CONFIG_TASK_SIZE_MAX_SHIFT does not get defined unless grsecurity is selected.

Reproducible: Always
Confirmed on the latest 3.4.4 grsec patches. Here's the death cry!

yellow linux-3.4.4-hardened-r2 # make V=1
make -f scripts/Makefile.build obj=tools/gcc
(cat /dev/null; ) > tools/gcc/modules.order
make -f scripts/Makefile.build obj=arch/x86/syscalls all
make[1]: Nothing to be done for `all'.
make -f scripts/Makefile.build obj=arch/x86/tools relocs
make[1]: Nothing to be done for `relocs'.
rm -f include/config/kernel.release
echo "3.4.4-hardened-r2$(/bin/sh /usr/src/linux-3.4.4-hardened-r2/scripts/setlocalversion /usr/src/linux-3.4.4-hardened-r2)" > include/config/kernel.release
make -f /usr/src/linux-3.4.4-hardened-r2/scripts/Makefile.asm-generic \
obj=arch/x86/include/generated/asm
set -e; : ' CHK include/linux/version.h'; mkdir -p include/linux/; (echo \#define LINUX_VERSION_CODE 197636; echo '#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))';) < /usr/src/linux-3.4.4-hardened-r2/Makefile > include/linux/version.h.tmp; if [ -r include/linux/version.h ] && cmp -s include/linux/version.h include/linux/version.h.tmp; then rm -f include/linux/version.h.tmp; else : ' UPD include/linux/version.h'; mv -f include/linux/version.h.tmp include/linux/version.h; fi
set -e; : ' CHK include/generated/utsrelease.h'; mkdir -p include/generated/; if [ `echo -n "3.4.4-hardened-r2" | wc -c ` -gt 64 ]; then echo '"3.4.4-hardened-r2" exceeds 64 characters' >&2; exit 1; fi; (echo \#define UTS_RELEASE \"3.4.4-hardened-r2\";) < include/config/kernel.release > include/generated/utsrelease.h.tmp; if [ -r include/generated/utsrelease.h ] && cmp -s include/generated/utsrelease.h include/generated/utsrelease.h.tmp; then rm -f include/generated/utsrelease.h.tmp; else : ' UPD include/generated/utsrelease.h'; mv -f include/generated/utsrelease.h.tmp include/generated/utsrelease.h; fi
mkdir -p .tmp_versions ; rm -f .tmp_versions/*
make -f scripts/Makefile.build obj=scripts/basic
(cat /dev/null; ) > scripts/basic/modules.order
rm -f .tmp_quiet_recordmcount
make -f scripts/Makefile.build obj=.
(cat /dev/null; ) > modules.order
mkdir -p kernel/
mkdir -p arch/x86/kernel/
/bin/sh scripts/checksyscalls.sh gcc -Wp,-MD,./.missing-syscalls.d -nostdinc -isystem /usr/lib/gcc/x86_64-pc-linux-gnu/4.5.3/include -I/usr/src/linux-3.4.4-hardened-r2/arch/x86/include -Iarch/x86/include/generated -Iinclude -include /usr/src/linux-3.4.4-hardened-r2/include/linux/kconfig.h -D__KERNEL__ -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Werror-implicit-function-declaration -Wno-format-security -fno-delete-null-pointer-checks -O2 -m64 -mtune=generic -mno-red-zone -mcmodel=kernel -funit-at-a-time -maccumulate-outgoing-args -fstack-protector -DCONFIG_X86_X32_ABI -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -DCONFIG_AS_CFI_SECTIONS=1 -DCONFIG_AS_FXSAVEQ=1 -pipe -Wno-sign-compare -fno-asynchronous-unwind-tables -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx -Wframe-larger-than=2048 -fomit-frame-pointer -Wdeclaration-after-statement -Wno-pointer-sign -fno-strict-overflow -fconserve-stack -DCC_HAVE_ASM_GOTO -D"KBUILD_STR(s)=#s" -D"KBUILD_BASENAME=KBUILD_STR(missing_syscalls)" -D"KBUILD_MODNAME=KBUILD_STR(missing_syscalls)"
make -f scripts/Makefile.build obj=scripts
make -f scripts/Makefile.build obj=scripts/mod
(cat /dev/null; ) > scripts/mod/modules.order
(cat /dev/null; ) > scripts/modules.order
make -f scripts/Makefile.build obj=init
/bin/sh /usr/src/linux-3.4.4-hardened-r2/scripts/mkcompile_h include/generated/compile.h \
"x86_64" "y" "y" "gcc -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Werror-implicit-function-declaration -Wno-format-security -fno-delete-null-pointer-checks -O2 -m64 -mtune=generic -mno-red-zone -mcmodel=kernel -funit-at-a-time -maccumulate-outgoing-args -fstack-protector -DCONFIG_X86_X32_ABI -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -DCONFIG_AS_CFI_SECTIONS=1 -DCONFIG_AS_FXSAVEQ=1 -pipe -Wno-sign-compare -fno-asynchronous-unwind-tables -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx -Wframe-larger-than=2048 -fomit-frame-pointer -Wdeclaration-after-statement -Wno-pointer-sign -fno-strict-overflow -fconserve-stack -DCC_HAVE_ASM_GOTO -fplugin=/usr/src/linux-3.4.4-hardened-r2/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN -fplugin=/usr/src/linux-3.4.4-hardened-r2/tools/gcc/colorize_plugin.so "
(cat /dev/null; ) > init/modules.order
make -f scripts/Makefile.build obj=usr
/bin/sh /usr/src/linux-3.4.4-hardened-r2/scripts/gen_initramfs_list.sh -l -d > usr/.initramfs_data.cpio.d
(cat /dev/null; ) > usr/modules.order
make -f scripts/Makefile.build obj=arch/x86
make -f scripts/Makefile.build obj=arch/x86/crypto
(cat /dev/null; echo kernel/arch/x86/crypto/aes-x86_64.ko; echo kernel/arch/x86/crypto/camellia-x86_64.ko; echo kernel/arch/x86/crypto/blowfish-x86_64.ko; echo kernel/arch/x86/crypto/twofish-x86_64.ko; echo kernel/arch/x86/crypto/twofish-x86_64-3way.ko; echo kernel/arch/x86/crypto/salsa20-x86_64.ko; echo kernel/arch/x86/crypto/serpent-sse2-x86_64.ko; echo kernel/arch/x86/crypto/aesni-intel.ko; echo kernel/arch/x86/crypto/ghash-clmulni-intel.ko; echo kernel/arch/x86/crypto/crc32c-intel.ko; echo kernel/arch/x86/crypto/sha1-ssse3.ko;) > arch/x86/crypto/modules.order
make -f scripts/Makefile.build obj=arch/x86/ia32
(cat /dev/null; ) > arch/x86/ia32/modules.order
make -f scripts/Makefile.build obj=arch/x86/kernel
gcc -Wp,-MD,arch/x86/kernel/.process_64.o.d -nostdinc -isystem /usr/lib/gcc/x86_64-pc-linux-gnu/4.5.3/include -I/usr/src/linux-3.4.4-hardened-r2/arch/x86/include -Iarch/x86/include/generated -Iinclude -include /usr/src/linux-3.4.4-hardened-r2/include/linux/kconfig.h -D__KERNEL__ -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Werror-implicit-function-declaration -Wno-format-security -fno-delete-null-pointer-checks -O2 -m64 -mtune=generic -mno-red-zone -mcmodel=kernel -funit-at-a-time -maccumulate-outgoing-args -fstack-protector -DCONFIG_X86_X32_ABI -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -DCONFIG_AS_CFI_SECTIONS=1 -DCONFIG_AS_FXSAVEQ=1 -pipe -Wno-sign-compare -fno-asynchronous-unwind-tables -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx -Wframe-larger-than=2048 -fomit-frame-pointer -Wdeclaration-after-statement -Wno-pointer-sign -fno-strict-overflow -fconserve-stack -DCC_HAVE_ASM_GOTO -fplugin=/usr/src/linux-3.4.4-hardened-r2/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN -fplugin=/usr/src/linux-3.4.4-hardened-r2/tools/gcc/colorize_plugin.so -D"KBUILD_STR(s)=#s" -D"KBUILD_BASENAME=KBUILD_STR(process_64)" -D"KBUILD_MODNAME=KBUILD_STR(process_64)" -c -o arch/x86/kernel/process_64.o arch/x86/kernel/process_64.c
arch/x86/kernel/process_64.c: In function ‘do_arch_prctl’:
arch/x86/kernel/process_64.c:458:15: error: ‘CONFIG_TASK_SIZE_MAX_SHIFT’ undeclared (first use in this function)
arch/x86/kernel/process_64.c:458:15: note: each undeclared identifier is reported only once for each function it appears in
make[2]: *** [arch/x86/kernel/process_64.o] Error 1
make[1]: *** [arch/x86/kernel] Error 2
make: *** [arch/x86] Error 2
can you reproduce it with pax or grsec alone (i.e., no other hardened patches applied)? also what does the failing .config look like?
*** Bug 424996 has been marked as a duplicate of this bug. ***
Created attachment 317486
Failing config file with CONFIG_GRKERNSEC not set

This is vanilla 3.4.4 plus grsecurity-2.9.1-3.4.4-201207021921.
(In reply to comment #4)
> Created attachment 317486
> Failing config file with CONFIG_GRKERNSEC not set
>
> This is vanilla 3.4.4 plus grsecurity-2.9.1-3.4.4-201207021921.

Sorry, I should emphasize: no other patches were applied.
oh, i see what's going on: spender made the entire PaX submenu (and associated config items) depend on GRKERNSEC which is a bad idea for TASK_SIZE_MAX_SHIFT. in the meantime people should enable grsec if they went to the trouble of patching their kernel with it ;).
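The failure mode described in the comment above, as an added example that is not part of the original thread or of the grsecurity/PaX code: a value-type Kconfig symbol inherits a menu's `depends on`, so its `CONFIG_` macro is never generated when that dependency is unset, while C code still uses it unconditionally. The Kconfig fragment, the C line, `PAX_EXAMPLE_FEATURE` and the function names are constructed assumptions.

```python
import re

# Constructed, simplified Kconfig fragment (not the real grsecurity file).
KCONFIG = """\
menu "PaX"
	depends on GRKERNSEC
config PAX_EXAMPLE_FEATURE
	bool "hypothetical feature"
config TASK_SIZE_MAX_SHIFT
	int
	default 47
endmenu
"""
# Constructed C stand-in for the unconditional use in do_arch_prctl().
C_SOURCE = "if (addr >= (1UL << CONFIG_TASK_SIZE_MAX_SHIFT)) return -EPERM;"
TYPES = ("bool", "tristate", "int", "hex", "string")

def parse_kconfig(text):
    """Map symbol -> [type, required symbols], inheriting enclosing menu deps."""
    symbols, menu_deps, current = {}, [], None
    for line in map(str.strip, text.splitlines()):
        word = line.split(" ")[0]
        if word == "menu":
            menu_deps.append(set())
            current = None
        elif word == "endmenu":
            menu_deps.pop()
            current = None
        elif word == "config":
            current = line.split()[1]
            symbols[current] = ["unknown", set().union(*menu_deps)]
        elif line.startswith("depends on ") and (current or menu_deps):
            # Assumption: plain "A && B" expressions only (no "!" or "||").
            deps = set(re.findall(r"[A-Z][A-Z0-9_]*", line[11:]))
            (symbols[current][1] if current else menu_deps[-1]).update(deps)
        elif current and word in TYPES:
            symbols[current][0] = word
    return symbols

def missing_value_macros(kconfig, c_source, enabled):
    """Value symbols used in C whose CONFIG_ macro this .config never generates."""
    symbols = parse_kconfig(kconfig)
    used = set(re.findall(r"\bCONFIG_([A-Z0-9_]+)\b", c_source))
    return sorted(
        name for name in used & symbols.keys()
        if symbols[name][0] in TYPES[2:]          # int/hex/string are used as values
        and not symbols[name][1] <= set(enabled)  # some dependency is unset
    )

if __name__ == "__main__":
    print(missing_value_macros(KCONFIG, C_SOURCE, {"X86_64"}))
```

Run against a real tree, the same check would take the enabled set from the `.config` under test; the parser here only handles the flat menu layout shown.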
This change also causes problems with our patch that allowed one to enable PaX without grsec.
This confused me because I thought I was already running grsecurity so that explains that. Neatly explains my bug too. Nice catch and "wtf are you doing, spender". But as an aside I've stuck with hardened sources because I've always treated it (correctly or otherwise) as a more 'stable' branch of the kernel as opposed to the normal gentoo-sources.
If CONFIG_GRKERNSEC=n, no, you were not using grsecurity. BTW, it's never been the case that using PaX alone was recommended, due to ASLR bruteforcing and infoleaks. I will correct the build error, but the placement of the custom PaX menu will remain inside the grsecurity menu.

-Brad
(In reply to comment #9)
> If CONFIG_GRKERNSEC=n, no, you were not using grsecurity. BTW, it's never
> been the case that using PaX alone was recommended, due to ASLR bruteforcing
> and infoleaks. I will correct the build error, but the placement of the
> custom PaX menu will remain inside the grsecurity menu.
>
> -Brad

I agree that using PaX alone is *not* a good idea. But 1) we have crazy users and 2) for debugging at my end, it is useful. *I* can live without it.
Re: Comment#6 by PaX Team

I was under the -apparently false- impression that hardened-sources included other patches/improvements beyond just grsecurity and PaX. If that's not the case I might as well switch to gentoo-sources, since I never bothered messing with these two...
(In reply to comment #11)
> Re: Comment#6 by PaX Team
>
> I was under the -apparently false- impression that hardened-sources included
> other patches/improvements beyond just grsecurity and PaX. If that's not
> the case I might as well switch to gentoo-sources, since I never bothered
> messing with these two...

note that we have features/changes outside of .config control as well, so you do get improvements (including backports of security fixes that upstream misses or sits on for longer than we like) beyond what you see in menuconfig ;).
(In reply to comment #11)
> Re: Comment#6 by PaX Team
>
> I was under the -apparently false- impression that hardened-sources included
> other patches/improvements beyond just grsecurity and PaX. If that's not
> the case I might as well switch to gentoo-sources, since I never bothered
> messing with these two...

It does. Why do you think this?
This is fixed in the newer sources.