| 1 |
Thanks! |
| 2 |
|
| 3 |
Worked like a charm. |
| 4 |
|
| 5 |
What is the purpose of DEBUG_RODATA?? It sounded like |
| 6 |
a good idea when I read its description. |
| 7 |
|
| 8 |
I will not pretend to have anything more than an |
| 9 |
superficial understanding of the various protected |
| 10 |
mode descriptor tables, I'm just curious. |
| 11 |
|
| 12 |
--- pageexec@××××××××.hu wrote: |
| 13 |
|
| 14 |
> On 18 Mar 2007 at 14:56, Charles Taylor wrote: |
| 15 |
> |
| 16 |
> > grsecurity and PaX are disabled and the same |
| 17 |
> .config |
| 18 |
> > that builds this disaster builds a perfectly |
| 19 |
> working |
| 20 |
> > kernel using gentoo-sources (2.6.19-gentoo-r5) on |
| 21 |
> the |
| 22 |
> > same machine. |
| 23 |
> |
| 24 |
> PaX changes certain things even without being |
| 25 |
> explicitly |
| 26 |
> enabled. among others, it makes some important data |
| 27 |
> structures |
| 28 |
> read-only. since you also enabled DEBUG_RODATA, the |
| 29 |
> kernel |
| 30 |
> will enforce it. the problem with that is that some |
| 31 |
> of these |
| 32 |
> data structures (in your case, the GDT) need to be |
| 33 |
> written |
| 34 |
> from time to time. PaX itself has special code that |
| 35 |
> allows |
| 36 |
> this when KERNEXEC is enabled (which is the feature |
| 37 |
> that |
| 38 |
> also enforces read-only data, among many other |
| 39 |
> things). of |
| 40 |
> course the special code isn't even compiled in when |
| 41 |
> KERNEXEC |
| 42 |
> is disabled, so you get an oops like this. the |
| 43 |
> proper solution |
| 44 |
> is to use KERNEXEC if you really want read-only |
| 45 |
> kernel data, |
| 46 |
> or disable DEBUG_RODATA. |
| 47 |
> |
| 48 |
> -- |
| 49 |
> gentoo-hardened@g.o mailing list |
| 50 |
> |
| 51 |
> |
| 52 |
|
| 53 |
-- |
| 54 |
gentoo-hardened@g.o mailing list |
Archives