 
Old 02-14-2012, 05:36 PM
Alex Efros
 
Default vmware broken on amd64 hardened

Hi!

I've just converted my system from x86 to amd64 (Core i7), and one of
the things which broke because of this is vmware. When I start any
guest my host immediately resets, and after booting I don't see anything
in the logs - neither in the kernel's nor in vmware's logs.

I've experimented with different kernels, and here is what I found:

- hardened-sources-3.2.2-r1 works ok on x86
- gentoo-sources-3.2.1-r2 works ok on amd64
- no hardened-sources since 2.6.39-r8 works on amd64 (I didn't try
older versions)

Disabling both GRSEC and PAX in hardened kernels doesn't solve this issue,
so this bug is probably in that part of the hardened patches which is active
even with the GRSEC and PAX config options disabled.

I can't try gentoo-sources and hardened-sources with exactly the same
vmware-modules, because of the extra patches needed for vmware-modules to make
it compatible with hardened, and these patches are incompatible with non-hardened.
So, gentoo-sources works ok with vmware-modules from main portage, while
hardened-sources works on x86 and doesn't work on amd64 with vmware-modules
patched using these 3 patches:
https://384739.bugs.gentoo.org/attachment.cgi?id=295017
https://384739.bugs.gentoo.org/attachment.cgi?id=295019
https://384739.bugs.gentoo.org/attachment.cgi?id=295021

I've also tried hardened-sources-3.2.1, both x86 and amd64 - vmware works
on x86 and doesn't work on amd64. I've tried to keep .config the same, but
there are a lot of differences anyway (I suppose they all should be
related to 32/64-bit).

So, here is the diff between -gentoo and -hardened on amd64:

--- /tmp/config-amd64-gentoo 2012-02-14 20:33:31.579285488 +0200
+++ /tmp/config-amd64-hardened 2012-02-14 20:33:40.383285603 +0200
@@ -179,6 +179,7 @@
CONFIG_X86_L1_CACHE_SHIFT=6
CONFIG_X86_XADD=y
CONFIG_X86_WP_WORKS_OK=y
+CONFIG_X86_ALIGNMENT_16=y
CONFIG_X86_INTEL_USERCOPY=y
CONFIG_X86_USE_PPRO_CHECKSUM=y
CONFIG_X86_P6_NOP=y
@@ -599,7 +600,6 @@
CONFIG_NTFS_FS=y
CONFIG_PROC_FS=y
CONFIG_PROC_SYSCTL=y
-CONFIG_PROC_PAGE_MONITOR=y
CONFIG_SYSFS=y
CONFIG_TMPFS=y
CONFIG_CONFIGFS_FS=y
@@ -647,6 +647,7 @@
CONFIG_IO_DELAY_TYPE_NONE=3
CONFIG_IO_DELAY_0X80=y
CONFIG_DEFAULT_IO_DELAY_TYPE=0
+CONFIG_TASK_SIZE_MAX_SHIFT=47
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_DEFAULT_SECURITY_DAC=y
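Review bot: across the three hunks of this -gentoo/-hardened diff no context line is a "# CONFIG_... is not set" entry and no CONFIG_PAX_* or CONFIG_GRKERNSEC_* symbol appears, so both input files look filtered down to enabled options. Say how the two files were produced, or diff the unfiltered .config files, so readers can confirm that CONFIG_X86_ALIGNMENT_16, CONFIG_PROC_PAGE_MONITOR and CONFIG_TASK_SIZE_MAX_SHIFT really are the only differences between the working and the failing amd64 kernel.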

And here is the diff between -hardened x86 and -hardened amd64:

--- /tmp/config-x86 2012-02-14 20:31:08.183283609 +0200
+++ /tmp/config-amd64 2012-02-14 20:30:53.192283412 +0200
@@ -1,26 +1,31 @@
-CONFIG_X86_32=y
+CONFIG_64BIT=y
+CONFIG_X86_64=y
CONFIG_X86=y
CONFIG_INSTRUCTION_DECODER=y
-CONFIG_OUTPUT_FORMAT="elf32-i386"
-CONFIG_ARCH_DEFCONFIG="arch/x86/configs/i386_defconfig"
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
CONFIG_GENERIC_CMOS_UPDATE=y
CONFIG_CLOCKSOURCE_WATCHDOG=y
CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
CONFIG_LOCKDEP_SUPPORT=y
CONFIG_STACKTRACE_SUPPORT=y
CONFIG_HAVE_LATENCYTOP_SUPPORT=y
CONFIG_MMU=y
CONFIG_ZONE_DMA=y
+CONFIG_NEED_DMA_MAP_STATE=y
CONFIG_NEED_SG_DMA_LENGTH=y
CONFIG_GENERIC_ISA_DMA=y
CONFIG_GENERIC_IOMAP=y
CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
CONFIG_GENERIC_HWEIGHT=y
CONFIG_ARCH_MAY_HAVE_PC_FDC=y
CONFIG_RWSEM_XCHGADD_ALGORITHM=y
CONFIG_ARCH_HAS_CPU_IDLE_WAIT=y
CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
CONFIG_ARCH_HAS_CPU_RELAX=y
CONFIG_ARCH_HAS_DEFAULT_IDLE=y
CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
@@ -29,13 +34,14 @@
CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
CONFIG_ARCH_HIBERNATION_POSSIBLE=y
CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ZONE_DMA32=y
CONFIG_ARCH_POPULATES_NODE_MAP=y
+CONFIG_AUDIT_ARCH=y
CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
-CONFIG_X86_32_SMP=y
+CONFIG_X86_64_SMP=y
CONFIG_X86_HT=y
-CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-ecx -fcall-saved-edx"
-CONFIG_KTIME_SCALAR=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
CONFIG_HAVE_IRQ_WORK=y
CONFIG_IRQ_WORK=y
@@ -131,7 +137,6 @@
CONFIG_HAVE_PERF_EVENTS_NMI=y
CONFIG_HAVE_ARCH_JUMP_LABEL=y
CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
-CONFIG_HAVE_GENERIC_DMA_COHERENT=y
CONFIG_SLABINFO=y
CONFIG_RT_MUTEXES=y
CONFIG_BASE_SMALL=0
@@ -140,9 +145,9 @@
CONFIG_MODULE_FORCE_UNLOAD=y
CONFIG_STOP_MACHINE=y
CONFIG_BLOCK=y
-CONFIG_LBDAF=y
CONFIG_BLK_DEV_BSG=y
CONFIG_BLK_DEV_THROTTLING=y
+CONFIG_BLOCK_COMPAT=y
CONFIG_IOSCHED_NOOP=y
CONFIG_IOSCHED_DEADLINE=y
CONFIG_IOSCHED_CFQ=y
@@ -174,26 +179,24 @@
CONFIG_X86_L1_CACHE_SHIFT=6
CONFIG_X86_XADD=y
CONFIG_X86_WP_WORKS_OK=y
-CONFIG_X86_INVLPG=y
-CONFIG_X86_BSWAP=y
-CONFIG_X86_POPAD_OK=y
CONFIG_X86_ALIGNMENT_16=y
CONFIG_X86_INTEL_USERCOPY=y
CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
CONFIG_X86_TSC=y
CONFIG_X86_CMPXCHG64=y
CONFIG_X86_CMOV=y
-CONFIG_X86_MINIMUM_CPU_FAMILY=5
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
CONFIG_X86_DEBUGCTLMSR=y
CONFIG_CPU_SUP_INTEL=y
-CONFIG_CPU_SUP_CYRIX_32=y
CONFIG_CPU_SUP_AMD=y
CONFIG_CPU_SUP_CENTAUR=y
-CONFIG_CPU_SUP_TRANSMETA_32=y
-CONFIG_CPU_SUP_UMC_32=y
CONFIG_HPET_TIMER=y
CONFIG_HPET_EMULATE_RTC=y
CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
CONFIG_NR_CPUS=8
CONFIG_SCHED_MC=y
CONFIG_PREEMPT_VOLUNTARY=y
@@ -201,27 +204,25 @@
CONFIG_X86_IO_APIC=y
CONFIG_X86_MCE=y
CONFIG_X86_MCE_INTEL=y
-CONFIG_X86_MCE_AMD=y
CONFIG_X86_MCE_THRESHOLD=y
CONFIG_X86_THERMAL_VECTOR=y
-CONFIG_VM86=y
CONFIG_X86_MSR=y
CONFIG_X86_CPUID=y
-CONFIG_HIGHMEM64G=y
-CONFIG_PAGE_OFFSET=0xC0000000
-CONFIG_HIGHMEM=y
-CONFIG_X86_PAE=y
CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
CONFIG_ARCH_DMA_ADDR_T_64BIT=y
-CONFIG_ARCH_FLATMEM_ENABLE=y
+CONFIG_DIRECT_GBPAGES=y
CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
CONFIG_ARCH_SELECT_MEMORY_MODEL=y
-CONFIG_ILLEGAL_POINTER_VALUE=0
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
CONFIG_SELECT_MEMORY_MODEL=y
-CONFIG_FLATMEM_MANUAL=y
-CONFIG_FLATMEM=y
-CONFIG_FLAT_NODE_MEM_MAP=y
-CONFIG_SPARSEMEM_STATIC=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
CONFIG_HAVE_MEMBLOCK=y
CONFIG_PAGEFLAGS_EXTENDED=y
CONFIG_SPLIT_PTLOCK_CPUS=4
@@ -247,7 +248,7 @@
CONFIG_HZ=1000
CONFIG_SCHED_HRTICK=y
CONFIG_PHYSICAL_START=0x1000000
-CONFIG_PHYSICAL_ALIGN=0x400000
+CONFIG_PHYSICAL_ALIGN=0x1000000
CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
CONFIG_PM_RUNTIME=y
CONFIG_PM=y
@@ -266,8 +267,6 @@
CONFIG_CPU_IDLE_GOV_LADDER=y
CONFIG_INTEL_IDLE=y
CONFIG_PCI=y
-CONFIG_PCI_GOANY=y
-CONFIG_PCI_BIOS=y
CONFIG_PCI_DIRECT=y
CONFIG_PCI_MMCONFIG=y
CONFIG_PCI_DOMAINS=y
@@ -282,8 +281,12 @@
CONFIG_ISA_DMA_API=y
CONFIG_AMD_NB=y
CONFIG_BINFMT_ELF=y
-CONFIG_HAVE_AOUT=y
-CONFIG_HAVE_ATOMIC_IOMAP=y
+CONFIG_COMPAT_BINFMT_ELF=y
+CONFIG_IA32_EMULATION=y
+CONFIG_IA32_AOUT=y
+CONFIG_COMPAT=y
+CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
+CONFIG_SYSVIPC_COMPAT=y
CONFIG_HAVE_TEXT_POKE_SMP=y
CONFIG_NET=y
CONFIG_PACKET=y
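Review bot: "+CONFIG_IA32_AOUT=y" in this hunk enables a.out support on the amd64 side, where the x86 config only carried CONFIG_HAVE_AOUT=y. Unless something on this machine still needs a.out binaries, leave the option unset at the next rebuild so the extra binary loader is not part of the kernel being debugged.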
@@ -351,6 +354,7 @@
CONFIG_RPS=y
CONFIG_RFS_ACCEL=y
CONFIG_XPS=y
+CONFIG_HAVE_BPF_JIT=y
CONFIG_FIB_RULES=y
CONFIG_NET_9P=y
CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
@@ -547,7 +551,6 @@
CONFIG_USB_STORAGE=y
CONFIG_USB_UAS=y
CONFIG_EDAC=y
-CONFIG_EDAC_DECODE_MCE=y
CONFIG_EDAC_MM_EDAC=y
CONFIG_RTC_LIB=y
CONFIG_RTC_CLASS=y
@@ -559,7 +562,6 @@
CONFIG_RTC_INTF_DEV_UIE_EMUL=y
CONFIG_RTC_DRV_CMOS=y
CONFIG_DMADEVICES=y
-CONFIG_CLKSRC_I8253=y
CONFIG_CLKEVT_I8253=y
CONFIG_I8253_LOCK=y
CONFIG_CLKBLD_I8253=y
@@ -638,7 +640,6 @@
CONFIG_STRICT_DEVMEM=y
CONFIG_X86_VERBOSE_BOOTUP=y
CONFIG_EARLY_PRINTK=y
-CONFIG_DOUBLEFAULT=y
CONFIG_HAVE_MMIOTRACE_SUPPORT=y
CONFIG_IO_DELAY_TYPE_0X80=0
CONFIG_IO_DELAY_TYPE_0XED=1
@@ -646,7 +647,7 @@
CONFIG_IO_DELAY_TYPE_NONE=3
CONFIG_IO_DELAY_0X80=y
CONFIG_DEFAULT_IO_DELAY_TYPE=0
-CONFIG_PAX_ENABLE_PAE=y
+CONFIG_TASK_SIZE_MAX_SHIFT=47
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_DEFAULT_SECURITY_DAC=y
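Review bot: "-CONFIG_PAX_ENABLE_PAE=y" shows the x86 config still carries a PAX symbol while the amd64 side of this hunk has none, so it is not clear whether the two configs were taken with PaX/GRSEC enabled or disabled. State that next to the diff, because the working x86 result and the failing amd64 result are only comparable when the hardening options match.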
@@ -687,7 +688,6 @@
CONFIG_CRC_ITU_T=y
CONFIG_CRC32=y
CONFIG_LIBCRC32C=y
-CONFIG_AUDIT_GENERIC=y
CONFIG_ZLIB_INFLATE=y
CONFIG_ZLIB_DEFLATE=y
CONFIG_HAS_IOMEM=y


Maybe this is the same bug as https://bugs.gentoo.org/show_bug.cgi?id=382793

--
WBR, Alex.
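
The three-way comparison the post above does by hand (failing hardened amd64 against working gentoo amd64 and working hardened x86), as an added example that is not part of the original post: it keeps only the options where the failing config differs from every working one. The config excerpts are constructed from symbols shown in the two diffs, and the function names are this example's own.

```python
import re

SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Return {symbol: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SET_RE.match(line)):
            opts[m.group(1)] = m.group(2)
        elif (m := UNSET_RE.match(line)):
            opts[m.group(1)] = "n"
    return opts

def differing(a, b):
    """Symbols whose effective value differs (a missing symbol counts as 'n')."""
    return {s for s in a.keys() | b.keys() if a.get(s, "n") != b.get(s, "n")}

def unique_to_failing(failing, working):
    """Options where the failing config differs from every working config."""
    suspects = set(failing) | {s for w in working for s in w}
    for w in working:
        suspects &= differing(failing, w)
    return {s: failing.get(s, "n") for s in sorted(suspects)}

# Constructed excerpts, built only from symbols that appear in the diffs above.
GENTOO_AMD64 = """\
CONFIG_X86_64=y
CONFIG_PROC_PAGE_MONITOR=y
CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
CONFIG_IA32_AOUT=y
"""

HARDENED_AMD64 = """\
CONFIG_X86_64=y
CONFIG_X86_ALIGNMENT_16=y
# CONFIG_PROC_PAGE_MONITOR is not set
CONFIG_TASK_SIZE_MAX_SHIFT=47
CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
CONFIG_IA32_AOUT=y
"""

HARDENED_X86 = """\
CONFIG_X86_32=y
CONFIG_X86_ALIGNMENT_16=y
# CONFIG_PROC_PAGE_MONITOR is not set
CONFIG_PAX_ENABLE_PAE=y
CONFIG_ILLEGAL_POINTER_VALUE=0
"""

if __name__ == "__main__":
    failing = parse_config(HARDENED_AMD64)
    working = [parse_config(GENTOO_AMD64), parse_config(HARDENED_X86)]
    for sym, val in unique_to_failing(failing, working).items():
        print(f"{sym}={val}")
```

A symbol that survives this filter is a lead to check, not a diagnosis: code that the hardened patch changes unconditionally has no config symbol and will not show up here.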
 
Old 02-14-2012, 06:30 PM
Alex Efros
 
Default vmware broken on amd64 hardened

Hi!

I've just tried virtualbox-bin-4.1.8 on 3.2.2-hardened-r1 (with GRSEC
and PAX enabled) - it doesn't reset the host, but it refused to run as
non-root, and even as root it didn't work anyway: when I try to start a
newly created guest it says 'some error happens, see logs' and does nothing.
And its logs are huge and I can't find the actual error message.

Does anyone have a working vmware/virtualbox on hardened amd64?

--
WBR, Alex.
 
Old 02-15-2012, 11:18 AM
 
Default vmware broken on amd64 hardened

On 14 Feb 2012 at 20:36, Alex Efros wrote:

> I've just converted my system from x86 to amd64 (Core i7), and one of
> things which become broken because of this is vmware. When I start any
> guest my host immediately reset, and after booting I didn't see anything
> in logs - neither in kernel nor in vmware's logs.

it's likely the same problem as bug 382793.

> I can't try gentoo-sources and hardened-sources with exactly same
> vmware-modules, because of extra patches needed for vmware-modules to make
> it compatible with hardened, and these patches incompatible with non-hardened.

what error do you get with the patched vmware modules under non-hardened?
they simply move some structure initialization around, that should not be
affected by the toolchain.

> +CONFIG_IA32_AOUT=y

btw, i don't think you need/want a.out support anywhere these days
 
Old 02-15-2012, 06:23 PM
Alex Efros
 
Default vmware broken on amd64 hardened

Hi!

On Wed, Feb 15, 2012 at 02:18:59PM +0200, pageexec@freemail.hu wrote:
> > I can't try gentoo-sources and hardened-sources with exactly same
> > vmware-modules, because of extra patches needed for vmware-modules to make
> > it compatible with hardened, and these patches incompatible with non-hardened.
> what error do you get with the patched vmware modules under non-hardened?
> they simply move some structure initialization around, that should not be
> affected by the toolchain.

Actually there is no error anymore. I've replaced my previous
3.2.0-compatibility patch with a similar patch from main portage, and now
vmware-modules with these 3 hardened-compatibility patches compiled
without errors both for the hardened kernel and for 3.2.1-gentoo-r2.

So, I've just tested hardened vs non-hardened kernels using exactly the same
vmware-modules. The result is the same: on the hardened kernel vmware resets
the host, on the gentoo kernel vmware works ok.

If you have any ideas how to debug/fix this issue - I'm ready to test
anything you need. VMware is a critical tool for my work, so without it
chances are I'll have to convert my system back to x86.

> > +CONFIG_IA32_AOUT=y
> btw, i don't think you need/want a.out support anywhere these days

Who knows. It shouldn't do any harm, anyway. I can remember about two
cases in the last ~2-3 years when I did something with a.out. I don't remember
the details, and those were surely very strange tasks, but it happens.

--
WBR, Alex.
 
Old 02-16-2012, 04:31 PM
"Anthony G. Basile"
 
Default vmware broken on amd64 hardened

On 02/14/2012 02:30 PM, Alex Efros wrote:

> Hi!
>
> I've just tried virtualbox-bin-4.1.8 on 3.2.2-hardened-r1 (with enabled
> GRSEC and PAX) - it doesn't reset host, but refused to run as non-root,
> and even as root it didn't work anyway: when I try to start new just
> created guest it says 'some error happens, see logs' and do nothing. And
> it logs are huge and I can't find actual error message.
>
> Is anyone have working vmware/virtualbox on hardened amd64?


Please open a bug

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535


 
Old 02-24-2012, 12:41 PM
"PaX Team"
 
Default vmware broken on amd64 hardened

On 15 Feb 2012 at 21:23, Alex Efros wrote:

> So, I've just tested hardened vs non-hardened kernels using exactly same
> vmware-modules. Result is same: on hardened kernel vmware reset host,
> on gentoo kernel vmware works ok.
>
> If you've any ideas how to debug/fix this issue - I'm ready to test
> anything you need. VMware is critical tool for my work, so without it
> chances are I'll have to convert my system back to x86.

well, as i suggested it in bugzilla, i'd need to capture information about
the crash (probably triple fault), and the best approach would be some nested
virtualization setup. i have no idea how to do it easily (one way would be to
use bochs to run vmware if its vmx emulation is good enough but i guess the
resulting speed would be unbearable).

another (but still time consuming) approach would be to do a binary search on
vmmon by stopping it at various points as it is about to launch a virtual machine,
that would eventually narrow down the failing code too.

> > > +CONFIG_IA32_AOUT=y
> > btw, i don't think you need/want a.out support anywhere these days
>
> Who knows. It shouldn't make any harm, anyway. I can remember about two
> cases in last ~2-3 years when I did something with a.out. Don't remember
> details, and that was surely very strange tasks, but it happens.

that's weird, i don't think the toolchain can even produce anything but
ELF for some time now. as for harm, the a.out loader has had its share
of security vulnerabilities and has usually been disabled by security
conscious distros such as Owl for many years now. but it's your risk&call.
 
Old 02-24-2012, 10:47 PM
Alex Efros
 
Default vmware broken on amd64 hardened

Hi!

On Fri, Feb 24, 2012 at 03:41:27PM +0200, PaX Team wrote:
> well, as i suggested it in bugzilla, i'd need to capture information about
> the crash (probably triple fault), and the best approach would be some nested
> virtualization setup. i have no idea how to do it easily (one way would be to
> use bochs to run vmware if its vmx emulation is good enough but i guess the
> resulting speed would be unbearable).

That sounds too complex and slow.

> another (but still time consuming) approach would be to do a binary search on
> vmmon by stopping it at various points as it is about to launch a virtual machine,
> that would eventually narrow down the failing code too.

I probably can do this if you give me an example of how this should be
done - i.e. an example of a code snippet to insert into the vmmon source to
stop at various points, and the start/end lines in the code or the involved
function names where to place that snippet.

BTW, I think it probably makes more sense to do a binary search from the other
side - remove parts of the hardened changes in the kernel. We already know it's
not related to code disabled when PAX and GRSEC are completely disabled in
the kernel config, so probably there are not so many hardened changes left
which are still active and may affect virtualization.

--
WBR, Alex.
 
