On 18 Mar 2007 at 14:56, Charles Taylor wrote:

> grsecurity and PaX are disabled and the same .config
> that builds this disaster builds a perfectly working
> kernel using gentoo-sources (2.6.19-gentoo-r5) on the
> same machine.

PaX changes certain things even without being explicitly
enabled. among others, it makes some important data structures
read-only. since you also enabled DEBUG_RODATA, the kernel
will enforce it. the problem with that is that some of these
data structures (in your case, the GDT) need to be written
from time to time. PaX itself has special code that allows
this when KERNEXEC is enabled (which is the feature that
also enforces read-only data, among many other things). of
course the special code isn't even compiled in when KERNEXEC
is disabled, so you get an oops like this. the proper solution
is to use KERNEXEC if you really want read-only kernel data,
or disable DEBUG_RODATA.

--
gentoo-hardened@g.o mailing list
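
The configuration conflict described in the message above can be checked before building. This is an added example, not part of the original post: the function names are hypothetical, and it assumes a PaX-patched tree whose Kconfig symbols are CONFIG_DEBUG_RODATA and CONFIG_PAX_KERNEXEC.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes a PaX-patched tree
# and the Kconfig symbols CONFIG_DEBUG_RODATA and CONFIG_PAX_KERNEXEC.

# Print the value of a symbol in a .config file; "n" when unset or absent.
kconfig_value() {   # $1 = .config path, $2 = symbol without CONFIG_ prefix
    val=$(sed -n "s/^CONFIG_$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# Returns 0 when consistent, 1 on the conflicting combination, 2 if unreadable.
check_rodata_kernexec() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    rodata=$(kconfig_value "$1" DEBUG_RODATA)
    kernexec=$(kconfig_value "$1" PAX_KERNEXEC)
    if [ "$rodata" = y ] && [ "$kernexec" != y ]; then
        echo "$1: DEBUG_RODATA=y but PAX_KERNEXEC=$kernexec:" \
             "enable KERNEXEC or disable DEBUG_RODATA"
        return 1
    fi
    echo "$1: ok (DEBUG_RODATA=$rodata, PAX_KERNEXEC=$kernexec)"
}

# Constructed sample configs (not taken from the thread).
write_samples() {   # $1 = directory to write into
    cat > "$1/conflict.config" <<'EOF'
CONFIG_DEBUG_RODATA=y
# CONFIG_PAX is not set
# CONFIG_PAX_KERNEXEC is not set
EOF
    cat > "$1/kernexec.config" <<'EOF'
CONFIG_DEBUG_RODATA=y
CONFIG_PAX=y
CONFIG_PAX_KERNEXEC=y
EOF
    cat > "$1/plain.config" <<'EOF'
# CONFIG_DEBUG_RODATA is not set
# CONFIG_PAX_KERNEXEC is not set
EOF
}

if [ "$#" -gt 0 ]; then
    check_rodata_kernexec "$1"      # check a real .config given as argument
else
    dir=$(mktemp -d) && write_samples "$dir"
    for f in conflict kernexec plain; do
        check_rodata_kernexec "$dir/$f.config" || true
    done
    rm -rf "$dir"
fi
```

Only the first sample is reported as a conflict: it has DEBUG_RODATA=y with PaX left disabled, the combination the reply describes.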