
Bug 629062

Summary: x11-drivers/nvidia-drivers-384.59-r1 has an outdated pax_kernel patch
Product: Gentoo Linux
Reporter: Alex Efros <powerman-asdf>
Component: Hardened
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED FIXED
Severity: normal
CC: norman.shulman, powerman-asdf
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: nvidia-drivers-384.47-pax.patch
Don't modify const struct.
User patch for nvidia-drivers-387.12
nvidia-drivers-387.22-pax.patch
nvidia-drivers-387.22-pax.patch w/ uvm fix

Description Alex Efros 2017-08-27 13:40:04 UTC
Created attachment 490868 [details, diff]
nvidia-drivers-384.47-pax.patch

>>> Preparing source in /var/tmp/portage/x11-drivers/nvidia-drivers-384.59-r1/work ...
 * Using PAX patches is not supported. You will be asked to
 * use a standard kernel should you have issues. Should you
 * need support with these patches, contact the PaX team.
 * Applying nvidia-drivers-375.20-pax.patch ...
The text leading up to this was:
--------------------------
|diff -urp work.orig/kernel/nvidia-uvm/uvm_full_fault_buffer.h work/kernel/nvidia-uvm/uvm_full_fault_buffer.h
|--- work.orig/kernel/nvidia-uvm/uvm_full_fault_buffer.h        2016-11-27 21:56:50.399642330 +0100
|+++ work/kernel/nvidia-uvm/uvm_full_fault_buffer.h     2016-11-27 21:54:23.975709978 +0100
--------------------------
No file to patch.  Skipping patch.
2 out of 2 hunks ignored
 [ !! ]
 * ERROR: x11-drivers/nvidia-drivers-384.59-r1::gentoo failed (prepare phase):
 *   patch -p1  failed with /var/tmp/portage/x11-drivers/nvidia-drivers-384.59-r1/files/nvidia-drivers-375.20-pax.patch



The updated patch (attached) was downloaded from upstream (https://www.grsecurity.net/~paxguy1/) - it looks like even after the closing of the source of the GrSecurity/PaX kernel patch, this nvidia-drivers patch is still publicly available.

The only change required in nvidia-drivers-384.59-r1.ebuild and nvidia-drivers-384.69.ebuild is to replace the patch version at this line:

-		eapply "${FILESDIR}"/${PN}-375.20-pax.patch
+		eapply "${FILESDIR}"/${PN}-384.47-pax.patch
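Review bot: the added line still pins a literal patch version (`${PN}-384.47-pax.patch`) for ebuilds 384.59-r1 and 384.69, which is the same kind of version mismatch that produced the "No file to patch" failure in the log above when the 375.20 patch met the 384.59 sources. Before committing, confirm that the 384.47 patch applies with no skipped hunks to the unpacked sources of both ebuild versions, and record in the ebuild which driver versions it was checked against so the next bump does not silently reuse it.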
Comment 1 Norman Shulman 2017-10-05 20:25:28 UTC
Created attachment 497794 [details, diff]
Don't modify const struct.

Adding this user patch makes it possible to emerge x11-drivers/nvidia-drivers-384.90 on 4.9.52-grsecurity. Note: this works with the modeset module; don't know if it will work without it.
Comment 2 Norman Shulman 2017-10-25 16:32:24 UTC
Created attachment 500066 [details, diff]
User patch for nvidia-drivers-387.12

For use with nvidia-drivers-387.12-pax.patch from https://www.grsecurity.net/~paxguy1/
Comment 3 Alex Efros 2017-11-22 21:35:19 UTC
Created attachment 505864 [details, diff]
nvidia-drivers-387.22-pax.patch

This patch is prepared from nvidia-drivers-387.12-pax.patch; only offsets and one context line were changed, so the patch is actually the same.
Comment 4 Balázs Kalmár 2017-11-25 13:11:46 UTC
Created attachment 506564 [details, diff]
nvidia-drivers-387.22-pax.patch w/ uvm fix

Thank you very much Alex, this helped me a great deal.
I added a uvm fix to the patch you attached.
source: https://forums.grsecurity.net/viewtopic.php?f=3&t=4654
Comment 5 Larry the Git Cow gentoo-dev 2019-01-16 10:32:16 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=421d7dc6fb791f8edde480dc6d989ade59c54710

commit 421d7dc6fb791f8edde480dc6d989ade59c54710
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-01-16 10:24:43 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-01-16 10:32:11 +0000

    x11-drivers/nvidia-drivers: Drop USE=pax_kernel
    
    Closes: https://bugs.gentoo.org/551366
    Closes: https://bugs.gentoo.org/593624
    Closes: https://bugs.gentoo.org/600156
    Closes: https://bugs.gentoo.org/629062
    Closes: https://bugs.gentoo.org/633738
    Closes: https://bugs.gentoo.org/650482
    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 .../files/nvidia-drivers-331.13-pax-usercopy.patch |  52 ---
 .../files/nvidia-drivers-337.12-pax-constify.patch |  25 --
 .../files/nvidia-drivers-375.20-pax.patch          | 406 ---------------------
 x11-drivers/nvidia-drivers/metadata.xml            |   4 -
 .../nvidia-drivers/nvidia-drivers-340.107.ebuild   |  12 +-
 .../nvidia-drivers/nvidia-drivers-390.87.ebuild    |  11 +-
 .../nvidia-drivers/nvidia-drivers-410.93.ebuild    |   9 +-
 .../nvidia-drivers/nvidia-drivers-415.25.ebuild    |   9 +-
 .../nvidia-drivers/nvidia-drivers-415.27.ebuild    |   9 +-
 9 files changed, 7 insertions(+), 530 deletions(-)