| 1 |
On 19 Sep 2015 at 20:24, Alex Efros wrote: |
| 2 |
|
| 3 |
> On Sat, Sep 19, 2015 at 05:50:20PM +0200, PaX Team wrote: |
| 4 |
> > so there're two things left to do: |
| 5 |
> > 1. enable ELFRELOCS in your kernel config (and keep MPROTECT enforced |
| 6 |
> > on all binaries) |
| 7 |
> |
| 8 |
> Done. This works. I don't really like it, but let it be, at least for now. |
| 9 |
|
| 10 |
well, disabling MPROTECT is much worse, this way you can at least |
| 11 |
control which binaries can map libaries with textrels. |
| 12 |
|
| 13 |
> At a glance only difference is few messages in kernel log: |
| 14 |
> |
| 15 |
> grsec: denied text relocation in /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0, |
| 16 |
|
| 17 |
did you see only a single log per executable or two? i'm asking it |
| 18 |
because this method of runtime codegen would produce two messages |
| 19 |
(and the grsec log message is actually wrong as it's not a denial |
| 20 |
but rather the opposite, spender will fix it in the next patch ;). |
| 21 |
|
| 22 |
> RWX mprotect of /usr/lib64/opengl/nvidia/lib/libGL.so.355.11 by /opt/bin/nvidia-settings |
| 23 |
|
| 24 |
this is probably another attempt at runtime codegen by the using |
| 25 |
mmap/mprotect, if this didn't cause app failure then it means that |
| 26 |
their libGL has some fallback path to cope with this. |
| 27 |
|
| 28 |
> > 2. perhaps ask nvidia if this textrel marking is intentional |
| 29 |
> |
| 30 |
> Can you do this, please? I'm afraid such a question sent to their L1 |
| 31 |
> support using default form on website by someone who don't really |
| 32 |
> understand what he is talking about have too small chance to get |
| 33 |
> meaningful answer from competent person. |
| 34 |
|
| 35 |
unfortunately we have no direct contact to nvidia guys (anyone with |
| 36 |
access there feel free to speak up ;) so i can't do more than what |
| 37 |
you described above. in any case, this is not critical information, |
| 38 |
would just satisfy my own curiosity ;). |
| 39 |
|
| 40 |
> As for /proc/pid/maps - I'm not sure what I should check there. |
| 41 |
> Here is /proc/$(pidof xxkb)/maps: |
| 42 |
> |
| 43 |
> 00000000-00000000 r-xp 00000000 08:05 1461946 /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0 |
| 44 |
> 00000000-00000000 ---p 00000000 08:05 1461946 /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0 |
| 45 |
> 00000000-00000000 rw-p 00000000 08:05 1461946 /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0 |
| 46 |
|
| 47 |
the above shows that the r-x segment isn't split up which suggests |
| 48 |
that the whole textrel dance was done properly but then you should |
| 49 |
have seen two logs per executable... |
Archives