| 1 |
On 18 Mar 2007 at 14:56, Charles Taylor wrote: |
| 2 |
|
| 3 |
> grsecurity and PaX are disabled and the same .config |
| 4 |
> that builds this disaster builds a perfectly working |
| 5 |
> kernel using gentoo-sources (2.6.19-gentoo-r5) on the |
| 6 |
> same machine. |
| 7 |
|
| 8 |
PaX changes certain things even without being explicitly |
| 9 |
enabled. among others, it makes some important data structures |
| 10 |
read-only. since you also enabled DEBUG_RODATA, the kernel |
| 11 |
will enforce it. the problem with that is that some of these |
| 12 |
data structures (in your case, the GDT) need to be written |
| 13 |
from time to time. PaX itself has special code that allows |
| 14 |
this when KERNEXEC is enabled (which is the feature that |
| 15 |
also enforces read-only data, among many other things). of |
| 16 |
course the special code isn't even compiled in when KERNEXEC |
| 17 |
is disabled, so you get an oops like this. the proper solution |
| 18 |
is to use KERNEXEC if you really want read-only kernel data, |
| 19 |
or disable DEBUG_RODATA. |
| 20 |
|
| 21 |
-- |
| 22 |
gentoo-hardened@g.o mailing list |
Archives