| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 18.05.2012 09:18, Matthew Thode wrote: |
| 5 |
> On 05/17/2012 01:42 PM, RB wrote: |
| 6 |
>> On Thu, May 17, 2012 at 6:04 AM, Anthony G. Basile |
| 7 |
>> <basile@××××××××××××××.edu> wrote: |
| 8 |
>>> Please open a bug, attach both config files. It would be |
| 9 |
>>> useful if you also identify on which options it breaks. |
| 10 |
>>> Liberte, last I looked, has quite a few hardening features off. |
| 11 |
>>> Pay attention to GRKERNSEC_IO, PAX_PAGEEXEC, PAX_KERNEXEC, |
| 12 |
>>> PAX_MEMORY_UDEREF. |
| 13 |
>> |
| 14 |
>> It took less time to work it out than I expected; a bit of a |
| 15 |
>> binary search through the grsecurity/PaX options I had enabled |
| 16 |
>> pretty clearly indicates the culprint is PAX_MEMORY_UDEREF. |
| 17 |
>> Using both xf86-video-intel-2.17.0-r3 and 2.19.0 and |
| 18 |
>> xorg-server-1.11.3 and 1.12.1, there's a bug introduced between |
| 19 |
>> hardened-sources-3.2.2-r1 and |
| 20 |
>>> =3.2.11 that by enabling PAX_MEMORY_UDEREF the i915/i965 |
| 21 |
>>> kernel |
| 22 |
>> module gets a "BUG: unable to handle kernel NULL pointer |
| 23 |
>> dereference" in i915_gem_execbuffer_reserve when starting X. |
| 24 |
>> |
| 25 |
>> I'll submit a bug shortly. |
| 26 |
>> |
| 27 |
> must be why I never hit it (I enable kernexec but leave uderef |
| 28 |
> disabled for virt). |
| 29 |
> |
| 30 |
|
| 31 |
For me X works fine with UDEREF enabled. I'm using xorg-server-1.12.1 |
| 32 |
and xf86-video-intel-2.19.0. (2 laptops, 1 core2 duo, 1 first |
| 33 |
generation i5, if that has got something to do with it) |
| 34 |
|
| 35 |
WKR |
| 36 |
Hinnerk |
| 37 |
|
| 38 |
|
| 39 |
PS: Issuing grep -i pax on my .config I get: |
| 40 |
|
| 41 |
# PaX |
| 42 |
CONFIG_PAX_KERNEXEC_PLUGIN=y |
| 43 |
CONFIG_PAX_PER_CPU_PGD=y |
| 44 |
CONFIG_PAX=y |
| 45 |
# PaX Control |
| 46 |
# CONFIG_PAX_SOFTMODE is not set |
| 47 |
CONFIG_PAX_EI_PAX=y |
| 48 |
CONFIG_PAX_PT_PAX_FLAGS=y |
| 49 |
CONFIG_PAX_XATTR_PAX_FLAGS=y |
| 50 |
# CONFIG_PAX_NO_ACL_FLAGS is not set |
| 51 |
CONFIG_PAX_HAVE_ACL_FLAGS=y |
| 52 |
# CONFIG_PAX_HOOK_ACL_FLAGS is not set |
| 53 |
CONFIG_PAX_NOEXEC=y |
| 54 |
CONFIG_PAX_PAGEEXEC=y |
| 55 |
# CONFIG_PAX_EMUTRAMP is not set |
| 56 |
CONFIG_PAX_MPROTECT=y |
| 57 |
# CONFIG_PAX_MPROTECT_COMPAT is not set |
| 58 |
# CONFIG_PAX_ELFRELOCS is not set |
| 59 |
CONFIG_PAX_KERNEXEC=y |
| 60 |
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y |
| 61 |
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts" |
| 62 |
CONFIG_PAX_ASLR=y |
| 63 |
CONFIG_PAX_RANDKSTACK=y |
| 64 |
CONFIG_PAX_RANDUSTACK=y |
| 65 |
CONFIG_PAX_RANDMMAP=y |
| 66 |
CONFIG_PAX_MEMORY_STACKLEAK=y |
| 67 |
CONFIG_PAX_MEMORY_UDEREF=y |
| 68 |
CONFIG_PAX_REFCOUNT=y |
| 69 |
CONFIG_PAX_USERCOPY=y |
| 70 |
# CONFIG_PAX_SIZE_OVERFLOW is not set |
| 71 |
|
| 72 |
|
| 73 |
|
| 74 |
|
| 75 |
-----BEGIN PGP SIGNATURE----- |
| 76 |
Version: GnuPG v2.0.19 (GNU/Linux) |
| 77 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 78 |
|
| 79 |
iQEcBAEBAgAGBQJPtgQaAAoJEJwwOFaNFkYcQ6sH/0JevLNBb1GJWoOvmwzFl8Vw |
| 80 |
TCOkwOj7b3iHLXANHt3D3JzPAyLFoSs6kj9MTSHF8IsDfYv8A51f5glFw8nnfjVh |
| 81 |
+JmD19S0PLSI4u2P6jZbze7/ugI2E8QUUpHE+BVD0VQ1l5sSZ0Ydul5+9sOoH6WY |
| 82 |
XMzAHCxiXGmahtANM2I5pdCv1ZVCFCDqm5n6Z9hiijC58WeYPRDQgUgXRaWKm34q |
| 83 |
4JZrfShPxOnMO4W0ceCSVCF4E1oECPzD7lwNiu+jmdWCb3uGgVkO3l15I4RM+w3T |
| 84 |
TnH9iqV9t/6vAG0bv6K70H6jDCI5aKhPKxXiI/dXUxA2c1eAzckfp4qJxhVydzk= |
| 85 |
=Ez18 |
| 86 |
-----END PGP SIGNATURE----- |
Archives