I've got a VM (it's KVM with qemu-2.0.0-r1) with hardened-sources-3.15.{5-r2,8}. I'm observing a kind of memory corruption. After a couple of hours of uptime I start seeing random segfaults and general protection traps, especially when a process uses a lot of CPU and does many I/O operations (masscheck scripts written in Perl for SpamAssassin rules). In the log I've got e.g.:

2014-08-25T13:05:23.243062+02:00 mohikanin kernel: [45571.239703] PAX: From 88.198.102.195: execution attempt in: (null), 00000000-00000000 00000000
2014-08-25T13:05:23.243088+02:00 mohikanin kernel: [45571.239707] PAX: terminating task: /usr/libexec/dovecot/pop3-login(pop3-login):2507, uid/euid: 105/105, PC: (nil), SP: 000003a8574e4c00
2014-08-25T13:05:23.243093+02:00 mohikanin kernel: [45571.239709] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
2014-08-25T13:05:23.243095+02:00 mohikanin kernel: [45571.239735] PAX: bytes at SP-8: 0000000000000000 0000000000000000 00000059c6deceb0 0000000000000000 00000316027bc540 0000000000000001 000003160271dbb5 0000000000000000 0000000000000000 0000000000000000 0000000000000000
2014-08-25T13:24:42.943001+02:00 mohikanin kernel: [46730.931353] traps: spamd child[19681] general protection ip:2c572b6e163 sp:3ca7d000be0 error:0 in libc-2.19.so[2c572aee000+19e000]
2014-08-25T13:24:42.943007+02:00 mohikanin kernel: [46730.931371] grsec: Segmentation fault occurred at (nil) in /usr/sbin/spamd[spamd child:19681] uid/euid:999/999 gid/egid:100/100, parent /usr/sbin/spamd[/usr/sbin/spamd:1255] uid/euid:0/0 gid/egid:0/0
2014-08-25T13:55:22.383032+02:00 mohikanin kernel: [48570.375917] traps: freshclam[6594] general protection ip:344cceb368d sp:3d5f5ced520 error:0 in libclamav.so.6.1.23[344ccdf1000+9d1000]
2014-08-25T13:55:22.383050+02:00 mohikanin kernel: [48570.375968] grsec: Segmentation fault occurred at (nil) in /usr/bin/freshclam[freshclam:6594] uid/euid:104/104 gid/egid:115/115, parent /usr/bin/freshclam[freshclam:1159] uid/euid:104/104 gid/egid:115/115

Yesterday I switched the kernel to gentoo-sources-3.14.14 and I don't see any unwanted behavior.
(gcc is: gcc version 4.7.3 (Gentoo Hardened 4.7.3-r1 p1.4, pie-0.5.5), with ld.gold)

# grep -P "(GRK|PAX)" /boot/config-3.15.8-hardened
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
CONFIG_GRKERNSEC_CONFIG_SERVER=y
# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set
CONFIG_GRKERNSEC_PROC_GID=55555
CONFIG_GRKERNSEC_TPE_TRUSTED_GID=55555
CONFIG_GRKERNSEC_SYMLINKOWN_GID=100
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_JIT_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
# CONFIG_GRKERNSEC_BRUTE is not set
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
CONFIG_GRKERNSEC_NO_RBAC=y
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYMLINKOWN=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_INITRD=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=55555
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
Portage 2.2.8-r1 (hardened/linux/amd64, gcc-4.7.3, glibc-2.19-r1, 3.15.8-hardened x86_64)
=================================================================
System uname: Linux-3.15.8-hardened-x86_64-Intel_Xeon_E312xx_-Sandy_Bridge-with-gentoo-2.2
KiB Mem: 2366892 total, 118100 free
KiB Swap: 524284 total, 464692 free
Timestamp of tree: Thu, 04 Sep 2014 04:15:01 +0000
ld GNU gold (Gentoo 2.23.2 p1.0 2.23.2) 1.11
ccache version 3.1.9 [enabled]
app-shells/bash: 4.2_p45
dev-lang/python: 2.7.7, 3.3.5-r1
dev-util/ccache: 3.1.9-r3
dev-util/pkgconfig: 0.28-r1
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.12.4
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.69
sys-devel/automake: 1.13.4
sys-devel/binutils: 2.23.2
sys-devel/gcc: 4.7.3-r1
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4.2-r1
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc: 2.19-r1
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2 -mtune=native -frecord-gcc-switches -fno-unwind-tables -fno-asynchronous-unwind-tables -fpeel-loops -ftracer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=core2 -mtune=native -frecord-gcc-switches -fno-unwind-tables -fno-asynchronous-unwind-tables -fpeel-loops -ftracer"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache cgroup collision-protect compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.mirror.pw.edu.pl/ http://ftp.vectranet.pl/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="-O"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
USE="acl acpi amd64 bash-completion caps cli cracklib crypt cxx dri hardened iconv idn justify mmx mmxext modules multilib ncurses nls nptl openmp pax_kernel pcre postgres readline session sse sse2 sse3 ssse3 threads unicode urandom vhosts vim-syntax xattr xtpax"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authz_host dir mime unique_id"
APACHE2_MPMS="itk"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
NGINX_MODULES_HTTP="access auth_basic browser charset fastcgi gzip gzip_static headers_more limit_conn limit_req proxy realip referer rewrite userid"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-4"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python3_3"
RUBY_TARGETS="ruby19 ruby20"
USERLAND="GNU"
VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l"
XTABLES_ADDONS="tarpit"
USE_PYTHON="3.3"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Weird, since your setup is almost identical (if not actually identical) to mine and I'm not seeing this. Maybe some hardware difference in the host? I'm cc-ing upstream.
does your cpu have INVPCID support? check dmesg (both on the host and the guest), PaX prints out PCID/INVPCID detection on boot.
On host I'm using gentoo-sources, in dmesg there is no information about PCID:

~ # dmesg |grep PCID
~ #

Information about CPU on host:

processor : 7
vendor_id : GenuineIntel
cpu family : 6
model : 58
model name : Intel(R) Xeon(R) CPU E3-1230 V2 @ 3.30GHz
stepping : 9
microcode : 0x19
cpu MHz : 1598.437
cache size : 8192 KB
physical id : 0
siblings : 8
core id : 3
cpu cores : 4
apicid : 7
initial apicid : 7
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm ida arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms
bogomips : 6584.91
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

In guest I can see:

# dmesg |grep PCID
[ 0.020000] PAX: PCID detected
[ 0.020000] PAX: PCID detected
[ 0.020000] PAX: PCID detected

And cpuinfo looks like below:

processor : 2
vendor_id : GenuineIntel
cpu family : 6
model : 42
model name : Intel Xeon E312xx (Sandy Bridge)
stepping : 1
microcode : 0x1
cpu MHz : 3292.514
cache size : 4096 KB
physical id : 2
siblings : 1
core id : 0
cpu cores : 1
apicid : 2
initial apicid : 2
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon rep_good nopl eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm xsaveopt fsgsbase smep erms
bogomips : 6585.02
clflush size : 64
cache_alignment : 64
address sizes : 40 bits physical, 48 bits virtual
power management:
so i have a couple of questions...

1. can you boot the guest with 'nopcid' on the kernel command line and see if UDEREF still produces these errors?
2. i'm wondering how the guest kernel was able to detect and enable PCID usage as this is only possible if the host kernel enables PCID too (this is the reason why this enabling code is unconditional in PaX itself but vanilla kernels don't have such code AFAIK).
3. what happens if you use a PaX/grsec kernel on the host (no need to enable any specific feature, patching it in is enough)?
4. does the host kernel version matter for the problem to show up in the guests?
Sorry for the delay, but it isn't something I can reproduce ad hoc.
A.d. 1. As for now I can say that with the "nopcid" parameter I can't reproduce the problem.
A.d. 2. I have no idea...
A.d. 3&4. I didn't try it yet.
Ad.3. I've booted the host with kernel 3.15.8-hardened, dmesg shows:

# dmesg |grep PAX
[ 0.016224] PAX: PCID detected
[ 0.016291] PAX: strong UDEREF enabled
[ 0.133194] PAX: PCID detected
[ 0.133196] PAX: strong UDEREF enabled
[ 0.146933] PAX: PCID detected
[ 0.146935] PAX: strong UDEREF enabled
[ 0.160558] PAX: PCID detected
[ 0.160559] PAX: strong UDEREF enabled
[ 0.174280] PAX: PCID detected
[ 0.174281] PAX: strong UDEREF enabled
[ 0.187974] PAX: PCID detected
[ 0.187976] PAX: strong UDEREF enabled
[ 0.201667] PAX: PCID detected
[ 0.201668] PAX: strong UDEREF enabled
[ 0.222950] PAX: PCID detected
[ 0.222951] PAX: strong UDEREF enabled

It doesn't change behavior on the guest:

*** Error in `/usr/bin/perl': free(): invalid size: 0x0000002904917770 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x78d5d)[0x334e8d25d5d]
/lib64/libc.so.6(+0x7e926)[0x334e8d2b926]
/lib64/libc.so.6(+0x7fb02)[0x334e8d2cb02]
/usr/lib64/libperl.so.5.18(Perl_vivify_ref+0x1c6)[0x334e91a2296]
======= Memory map: ========
28fe33d000-28fe33f000 r-xp 00000000 08:02 33106 /usr/bin/perl5.18.2
28fe33f000-28fe340000 rw-p 00001000 08:02 33106 /usr/bin/perl5.18.2
28fe340000-2902170000 ---p 00000000 00:00 0
2902170000-2905f7c000 rw-p 00000000 00:00 0 [heap]
2905f7c000-2920fcb000 rw-p 00000000 00:00 0 [heap]
[...]

Two days ago I set more memory for the guest (~4.2GB instead of ~2.2GB) and I couldn't reproduce the issue. When I changed the memory size back to ~2.2GB I could reproduce it. I'm wondering if memory pressure has any meaning or is it an incident?

A.d.4 I can say the problem appears at least with two different kernels :) 3.15.8-hardened and 3.14.14-gentoo.
I see the same issue here. I have gentoo-sources-3.12.6 on the host and different hardened-sources within kvm. As soon as I enable some hardening features (even with only the chroot options enabled), it starts to behave weird... As I test with only 512mb ram, it fails quite early during an "emerge cmake" for example. I shouldn't reboot the host that often.... And as it doesn't seem to be PCID/INVPCID I doubt that using hardened-sources on the host would change that much... maybe just a newer version!? Is there any other memory related option that could influence grsecurity??
can you guys test the latest grsec patch and see if it helps?
(In reply to PaX Team from comment #9)
> can you guys test the latest grsec patch and see if it helps?

I don't know if latest grsec patch is in hardened-sources-3.17.2 but with mentioned kernel I can't even boot OS - I'm getting:
*** Error in '/sbin/rc': free(): invalid size: 0x00000044ee5aa5c0 ***
(In reply to Marcin Mirosław from comment #10)
> (In reply to PaX Team from comment #9)
> > can you guys test the latest grsec patch and see if it helps?
>
> I don't know if latest grsec patch is in hardened-sources-3.17.2 but with
> mentioned kernel I can't even boot OS - I'm getting:
> *** Error in '/sbin/rc': free(): invalid size: 0x00000044ee5aa5c0 ***

hardened-sources-3.17.2 = vanilla-3.17.2 + genpatches-3.17.4 + grsecurity-3.0-3.17.2-201410312213

So yes, it's the latest.
(In reply to Anthony Basile from comment #11)
> (In reply to Marcin Mirosław from comment #10)
> > (In reply to PaX Team from comment #9)
> > > can you guys test the latest grsec patch and see if it helps?
> >
> > I don't know if latest grsec patch is in hardened-sources-3.17.2 but with
> > mentioned kernel I can't even boot OS - I'm getting:
> > *** Error in '/sbin/rc': free(): invalid size: 0x00000044ee5aa5c0 ***
>
> hardened-sources-3.17.2 = vanilla-3.17.2 + genpatches-3.17.4 +
> grsecurity-3.0-3.17.2-201410312213
>
> So yes its the latest.

The latest is now hardened-sources-3.17.4-r1.ebuild = vanilla-3.17.4 + genpatches-3.17-7 + grsecurity-3.0-3.17.4-201411260107
With hardened-sources-3.17.4-r1 no changes, even init scripts are segfaulting:

* /run/lock: creating directory
rc: malloc.c:2839: mremap_chunk: Assertion `((size + offset) & (_rtld_global_ro._dl_pagesize - 1)) == 0` failed.

and so on.
this should be fixed in the latest grsec version, can you guys give it a try? until then if you disable PARAVIRT, UDEREF/PCID should also work.
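The two interim workarounds named in this thread (booting the guest with nopcid, or disabling PARAVIRT) can be turned into a quick triage check for a guest. This is an added example, not part of the original bug report and not grsecurity/PaX code; the function names, the verdict strings and the use of the hypervisor CPU flag to recognise a guest are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag a KVM guest that matches the
# combination discussed here: UDEREF + PCID + PARAVIRT, booted without nopcid.
# Files are passed as arguments so saved copies from another box can be checked.

# has_config FILE OPTION: true if OPTION=y is present in the kernel config
has_config() {
    grep -q "^$2=y\$" "$1"
}

# has_cpu_flag CPUINFO FLAG: true if FLAG is a whole word on a "flags" line
has_cpu_flag() {
    grep '^flags' "$1" | tr -s ' \t' '\n\n' | grep -qx "$2"
}

# has_cmdline_arg CMDLINE ARG: true if ARG is a whole word on the command line
has_cmdline_arg() {
    tr -s ' \t' '\n\n' < "$1" | grep -qx "$2"
}

# pcid_triage CONFIG CPUINFO CMDLINE: print one verdict line (the strings are
# this example's own convention, not kernel output)
pcid_triage() {
    config=$1; cpuinfo=$2; cmdline=$3
    if ! has_config "$config" CONFIG_PAX_MEMORY_UDEREF; then
        echo "not-applicable: UDEREF not enabled"
    elif ! has_cpu_flag "$cpuinfo" hypervisor; then
        echo "not-applicable: no hypervisor flag, not a guest"
    elif ! has_cpu_flag "$cpuinfo" pcid; then
        echo "not-applicable: no pcid flag exposed to the guest"
    elif has_cmdline_arg "$cmdline" nopcid; then
        echo "mitigated: nopcid on the kernel command line"
    elif ! has_config "$config" CONFIG_PARAVIRT; then
        echo "mitigated: PARAVIRT disabled"
    else
        echo "review: UDEREF+PCID+PARAVIRT guest without nopcid"
    fi
}

# Constructed sample input (not copied from the reporter's system).
pcid_triage_demo() {
    d=$(mktemp -d) || return 1
    printf 'CONFIG_PAX_MEMORY_UDEREF=y\nCONFIG_PARAVIRT=y\n' > "$d/config"
    printf 'flags\t\t: fpu pcid smep hypervisor\n' > "$d/cpuinfo"
    printf 'root=/dev/vda2 ro\n' > "$d/cmdline"
    pcid_triage "$d/config" "$d/cpuinfo" "$d/cmdline"
    rm -rf "$d"
}

pcid_triage_demo
```

On a live guest the three arguments would be the kernel config in /boot (as grepped in the report), /proc/cpuinfo and /proc/cmdline. A "review" verdict only says the guest matches the combination discussed here; it does not check whether the running grsecurity version already contains the fix.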
(In reply to PaX Team from comment #14)
> this should be fixed in the latest grsec version, can you guys give it a
> try? until then if you disable PARAVIRT, UDEREF/PCID should also work.

The latest version just hit the tree:

hardened-sources-3.17.7-r1 = grsecurity-3.0-3.17.7-201412211910
hardened-sources-3.14.27-r1 = grsecurity-3.0-3.14.27-201412211908
hardened-sources-3.2.65-r2 = grsecurity-3.0-3.2.65-201412211905

Please test as I want to rapid stabilize these.
Due to Xmas time I can't test it before 28.12.
# uname -r
3.17.7-hardened-r1
# dmesg |grep PCID
[ 0.020000] PAX: PCID detected
[ 0.020000] PAX: PCID detected
[ 0.020000] PAX: PCID detected

# uptime
10:14:13 up 10:55, 1 user, load average: 2.33, 2.16, 2.13

and still no problem.
(In reply to Marcin Mirosław from comment #17)
> # uname -r
> 3.17.7-hardened-r1
> # dmesg |grep PCID
> [ 0.020000] PAX: PCID detected
> [ 0.020000] PAX: PCID detected
> [ 0.020000] PAX: PCID detected
>
> # uptime
> 10:14:13 up 10:55, 1 user, load average: 2.33, 2.16, 2.13
>
> and still no problem.

It's in the tree stable now. Reopen if it's still a problem. Thanks!
Thanks for the fix.