-AES v2.2b o updated: Loop Cyphers: Blowfish, twofish, serpent v2.0i o updated: CryptoAPI (up to 2.4.28-pre3) o updated: Bluetooth 2.4.20-mh18 o updated: Broadcom BCM5700 v7.3.5 o updated: Broadcom Tigon3 (tg3) v3.9 o updated: SysKonnect SK-98xx v7.07 o updated: 3ware 9xxx SATA-RAID support v2.24.00.011fw o updated: HP CISS Driver v2.4.52 o updated: Compaq SMART2 Driver v2.4.28 o updated: IBM ServeRAID v7.10.18 (New driver series) o updated: Openswan v1.0.7 o updated: CIFS v1.20c o updated: grsecurity v2.0.1 as an replacement patch you have to apply manually to use v2.0.1 instead of v1.9.15. Please use gradm2 from ./gradm2 directory and make sure, /dev/grsec has minor number 12 instead of 10. o updated: Bonding v2.6.0 + mpxor support + ifenslave v1.1.0 o updated: 802.1Q VLAN support v1.8 o updated: Ethernet Link Aggregation (veth) v0.6.5 o updated: Redundancy of Link Segment (lr) v0.8.5 o updated: NTFS v2.1.6b o updated: AutoFS v4 2.4.20-20040508 o removed: QIC-02 tape support (tpqic02): non-GPL. Mainline will follow o removed: FTP file system support (use LUFS instead) o removed: enchanced SFQ: breaks normal SFQ, HTB and whatelse o removed: ikconfig support o removed: /proc/config.gz: merged better support, this was broken! o changed: net.ipv4.tcp_default_win_scale default to 7 o changed: net.ipv4.tcp_vegas_cong_avoid default to 1 o changed: net.ipv4.tcp_moderate_rcvbuf default to 1 o changed: net.ipv4.tcp_rfc1337 default to 1 o changed: net.ipv4.ipfrag_secret_interval default to 300 o changed: net.ipv4.route.secret_interval default to 300 md5sums: -------- d74229b0cdaa84d37cb70ec5bf5e226c linux-2.4.20-wolk4.16-fullkernel.tar.bz2 c056c0dceea1e098ce366527b24e7e4c linux-2.4.20-wolk4.16-fullkernel.tar.gz df534ef29470a8adebd6a1521020c72c linux-2.4.20-wolk4.16s.patch.bz2 5c8caf47df994f13680388861d038d39 linux-2.4.20-wolk4.16s.patch.gz c4bd94089d71c40caf114ac69d419d8f linux-2.4.20-wolk4.15s-to-4.16s.patch.bz2 9fa91b097da9906fa02426183648b08d linux-2.4.20-wolk4.15s-to-4.16s.patch.gz Have fun =) -- Kind regards Marc-Christian Petersen http://sourceforge.net/projects/wolk PGP/GnuPG Key: 1024D/569DE2E3DB441A16 Fingerprint: 3469 0CF8 CA7E 0042 7824 080A 569D E2E3 DB44 1A16 Key available at http://pgp.mit.edu. Encrypted e-mail preferred |
From: Marc-Christian P. <m....@wo...> - 2004-09-05 14:44:58
|
On Sunday 05 September 2004 08:51, Carl Hagmueller wrote: Hi Carl, > Just wanted to point out two things I noticed while testing 4.16. > Compile error when CONFIG_ATM_CLIP is set: > netsyms.c:479: `clip_tbl_hook' undeclared here (not in a function) > netsyms.c:479: initializer element is not constant > netsyms.c:479: (near initialization for `__ksymtab_clip_tbl_hook.value') > make[2]: *** [netsyms.o] Error 1 > make[2]: Leaving directory oops. Fixed :) > Also a couple of configure errors (I use xconfig when I don't edit the > config file directly: > When selecting 'Processor type and features' -> > 'Local APIC support on uniprocessors' > (CONFIG_X86_UP_APIC) > > The next option, 'Do not report APIC errors on CPU' > (CONFIG_X86_UP_APIC_ERRORS) is unresponsive