Calculating dependencies... done!
[ebuild N ~] app-admin/paxtest-0.9.14::gentoo 0 KiB

Total: 1 package (1 new), Size of downloads: 0 KiB

Would you like to merge these packages? [Yes/No] y
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) app-admin/paxtest-0.9.14::gentoo
 * paxtest-0.9.14.tar.gz SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking paxtest-0.9.14.tar.gz to /var/tmp/portage/app-admin/paxtest-0.9.14/work
>>> Source unpacked in /var/tmp/portage/app-admin/paxtest-0.9.14/work
>>> Preparing source in /var/tmp/portage/app-admin/paxtest-0.9.14/work/paxtest-0.9.14 ...
 * Applying paxtest-0.9.13-Makefile.patch ... [ ok ]
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/app-admin/paxtest-0.9.14/work/paxtest-0.9.14 ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/app-admin/paxtest-0.9.14/work/paxtest-0.9.14 ...
make -j5 RUNDIR=/usr/lib/paxtest
armv7a-hardfloat-linux-gnueabi-gcc -O2 -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o chpax-0.7/aout.o -c chpax-0.7/aout.c
armv7a-hardfloat-linux-gnueabi-gcc -O2 -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o chpax-0.7/chpax.o -c chpax-0.7/chpax.c
armv7a-hardfloat-linux-gnueabi-gcc -O2 -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o chpax-0.7/elf32.o -c chpax-0.7/elf32.c
armv7a-hardfloat-linux-gnueabi-gcc -O2 -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o chpax-0.7/elf64.o -c chpax-0.7/elf64.c
armv7a-hardfloat-linux-gnueabi-gcc -O2 -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o chpax-0.7/flags.o -c chpax-0.7/flags.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition
armv7a-hardfloat-linux-gnueabi-gcc -O2 -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o chpax-0.7/io.o -c chpax-0.7/io.c
armv7a-hardfloat-linux-gnueabi-gcc -O2 -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -fPIC -o shlibtest.o -c shlibtest.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition
armv7a-hardfloat-linux-gnueabi-gcc -O2 -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -fPIC -o shlibtest2.o -c shlibtest2.c
armv7a-hardfloat-linux-gnueabi-gcc -O2 -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o body.o -c body.c
armv7a-hardfloat-linux-gnueabi-gcc -O2 -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o shlibbss.o -c shlibbss.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition
{standard input}: Assembler messages:
{standard input}:29: Error: alignment too large: 15 assumed
Makefile:237: recipe for target 'shlibtest2.o' failed
make: *** [shlibtest2.o] Error 1
make: *** Waiting for unfinished jobs....
{standard input}: Assembler messages:
{standard input}:29: Error: alignment too large: 15 assumed
Makefile:237: recipe for target 'shlibtest.o' failed
make: *** [shlibtest.o] Error 1
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition
 * ERROR: app-admin/paxtest-0.9.14::gentoo failed (compile phase):
 *   emake failed
 *
 * If you need support, post the output of `emerge --info '=app-admin/paxtest-0.9.14::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=app-admin/paxtest-0.9.14::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/app-admin/paxtest-0.9.14/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/app-admin/paxtest-0.9.14/temp/environment'.
 * Working directory: '/var/tmp/portage/app-admin/paxtest-0.9.14/work/paxtest-0.9.14'
 * S: '/var/tmp/portage/app-admin/paxtest-0.9.14/work/paxtest-0.9.14'

>>> Failed to emerge app-admin/paxtest-0.9.14, Log file:
>>> '/var/tmp/portage/app-admin/paxtest-0.9.14/temp/build.log'

emerge --info =app-admin/paxtest-0.9.14::gentoo
Portage 2.2.26 (python 2.7.10-final-0, hardened/linux/arm/armv7a, gcc-4.9.3, glibc-2.21-r2, 4.4.6-raspberrypi-v7+ armv7l)
=================================================================
System Settings
=================================================================
System uname: Linux-4.4.6-raspberrypi-v7+-armv7l-with-gentoo-2.2
KiB Mem: 943288 total, 723512 free
KiB Swap: 1023996 total, 1023996 free
Timestamp of repository gentoo: Tue, 12 Apr 2016 04:42:44 +0000
sh bash 4.3_p42-r1
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash: 4.3_p42-r1::gentoo
dev-lang/perl: 5.20.2::gentoo
dev-lang/python: 2.7.10-r1::gentoo, 3.4.3-r1::gentoo
dev-util/pkgconfig: 0.28-r2::gentoo
sys-apps/baselayout: 2.2::gentoo
sys-apps/openrc: 0.19.1::gentoo
sys-apps/sandbox: 2.10-r1::gentoo
sys-devel/autoconf: 2.69::gentoo
sys-devel/automake: 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils: 2.25.1-r1::gentoo
sys-devel/gcc: 4.9.3::gentoo
sys-devel/gcc-config: 1.7.3::gentoo
sys-devel/libtool: 2.4.6::gentoo
sys-devel/make: 4.1-r1::gentoo
sys-kernel/linux-headers: 4.3::gentoo (virtual/os-headers)
sys-libs/glibc: 2.21-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/gentoo
    priority: -1000

ACCEPT_KEYWORDS="arm"
ACCEPT_LICENSE="* -@EULA"
CBUILD="armv7a-hardfloat-linux-gnueabi"
CFLAGS="-O2 -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2"
CHOST="armv7a-hardfloat-linux-gnueabi"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe -march=armv7-a"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe -march=armv7-a"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="ru_RU.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="aac acl alsa arm armv5te armv6 armv6t2 berkdb bluetoot bzip2 cli cracklib crypt cups cxx dbus dri ffmpeg flac gdbm gles gles2 gnutls hardened iconv ipv6 jpeg jpeg2k lame libv4l mad modules mp3 mpeg ncurses neon nfs nls nptl ogg openmp pam pax_kernel pcre pic pie png quota readline samba seccomp session ssl ssp syslog tcpd threads unicode urandom v4l vim-syntax vorbis xattr xtpax zlib" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CURL_SSL="gnutls" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="ru en ru_RU" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="exynos fbdev omap omapfb dummy v4l" XTABLES_ADDONS="account chaos condition delude dhcpmac fuzzy geoip iface ipmark ipp2p ipv4options length2 logmark lscan pknock psd quota2 sysrq tarpit gradm"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

(In reply to kpanic from comment #0)
> armv7a-hardfloat-linux-gnueabi-gcc -O2 -pipe -mcpu=cortex-a7
> -mfpu=neon-vfpv4 -mfloat-abi=hard -mtls-dialect=gnu2 -Wa,--noexecstack
> -D_FORTIFY_SOURCE=0 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o
> shlibbss.o -c shlibbss.c
> <command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
> <built-in>: note: this is the location of the previous definition
> <command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
> <built-in>: note: this is the location of the previous definition
> <command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
> <built-in>: note: this is the location of the previous definition
> {standard input}: Assembler messages:
> {standard input}:29: Error: alignment too large: 15 assumed
> Makefile:237: recipe for target 'shlibtest2.o' failed
> make: *** [shlibtest2.o] Error 1
> make: *** Waiting for unfinished jobs....
> {standard input}: Assembler messages:
> {standard input}:29: Error: alignment too large: 15 assumed
> Makefile:237: recipe for target 'shlibtest.o' failed
> make: *** [shlibtest.o] Error 1
> <command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
> <built-in>: note: this is the location of the previous definition

Looks like the alignment is too big for arm. Can you give me the results of the following two tests:

1) gcc -x c -c - <<< "char data[0x10000] __attribute__((aligned(0x10000))) = { 'A' };"

2) gcc -x c -c - <<< "char data[0x8000] __attribute__((aligned(0x8000))) = { 'A' };"

@pipacs, the test should be fine on all archs if we drop the PAGE_SIZE_MAX to 0x8000 = 2^15 no?

> Looks like the alignment is too big for arm. Can you give me the results of
> the following two tests:
>
> 1) gcc -x c -c - <<< "char data[0x10000] __attribute__((aligned(0x10000))) =
> { 'A' };"
>
> 2) gcc -x c -c - <<< "char data[0x8000] __attribute__((aligned(0x8000))) = {
> 'A' };"
>

localhost ~ # gcc -x c -c - <<< "char data[0x10000] __attribute__((aligned(0x10000))) = { 'A' };"
/tmp/cccHVGj0.s: Assembler messages:
/tmp/cccHVGj0.s:17: Error: alignment too large: 15 assumed
localhost ~ # gcc -x c -c - <<< "char data[0x8000] __attribute__((aligned(0x8000))) = { 'A' };"
localhost ~ #

> @pipacs, the test should be fine on all archs if we drop the PAGE_SIZE_MAX
> to 0x8000 = 2^15 no?

I changed PAGE_SIZE_MAX to 0x8000 and the source builds successfully.

paxtest result raspberry pi 2

grsec enable

PaXtest - Copyright(c) 2003-2014 by Peter Busser <peter@adamantix.org> and Brad Spengler <spender@grsecurity.net>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003-2014 by Peter Busser <peter@adamantix.org> and Brad Spengler <spender@grsecurity.net>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux localhost 4.4.6-grsec-v7+ #1 SMP Tue Apr 12 10:42:57 MSK 2016 armv7l BCM2709 GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomization test     : 16 quality bits (guessed)
Heap randomization test (ET_EXEC)        : 24 quality bits (guessed)
Heap randomization test (PIE)            : 24 quality bits (guessed)
Main executable randomization (ET_EXEC)  : 16 quality bits (guessed)
Main executable randomization (PIE)      : 16 quality bits (guessed)
Shared library randomization test        : 16 quality bits (guessed)
./getvdso: Success
VDSO randomization test                  :
Stack randomization test (SEGMEXEC)      : 24 quality bits (guessed)
Stack randomization test (PAGEEXEC)      : 24 quality bits (guessed)
Arg/env randomization test (SEGMEXEC)    : 28 quality bits (guessed)
Arg/env randomization test (PAGEEXEC)    : 28 quality bits (guessed)
Randomization under memory exhaustion @~0: 17 bits (guessed)
Randomization under memory exhaustion @0 : No randomization
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : Vulnerable
Return to function (memcpy, PIE)         : Vulnerable

grsec disabled

PaXtest - Copyright(c) 2003-2014 by Peter Busser <peter@adamantix.org> and Brad Spengler <spender@grsecurity.net>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003-2014 by Peter Busser <peter@adamantix.org> and Brad Spengler <spender@grsecurity.net>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux localhost 4.4.6-raspberrypi-v7+ #5 SMP Tue Mar 29 00:59:16 MSK 2016 armv7l BCM2709 GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable stack (mprotect)              : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments                   : Vulnerable
Anonymous mapping randomization test     : 8 quality bits (guessed)
Heap randomization test (ET_EXEC)        : 13 quality bits (guessed)
Heap randomization test (PIE)            : 13 quality bits (guessed)
Main executable randomization (ET_EXEC)  : 8 quality bits (guessed)
Main executable randomization (PIE)      : 8 quality bits (guessed)
Shared library randomization test        : 8 quality bits (guessed)
VDSO randomization test                  : 9 quality bits (guessed)
Stack randomization test (SEGMEXEC)      : 11 quality bits (guessed)
Stack randomization test (PAGEEXEC)      : 11 quality bits (guessed)
Arg/env randomization test (SEGMEXEC)    : 11 quality bits (guessed)
Arg/env randomization test (PAGEEXEC)    : 11 quality bits (guessed)
Randomization under memory exhaustion @~0: No randomization
Randomization under memory exhaustion @0 : No randomization
Return to function (strcpy)              : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : Vulnerable
Return to function (memcpy, PIE)         : Vulnerable

(In reply to Anthony Basile from comment #1)
> @pipacs, the test should be fine on all archs if we drop the PAGE_SIZE_MAX
> to 0x8000 = 2^15 no?

no, it's not going to achieve what we want here on all archs. we'd like to ensure that the declared variables end up in the proper sections (bss vs. data) no matter what the kernel's minimal page size is (on some archs it's configurable) and we found that 64k covered those we care about. now you could say that we should use getpagesize/sysconf(_SC_PAGESIZE) instead but the problem with them is that detecting this at runtime is too late as we need this information when building the binaries already, not when we run them (not to mention that the kernel building the binaries may be different from the kernel running them, especially with cross-compilation). if anyone has a better idea, we're all ears ;).

(In reply to PaX Team from comment #4)
> (In reply to Anthony Basile from comment #1)
> > @pipacs, the test should be fine on all archs if we drop the PAGE_SIZE_MAX
> > to 0x8000 = 2^15 no?
> no, it's not going to achieve what we want here on all archs. we'd like to
> ensure that the declared variables end up in the proper sections (bss vs.
> data) no matter what the kernel's minimal page size is (on some archs it's
> configurable) and we found that 64k covered those we care about. now you
> could say that we should use getpagesize/sysconf(_SC_PAGESIZE) instead but
> the problem with them is that detecting this at runtime is too late as we
> need this information when building the binaries already, not when we run
> them (not to mention that the kernel building the binaries may be different
> from the kernel running them, especially with cross-compilation). if anyone
> has a better idea, we're all ears ;).

okay so `getconf PAGE_SIZE` at build time?

(In reply to Anthony Basile from comment #5)
> okay so `getconf PAGE_SIZE` at build time?

well, if that gives a reliable value (i.e., matching the running kernel's PAGE_SIZE, this will need testing across libc/arch/kernel configs) then it would work as long as the binaries are not moved and run on a kernel with a different PAGE_SIZE. i wonder if there's a programmatic way to learn the maximum small page size a given arch can support or if we should just #ifdef some...

(In reply to PaX Team from comment #6)
> (In reply to Anthony Basile from comment #5)
> > okay so `getconf PAGE_SIZE` at build time?
> well, if that gives a reliable value (i.e., matching the running kernel's
> PAGE_SIZE, this will need testing across libc/arch/kernel configs)

across libc's I can say that getconf will work on uclibc and glibc for most arches --- most being at least amd64, arm, mips, ppc and x86 because i use it all the time on native hardware. on musl you have to provide your own getconf. alpine linux (musl based distro which also uses a pax kernel) does and gentoo-musl will as soon as i get unlazy :)

> then it
> would work as long as the binaries are not moved and run on a kernel with a
> different PAGE_SIZE.

am i reading you right here? so, suppose i build with a 4k pagesize kernel and then switch to a 16k kernel but don't rebuild paxtest, then i could be in trouble because the binaries are assuming 4k while we have an active 16k kernel. that's a good point and i'm not sure how we'd deal with that.

> i wonder if there's a programmatic way to learn the
> maximum small page size a given arch can support or if we should just #ifdef
> some...

maybe save ourselves headaches and just do some #ifdef heuristics.
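
Added example (not part of the bug thread and not paxtest's own code): one way the "#ifdef heuristics" idea could look, pairing a build-time PAGE_SIZE_MAX with a run-time check for the case where the binary is run on a kernel with a larger page size. The 0x8000 value for 32-bit ARM and the 64k default come from the thread; the names demo_data, demo_bss, page_size_covered and owns_whole_pages are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Build-time choice. On 32-bit ARM the assembler in this report rejected
 * an alignment of 0x10000 and accepted 0x8000; other architectures keep
 * the 64k value the thread says covers the page sizes of interest. */
#if defined(__arm__)
#define PAGE_SIZE_MAX 0x8000
#else
#define PAGE_SIZE_MAX 0x10000
#endif

_Static_assert((PAGE_SIZE_MAX & (PAGE_SIZE_MAX - 1)) == 0,
               "PAGE_SIZE_MAX must be a power of two");

/* Initialized object goes to .data, uninitialized one to .bss. Sizing and
 * aligning both to PAGE_SIZE_MAX keeps each on pages of its own for any
 * kernel page size up to PAGE_SIZE_MAX. (hypothetical names) */
static char demo_data[PAGE_SIZE_MAX]
    __attribute__((aligned(PAGE_SIZE_MAX))) = { 'A' };
static char demo_bss[PAGE_SIZE_MAX]
    __attribute__((aligned(PAGE_SIZE_MAX)));

/* Page size of the kernel we are running on, not the one we built on. */
long runtime_page_size(void)
{
    return sysconf(_SC_PAGESIZE);
}

/* Returns 1 when the build-time guess still covers the running kernel,
 * 0 when the binary was moved to a kernel with larger pages. */
int page_size_covered(void)
{
    long ps = runtime_page_size();
    return ps > 0 && ps <= PAGE_SIZE_MAX;
}

/* Returns 1 when buf starts and ends on a page boundary of the running
 * kernel, i.e. it shares no page with a neighbouring object. */
int owns_whole_pages(const char *buf, size_t len)
{
    long ps = runtime_page_size();
    if (ps <= 0)
        return 0;
    return ((uintptr_t)buf % (uintptr_t)ps) == 0 && (len % (size_t)ps) == 0;
}

int main(void)
{
    if (!page_size_covered()) {
        fprintf(stderr, "page size %ld exceeds PAGE_SIZE_MAX %#x; rebuild\n",
                runtime_page_size(), (unsigned)PAGE_SIZE_MAX);
        return 1;
    }
    printf("data on own pages: %d, bss on own pages: %d\n",
           owns_whole_pages(demo_data, sizeof demo_data),
           owns_whole_pages(demo_bss, sizeof demo_bss));
    return 0;
}
```

The run-time check turns the "built on 4k, run on 16k" case from the last comment into an explicit failure instead of a silently misplaced test buffer.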