Bug 603188 - =sys-kernel/hardened-sources-4.8.11 panic with zfs, HARDENED_USERCOPY can't be turned off
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2016-12-20 12:04 UTC by Chris Henhawke
Modified: 2017-11-18 06:43 UTC


Attachments
4.3.4 config (4.3.4.config,73.99 KB, text/x-mpsub)
2016-12-20 16:57 UTC, Chris Henhawke
4.8.11 config (4.8.11.config,77.21 KB, text/x-mpsub)
2016-12-20 16:57 UTC, Chris Henhawke

Description Chris Henhawke 2016-12-20 12:04:31 UTC
Tried upgrading from hardened 4.3.4 to 4.8.11 and I got a panic on boot.

After inspection of my kernel config, it would seem that enabling grsec also enables the new in-kernel HARDENED_USERCOPY; the one provided by grsec was disabled on my 4.3.4 config.

Since the option is hidden and enabled by enabling grsec itself, I can't turn it off, so I can't boot a new kernel if I'm using zfs.

A screenshot with the panic - http://i.imgur.com/GJza8rL.jpg
4.3.4 config - https://paste.pound-python.org/show/0msGOEagGFI5M4YXa7WK/
4.8.11 config - https://paste.pound-python.org/show/O0a4F1RN2CJwl6gZCYPQ/
diff of the configs - https://www.diffchecker.com/IT899b1l

Bug also filed over on the zfs github - https://github.com/zfsonlinux/zfs/issues/5468

Thanks
Comment 1 Anthony Basile gentoo-dev 2016-12-20 12:32:34 UTC
Did you apply any extra patches to =sys-kernel/hardened-sources-4.8.11?
Comment 2 Chris Henhawke 2016-12-20 12:37:40 UTC
Not that I know of.  This was a direct upgrade by installing the ebuild, copying the 4.3.4 /proc/config.gz to .config, and running make.

Thanks
Comment 3 Anthony Basile gentoo-dev 2016-12-20 16:54:16 UTC
(In reply to Chris Henhawke from comment #2)
> Not that I know of.  This was a direct upgrade by installing the ebuild,
> copying the 4.3.4 /proc/config.gz to .config, and running make.
> 
> Thanks

okay i'll pass this along to the pax/grsec team.  also, you should really upload your config files to the bug and not pastebin them because pastebins go away and we want to have all the records remain intact.
Comment 4 Chris Henhawke 2016-12-20 16:57:20 UTC
Created attachment 456894
4.3.4 config
Comment 5 Chris Henhawke 2016-12-20 16:57:44 UTC
Created attachment 456896
4.8.11 config
Comment 6 Chris Henhawke 2017-01-14 21:49:16 UTC
I'm going to close this as I was also having problems upgrading to hardened 4.7 and 4.4, and I've since been able to boot into hardened 4.4.  It might be possible I was doing something wrong.
Comment 7 PaX Team 2017-01-15 10:51:40 UTC
what we would need is dmesg as your screenshot is just missing the lines where USERCOPY reported the slab cache name that was caught during a usercopy operation. my guess is that one/some of zfs's own slabs should be created via kmem_cache_create_usercopy/KMEM_CACHE_USERCOPY instead of kmem_cache_create/KMEM_CACHE. as for disabling HARDENED_USERCOPY, i think it's caused by the def_bool in security/Kconfig, the following patch should fix it:

--- a/security/Kconfig   2017-01-01 23:37:07.038614134 +0100
+++ b/security/Kconfig    2017-01-15 11:49:38.737320407 +0100
@@ -913,7 +913,7 @@
          copy_to_user() and copy_from_user().

 config HARDENED_USERCOPY
-       def_bool y
+       bool
        select BUG if BROKEN_SECURITY

 config HARDENED_USERCOPY_PAGESPAN
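
Review bot: at `config HARDENED_USERCOPY`, replacing `def_bool y` with a bare `bool` leaves the symbol with neither a prompt string nor a default, so it will not show up in menuconfig and stays off unless another option selects it. The patch description should name the option that is expected to `select HARDENED_USERCOPY`, or the entry should gain a prompt if users are meant to toggle it directly. The retained `select BUG if BROKEN_SECURITY` line only takes effect once the symbol is selected.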
Comment 8 Chris Henhawke 2017-01-15 12:52:14 UTC
I'll pass that along to the ZFS folks, but unfortunately I can't keep rebooting that machine for testing, so hopefully someone else can pick up where I left off.

https://github.com/zfsonlinux/zfs/issues/5468
Comment 9 Chris Henhawke 2017-11-18 06:43:51 UTC
Closing stale bug as CANTFIX since hardened-sources has been removed from portage.
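
A userspace model of the slab whitelisting that comment 7 alludes to, added here as an illustration; it is not code from grsecurity, the kernel, or ZFS. The `model_cache` struct, the function names and the offset/size whitelist are assumptions, modelled on the usercopy whitelisting later merged into mainline Linux, and the check in hardened-sources 4.8.11 may differ in detail.

```c
/* Userspace model only (added example): builds with any C99 compiler. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a slab cache; only the fields the check needs. */
struct model_cache {
    const char *name;
    size_t object_size;  /* size of one object in the cache */
    size_t useroffset;   /* start of the region allowed to cross the user boundary */
    size_t usersize;     /* length of that region; 0 means nothing is whitelisted */
};

/* Plain creation: no part of the object is whitelisted. */
static struct model_cache cache_create(const char *name, size_t size)
{
    struct model_cache c = { name, size, 0, 0 };
    return c;
}

/* Whitelisting creation: [useroffset, useroffset + usersize) may be copied. */
static struct model_cache cache_create_usercopy(const char *name, size_t size,
                                                size_t useroffset, size_t usersize)
{
    struct model_cache c = { name, size, useroffset, usersize };
    return c;
}

/* True if copying n bytes at `offset` inside one object stays in the whitelist. */
static bool usercopy_allowed(const struct model_cache *c, size_t offset, size_t n)
{
    if (offset < c->useroffset)
        return false;
    size_t into = offset - c->useroffset;
    if (into > c->usersize || n > c->usersize - into)
        return false;
    return true;
}

int main(void)
{
    /* Constructed cache name and sizes, not taken from ZFS. */
    struct model_cache plain = cache_create("example_buf", 512);
    struct model_cache listed = cache_create_usercopy("example_buf", 512, 0, 512);
    printf("plain:  %s\n", usercopy_allowed(&plain, 0, 64) ? "copied" : "rejected, cache name reported");
    printf("listed: %s\n", usercopy_allowed(&listed, 0, 64) ? "copied" : "rejected, cache name reported");
    return 0;
}
```

In this model a cache created without a whitelist rejects every non-empty copy, which is why the slab cache name from dmesg is what identifies the allocation that would need converting.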