On 18.05.2012 09:18, Matthew Thode wrote:
> On 05/17/2012 01:42 PM, RB wrote:
>> On Thu, May 17, 2012 at 6:04 AM, Anthony G. Basile
>> <basile@××××××××××××××.edu> wrote:
>>> Please open a bug, attach both config files. It would be
>>> useful if you also identify on which options it breaks.
>>> Liberte, last I looked, has quite a few hardening features off.
>>> Pay attention to GRKERNSEC_IO, PAX_PAGEEXEC, PAX_KERNEXEC,
>>> PAX_MEMORY_UDEREF.
>>
>> It took less time to work it out than I expected; a bit of a
>> binary search through the grsecurity/PaX options I had enabled
>> pretty clearly indicates the culprit is PAX_MEMORY_UDEREF.
>> Using both xf86-video-intel-2.17.0-r3 and 2.19.0 and
>> xorg-server-1.11.3 and 1.12.1, there's a bug introduced between
>> hardened-sources-3.2.2-r1 and >=3.2.11 that by enabling
>> PAX_MEMORY_UDEREF the i915/i965 kernel module gets a "BUG: unable
>> to handle kernel NULL pointer dereference" in
>> i915_gem_execbuffer_reserve when starting X.
>>
>> I'll submit a bug shortly.
>>
> must be why I never hit it (I enable kernexec but leave uderef
> disabled for virt).
>

For me X works fine with UDEREF enabled. I'm using xorg-server-1.12.1
and xf86-video-intel-2.19.0. (2 laptops, 1 core2 duo, 1 first
generation i5, if that has got something to do with it)

WKR
Hinnerk

PS: Issuing grep -i pax on my .config I get:

# PaX
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX=y
# PaX Control
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_SIZE_OVERFLOW is not set
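
Added example, not part of the original message or of any project's tooling: one way to compare the PaX/grsecurity options of a working and a failing kernel .config, so that only the differing options need to be bisected as described in the thread above. The function names and both sample config fragments are constructed for illustration.

```shell
#!/bin/sh
# normalize_cfg FILE: print OPTION=value for each PaX/grsecurity option,
# mapping "# CONFIG_X is not set" to CONFIG_X=n so both forms compare.
normalize_cfg() {
    awk '
        /^# CONFIG_(PAX|GRKERNSEC)[A-Za-z0-9_]* is not set$/ { print $2 "=n"; next }
        /^CONFIG_(PAX|GRKERNSEC)[A-Za-z0-9_]*=/ { print }
    ' "$1" | sort
}

# diff_pax_options WORKING BROKEN: print every option whose value differs,
# including options present in only one file ("absent" in the other).
diff_pax_options() {
    { normalize_cfg "$1" | sed 's/^/W /'
      normalize_cfg "$2" | sed 's/^/B /'; } |
    awk '
        {
            side = substr($0, 1, 1); kv = substr($0, 3); eq = index(kv, "=")
            k = substr(kv, 1, eq - 1); v = substr(kv, eq + 1); seen[k] = 1
            if (side == "W") w[k] = v; else b[k] = v
        }
        END {
            for (k in seen) {
                wv = (k in w) ? w[k] : "absent"
                bv = (k in b) ? b[k] : "absent"
                if (wv != bv) print k, "working=" wv, "broken=" bv
            }
        }' | sort
}

# Demo on two constructed fragments (not anyone's real .config).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/working.config" <<'EOF'
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_PER_CPU_PGD=y
# CONFIG_PAX_SIZE_OVERFLOW is not set
CONFIG_DRM_I915=m
EOF
    cat > "$dir/broken.config" <<'EOF'
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_SIZE_OVERFLOW=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_DRM_I915=m
EOF
    diff_pax_options "$dir/working.config" "$dir/broken.config"
    rm -rf "$dir"
}
demo
```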