and is not written to the > config file. > > The same happens for 'Character devices' -> 'Direct Rendering Manager' > (CONFIG_DRM) > if you select 'Build drivers for XFree 4.3 DRM' (CONFIG_DRM_43) the options > to select the > various drivers are unresponsive: > '3dfx Banshee/Voodoo3+' (CONFIG_DRM_TDFX). > 'ATI Rage 128' (CONFIG_DRM_R128). > 'ATI Radeon' (CONFIG_DRM_RADEON). > 'Intel I810' (CONFIG_DRM_I810). > 'Intel 830M' (CONFIG_DRM_I830). > 'Matrox g200/g400' (CONFIG_DRM_MGA). welcome to the wonderful world of totally fucked up xconfig ;) ciao, Marc |
From: Carl H. <cha...@qu...> - 2004-09-05 06:51:57
|
Hi Marc, Just wanted to point out two things I noticed while testing 4.16. Compile error when CONFIG_ATM_CLIP is set: make[2]: Entering directory `/home/chagmuel/devel/RPM/BUILD/kernel-2.4.20/linux-2.4.20/net' gcc -D__KERNEL__ -I/home/chagmuel/devel/RPM/BUILD/kernel-2.4.20/linux-2.4.20/include -Wall -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Wno-unused -finline-limit=2000 -Os -fomit-frame-pointer -mpreferred-stack-boundary=2 -march=i686 -fno-optimize-sibling-calls -Wno-unused -nostdinc -iwithprefix include -DKBUILD_BASENAME=socket -c -o socket.o socket.c gcc -D__KERNEL__ -I/home/chagmuel/devel/RPM/BUILD/kernel-2.4.20/linux-2.4.20/include -Wall -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Wno-unused -finline-limit=2000 -Os -fomit-frame-pointer -mpreferred-stack-boundary=2 -march=i686 -fno-optimize-sibling-calls -Wno-unused -nostdinc -iwithprefix include -DKBUILD_BASENAME=netsyms -DEXPORT_SYMTAB -c netsyms.c netsyms.c:479: `clip_tbl_hook' undeclared here (not in a function) netsyms.c:479: initializer element is not constant netsyms.c:479: (near initialization for `__ksymtab_clip_tbl_hook.value') make[2]: *** [netsyms.o] Error 1 make[2]: Leaving directory `/home/chagmuel/devel/RPM/BUILD/kernel-2.4.20/linux-2.4.20/net' make[1]: *** [first_rule] Error 2 make[1]: Leaving directory `/home/chagmuel/devel/RPM/BUILD/kernel-2.4.20/linux-2.4.20/net' Also a couple of configure errors (I use xconfig when I don't edit the config file directly: When selecting 'Processor type and features' -> 'Local APIC support on uniprocessors' (CONFIG_X86_UP_APIC) The next option, 'Do not report APIC errors on CPU' (CONFIG_X86_UP_APIC_ERRORS) is unresponsive and is not written to the config file. The same happens for 'Character devices' -> 'Direct Rendering Manager' (CONFIG_DRM) if you select 'Build drivers for XFree 4.3 DRM' (CONFIG_DRM_43) the options to select the various drivers are unresponsive: '3dfx Banshee/Voodoo3+' (CONFIG_DRM_TDFX). 'ATI Rage 128' (CONFIG_DRM_R128). 'ATI Radeon' (CONFIG_DRM_RADEON). 'Intel I810' (CONFIG_DRM_I810). 'Intel 830M' (CONFIG_DRM_I830). 'Matrox g200/g400' (CONFIG_DRM_MGA). This is not the case if (CONFIG_DRM_41) or the default DRM 4.0 Drivers are selected where everything behaves as expected. The Distro is RedHat Enterprise Linux 3, compiler is gcc 3.2.3 Config file is attached. I hope I've provided enough info as I'll be away on vacation until the 15th, and won't be able to follow up, sorry about that. -- Carl |