Pappy's Kernel Seeds Part II <CLOSED>Please use new thread

pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5997
Location: Pomona, California.

Posted: Sun Dec 06, 2009 10:14 pm

At this point, I don't recommend the .32 kernel to anyone. While it's nice to have a means to simplify setting up the kernel, it's even better if the rest of the kernel isn't damaged to the point of un-usability. Having broken NFSv3 is a little more of a concern to me. When that gets fixed, perhaps I'll take a look at the rest of the story and see what happens.

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Mon Dec 07, 2009 8:49 pm

so regarding the 2.6.30 builds
I'd been steering well clear of 'em because of this vuln - to save some time, the "cheddar bay" nonsense.

Otherwise I'd be perfectly content to run a 2.6.30 build. Now understood *-sources revision not necessarily == vanilla-sources revision, but I'm not totally clear on which builds of *-sources (e.g. gentoo-sources, zen-sources, etc) have this vuln patched.

Looking at 2.6.30_p10 for zen at least, it's still .30

Code:

laptop02 zen-sources # emerge -pvf =sys-kernel/zen-sources-2.6.30_p10

<snipped to save space>
http://gentoo.osuosl.org/distfiles/2.6.30-zen10.patch.lzma http://downloads.zen-kernel.org/2.6.30/2.6.30-zen10.patch.lzma
http://gentoo.osuosl.org/distfiles/linux-2.6.30.tar.bz2


I may be overly paranoid in being so finicky about sticking with later revisions of .31 on a laptop, but am I off base to assume the aforementioned vuln would remain unpatched in 2.6.30_p10 or 2.6.30-* of zen and gentoo sources respectively?
pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5997
Location: Pomona, California.

Posted: Mon Dec 07, 2009 10:19 pm

As I recall, that particular devil only comes out of the woodwork for those that use TAP/TUN. It resides in tun.c, and there is a patch available. If you don't use SELinux, it's not an issue. It has been fixed for quite some time, and I'm fairly certain the fix is included in everything from .30.3 on.

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
Moriah
Advocate

Joined: 27 Mar 2004
Posts: 2117
Location: Kentucky

Posted: Mon Dec 07, 2009 10:58 pm

So I am vulnerable since I use OpenVPN which uses TAP/TUN, or no I'm not vulnerable -- which?

I am running various kernels but the openvpn boxes are running 2.6.23-gentoo-r9 and 2.6.30-gentoo-r4, with the 2.6.23-gentoo-r9 box directly facing the big bad internet on an OC3 line to the backbone. :o

Do I need to patch anything? I hope not the kernel, because I am crippled due to the inability of genkernel to make an initrd for an LVM root filesystem right now. :cry:

Does anybody know when this genkernel bit rot is going to get fixed?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Tue Dec 08, 2009 2:37 am

pappy_mcfae wrote:
As I recall, that particular devil only comes out of the woodwork for those that use TAP/TUN. It resides in tun.c, and there is a patch available. If you don't use SELinux, it's not an issue. It has been fixed for quite some time, and I'm fairly certain the fix is included in everything from .30.3 on.

Blessed be!
Pappy


.30.3 in which? mainline or gentoo sources or whereabouts?

EDIT: found it - you have a good memory!

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.30.y.git;a=commit;h=3f8fd3f9f677ce452556aca82473b7fcac370830

This is something I've wondered for some time but not had the understanding myself to figure it out.

(looks like anything built from 2.6.30.4 is fine)

One other bit - a snip from the sploit's comments (I have it handy, not linking here for obvious reasons):

EDIT: actually, I decided it was safe to leave the comments intact, stripped the code out, can find it here - http://whitehathouston.com/kernstuff.txt

Quote:

Bypassing the null ptr dereference protection in the mainline kernel
via two methods ->
if SELinux is enabled, it allows pulseaudio to map at 0
UPDATE: not just that, SELinux lets any user in unconfined_t map at
0, overriding the mmap_min_addr restriction! pulseaudio is not
needed at all! Having SELinux enabled actually *WEAKENS* system
security for these kinds of exploits!
if SELinux is disabled, use personality SVR4 to auto-map at 0


That bit seems to hint that it works regardless of SELinux.

The other bit, so I guess maybe we could backtrack

Quote:

The commit that introduced the vulnerability (Feb 6th):
http://mirror.celinuxforum.org/gitstat/commit-detail.php?commit=33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554
Though it was committed before the release of the 2.6.29 kernel, it
did not (thankfully) make it into the 2.6.29 kernel. It first
appeared in 2.6.30.


EDIT: see above

I mean it's old enough, but in a very brief stint working for a webhost I saw box after box wrecked with this one (web servers that allowed file uploads, as most do)

I'll pop over and have a read through the GLSA's and see if I can find anything, will edit my post accordingly.


Last edited by cach0rr0 on Tue Dec 08, 2009 3:21 am; edited 2 times in total
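
Added example (not part of any post in this thread, and not code from the kernel or Gentoo projects): a shell script for the triage the posts above work through by hand. It sorts a kernel release string against the boundaries quoted in the thread (bug first shipped in 2.6.30, stable fix found in 2.6.30.4), flags *-sources builds whose suffix hides the real patch level, and reports `vm.mmap_min_addr`; the function names and result labels are made up for this example.

```sh
#!/bin/sh
# Added example, not code from the thread. Boundaries are the ones the posts
# quote: the bug first shipped in 2.6.30; the stable fix was found in 2.6.30.4.

# classify_kernel RELEASE prints one label (labels are made up for this example):
#   predates          older than 2.6.30
#   in-range          vanilla 2.6.30 through 2.6.30.3
#   check-patchset    2.6.30 base plus a distro/patchset suffix (gentoo, zen...):
#                     the revision does not map to a vanilla point release,
#                     so the patchset itself has to be inspected
#   fixed-per-thread  built from 2.6.30.4 or a later 2.6.30.y
#   later-series      newer than 2.6.30.y
#   unparsed          not a dotted numeric release
classify_kernel() {
    rel=$1
    num=${rel%%[-_+]*}        # "2.6.30" from "2.6.30-gentoo-r4" or "2.6.30_p10"
    suffix=${rel#"$num"}      # "-gentoo-r4"; empty for a vanilla release
    case $num in
        ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) echo unparsed; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $num               # split on dots into $1 $2 $3 [$4]
    IFS=$old_ifs
    [ $# -ge 3 ] || { echo unparsed; return 0; }
    stable=${4:-0}
    base=$(( ($1 * 1000 + $2) * 1000 + $3 ))   # 2.6.30 -> 2006030
    if   [ "$base" -lt 2006030 ]; then echo predates
    elif [ "$base" -gt 2006030 ]; then echo later-series
    elif [ "$stable" -ge 4 ];     then echo fixed-per-thread
    elif [ -n "$suffix" ];        then echo check-patchset
    else                               echo in-range
    fi
}

# mmap_floor_state VALUE interprets vm.mmap_min_addr. The exploit comments
# quoted above say SELinux's unconfined_t overrode this floor at the time, so
# a non-zero value is one input to the assessment, not a verdict.
mmap_floor_state() {
    case $1 in
        ''|*[!0-9]*) echo unknown ;;
        0)           echo page-zero-mappable ;;
        *)           echo floor-set ;;
    esac
}

# Report for the machine this runs on.
report_host() {
    host_rel=$(uname -r)
    floor=
    if [ -r /proc/sys/vm/mmap_min_addr ]; then
        floor=$(cat /proc/sys/vm/mmap_min_addr)
    fi
    echo "kernel $host_rel: $(classify_kernel "$host_rel")"
    echo "vm.mmap_min_addr=${floor:-n/a}: $(mmap_floor_state "$floor")"
}

# Kernel strings that appear in the thread, then the local host.
for k in 2.6.23-gentoo-r9 2.6.30-gentoo-r4 2.6.30_p10 2.6.30.4 2.6.32-zen1; do
    echo "$k: $(classify_kernel "$k")"
done
report_host
```

A `check-patchset` result means the version string alone cannot answer the question; the patchset has to be checked for the tun.c fix linked above.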
cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Tue Dec 08, 2009 2:56 am

Moriah wrote:
So I am vulnerable since I use OpenVPN which uses TAP/TUN, or no I'm not vulnerable -- which?

I am running various kernels but the openvpn boxes are running 2.6.23-gentoo-r9 and 2.6.30-gentoo-r4, with the 2.6.23-gentoo-r9 box directly facing the big bad internet on an OC3 line to the backbone. :o

Do I need to patch anything? I hope not the kernel, because I am crippled due to the inability of genkernel to make an initrd for an LVM root filesystem right now. :cry:

Does anybody know when this genkernel bit rot is going to get fixed?


What are the attack vectors? Who has access to log in to this box locally?

Someone has to be able to either log on to the box and get a shell, or be able to upload files, in order to hurt you with this.

If only SSH and pptp are open, I would not be too worried - minimal attack vector, would have to be a vuln in those two services that allowed file upload or shell before they could go forward with the exploit I mentioned.



EDIT: To avoid clogging up the thread with another OT post, I'll recycle this one - was getting regular lockups on zen-2.6.31_p9. Would say it's a kernel panic, but nothing useful in the logs. Was happening at least twice an hour on the laptop. Either way, it's the "blinking light of death" on the laptop, indicating that indeed it's a hard lockup, not just X freezing.

I go back to zen-2.6.30_p10 and sure enough, things are rock solid. Even my network is stable again (bug with ath9k - if you google 'scanning two wiphys ath9k' you'll no doubt find it). Hopefully packet injection still works reliably with ath9k under .30_p10 without compat-wireless.


Last edited by cach0rr0 on Tue Dec 08, 2009 6:57 am; edited 1 time in total
Moriah
Advocate

Joined: 27 Mar 2004
Posts: 2117
Location: Kentucky

Posted: Tue Dec 08, 2009 3:11 am

The OC3 facing box is first off running a kernel older than the commit date when the vuln was introduced.

The other box is at the other end of the VPN tunnel, and the routing is configured in such a way that you would have to either log into the first box to get to the second, or you would have to be behind the second box to get into it.

Furthermore, the first box has only the root user on it, and I am the only person who remembers the password. My wife occasionally has to log into it if I am not there, but she cannot type the password correctly even when I am telling it to her over the phone, as it is quite cryptic. 8)

No files can be uploaded to either box other than by scp, which implies that the uploader knows the root password anyway.

Neither box is running SE Linux.

So I guess I am secure for now. :)
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5997
Location: Pomona, California.

Posted: Tue Dec 08, 2009 5:13 am

I'm impressed I recalled all that myself. I guess I learn this stuff even better than I thought. Cool.

Anyway, since that bug has been fixed, and the .30 kernels still allow one to be able to see their sensor readings without extra boot commands, I'll probably stick with the .30 for a while. I stuck with 2.6.29-zen2 for almost nine months with no ill effects. I'm sure I could get the same mileage out of 2.6.30-zen10.

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5997
Location: Pomona, California.

Posted: Tue Dec 08, 2009 5:15 am

It seems that the last few exploits were worse for SELinux users than for those of us who aren't afraid of others breaking into our systems. I find a certain irony in that.

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
Moriah
Advocate

Joined: 27 Mar 2004
Posts: 2117
Location: Kentucky

Posted: Tue Dec 08, 2009 6:23 am

Well, as I recall, SE_LINUX was developed by Red Hat to meet certification requirements of FIPS and the NSA. Maybe you *ARE* better off not building a system that the NSA certifies, as that just could mean they can get into it! 8O
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Tue Dec 08, 2009 8:44 am

pappy_mcfae wrote:
There is a bug with the .32 kernels. NFSv3 doesn't work properly. For those interested, here is the bug report. I guess perhaps it should have been in the shop another week so they could work on that before they released it. Hmm.

Blessed be!
Pappy


Further to this, a user reported the same in this thread:

https://forums.gentoo.org/viewtopic-t-805745.html

Citing the following RH bugzilla entry:

https://bugzilla.redhat.com/show_bug.cgi?id=538077

Seems there's a solution/workaround:

Vorlon wrote:

Mounting with the "-o vers=3" option fixed the problem.


Nice change to slip through ;x

Still a bit skittish about the prospects of .32 after my stability issues on .31_p9 of zen-sources (see my post seconding another user's noticed behaviour)
pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5997
Location: Pomona, California.

Posted: Wed Dec 09, 2009 6:31 am

aramis_qc wrote:
I'm currently running 2.6.32 in my unstable environment. I'll try localmodconfig as soon as an RC version is available. Instead of using oldconfig, I'll create a .config from a seed and then run the localmodconfig. Is it good sense?


I can't see as it will hurt anything to do so. I've thought about testing the command, but I'm dealing with my own full plate. Be sure to keep a functional kernel in reserve, and let me know how it works out.

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5997
Location: Pomona, California.

Posted: Wed Dec 09, 2009 7:14 am

cach0rr0 wrote:

Seems there's a solution/workaround:

Vorlon wrote:

Mounting with the "-o vers=3" option fixed the problem.


Nice change to slip through ;x

Still a bit skittish about the prospects of .32 after my stability issues on .31_p9 of zen-sources (see my post seconding another user's noticed behaviour)


I just made the change to the file that controls my autofs mounts. It seems that adding nfsvers=3 to all my mounts has stopped that error in its tracks. Thanks for the heads-up on this one.

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5997
Location: Pomona, California.

Posted: Wed Dec 09, 2009 9:51 am

I've got the links page done. I've also added .configs for 2.6.27.40, 2.6.27.41, and 2.6.31.7 in both x86 and x86_64 flavors. The failover is also updated, just in case.

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Sat Dec 12, 2009 4:36 am

pappy

somewhat OT again, you heard anything about this?

http://www.desktoplinux.com/news/NS3428410650.html

article wrote:
The somewhat controversial "Devtmpfs" boot system, meanwhile, was said to be favored by Torvalds. Devtmpfs "should mean that the Linux kernel boots faster and no longer requires udev, while new make targets will allow testers to easily generate kernel configurations adapted to their systems," writes Leemhuis


be nice to both have a faster boot, and get rid of udev. I have no doubt that's still so very experimental, but I'm about to do a 2.6.32-zen build and was curious.
pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5997
Location: Pomona, California.

Posted: Sat Dec 12, 2009 5:53 am

No, but I do find it interesting. I fixed the nfs issue on this machine, and the others are soon to follow. I've read of a fix for the lm_sensors issues. I've been wanting to try it, but the web pages take some time to set up.

The .32 kernel on this machine seems to boot rapidly, but I haven't run a side-by-side with 2.6.30-zen10 to see if this is real, or just a wishful thought. I might see if I can see a difference. It should be interesting.

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
Moriah
Advocate

Joined: 27 Mar 2004
Posts: 2117
Location: Kentucky

Posted: Sat Dec 12, 2009 2:32 pm

For most applications, boot time should not be an issue. We only boot these things to upgrade the kernel, or to fix or upgrade the hardware. I average a couple of months between reboots. Who cares if it takes 60 seconds or 55 seconds?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Sat Dec 12, 2009 8:34 pm

Moriah wrote:
For most applications, boot time should not be an issue. We only boot these things to upgrade the kernel, or to fix or upgrade the hardware. I average a couple of months between reboots. Who cares if it takes 60 seconds or 55 seconds?


well no, for servers of course it's not important :P

but I've managed to get my laptop's boot time down from average 71 seconds to 33 seconds (most of that came from migrating to OpenRC/baselayout-2).

This is a big big deal for me - an awesome deal! Using 2.6.32-zen1, baselayout-2, openrc-9999.
Moriah
Advocate

Joined: 27 Mar 2004
Posts: 2117
Location: Kentucky

Posted: Sun Dec 13, 2009 1:11 am

I have a laptop -- an HP nw8240 -- that I started putting gentoo on, but I keep getting interrupted by dumb things like work. :?

I might have a little break around Christmas to fiddle some more with it. My goal is to have the thing running Gentoo with wifi, bluetooth, sound, and Pantech PCMCIA Sprint broadband wireless internet (looks like a pair of USB devices). I also want sleep and hibernation working, and all the power management stuff so that batteries last a long time.

The main reason I am running Microsloth Windoze XP on the other laptops is for customer compatibility, and because all that laptop stuff "just works". With vmware, I run Gentoo on those boxes, but I could turn that around and boot Gentoo then run vmware to get the Microsloth stuff when I needed it.

I also want whole disk encryption with a boot token (USB flash drive, flash card like a camera, or mini CD).

If all this works, then I will convert my current main laptop to run the same way. It is a Lenovo W500 with 4GB ram and 256 GB SSD. I can bump the ram to 8 GB; all it takes is money. :wink:
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
plice
Tux's lil' helper

Joined: 09 Nov 2009
Posts: 84
Location: Poland

Posted: Tue Dec 15, 2009 1:47 am

Hello,

I'm trying again to get the nvidia onboard network card working. hardened-gentoo. Can someone pls explain: when I use the mini installation CD, the network card works fine, but configuring kernel gentoo-hardened it panics on loading forcedeth.
To my understanding gentoo-hardened will have same code + add security features (etc) and tweaks, so that the network drivers code should be the same as in standard kernel yes? Just asking because there were many problems (same as mine now) on older gentoo versions, like in 2006. Confusing :/

Thank you :)

old post:

Got acer aspire x1700 dual core 64bit with nvidia motherboard. Live CD boots fine, uses FORCEDETH and it's working fine.
Yet after I will choose FORCEDETH in kernel, I get kernel panics once net.eth0 is starting. The eth0 is:
00:0f.0 Ethernet controller: nVidia Corporation MCP73 Ethernet (rev a2)
(all motherboard based on MCP73)
pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5997
Location: Pomona, California.

Posted: Tue Dec 15, 2009 5:30 am

Sure. Post your .config, the results of lspci -n and cat /proc/cpuinfo as well as your /etc/fstab file.

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
plice
Tux's lil' helper

Joined: 09 Nov 2009
Posts: 84
Location: Poland

Posted: Tue Dec 15, 2009 6:01 am

Pappy,

I found it, hardened kernel .28 comes with forcedeth.c version 0.61. (kernel panic on this one). Nvidia brought out later one, 0.63 but it came only for 2 or 3 distros. I have tried to use the sourcefile from them, but pops out with compile errors.

latest standard kernel comes with forcedeth.c 0.64 and it works out of box.
I guess I can run normal kernel and will wait for newest hardened version.
Should I notify somebody? Is it possible (somehow) to copy forcedeth.c from .31 kernel to the .28 hardened one? I have tried that but it came out with compile errors.

Pls advise.

thanks :)
pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5997
Location: Pomona, California.

Posted: Tue Dec 15, 2009 7:46 am

plice wrote:
Pappy,

I found it, hardened kernel .28 comes with forcedeth.c version 0.61. (kernel panic on this one). Nvidia brought out later one, 0.63 but it came only for 2 or 3 distros. I have tried to use the sourcefile from them, but pops out with compile errors.


That is good to know, and this is a good place to post that information. Thanks.

Quote:
latest standard kernel comes with forcedeth.c 0.64 and it works out of box.
I guess I can run normal kernel and will wait for newest hardened version.
Should I notify somebody? Is it possible (somehow) to copy forcedeth.c from .31 kernel to the .28 hardened one? I have tried that but it came out with compile errors.

Pls advise.

thanks :)


While my view shows lots of differences between the two files, I think you might be able to directly copy the newer code into the older kernel, and not lose anything in the translation. It may also be that there would be some undefined symbols, and that would make the newer forcedeth.c fail to compile. It doesn't hurt to try, as long as you are careful.

Part of being careful is keeping a pristine kernel so you can boot into a known working situation if the experimentation results in errors. Hacking code can be fun, even kernel code; if you take your time, keep one kernel out of the fray.

If that doesn't work, then you'll have to balance out whether it's more important to use hardened sources, or to go with another, more recent source kernel, or whether it's worth it to buy some add on net device and use it instead.

Good luck, and welcome to kernel code hacking.

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5997
Location: Pomona, California.

Posted: Tue Dec 15, 2009 9:33 am

It's an all out kernel source stampede! I just added new .configs for 2.6.31.8, 2.6.32.1, 2.6.31-gentoo-r7, 2.6.31-tuxonice-r7, and 2.6.32-zen1 in both x86 and x86_64 flavors. Enjoy!

Blessed be!
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
moonhead
n00b

Joined: 17 Dec 2009
Posts: 3
Location: the bottom of a bottle

Posted: Thu Dec 17, 2009 9:49 pm

pappy,

i was referred here from the IRC channel. someone thought that you might know if there is an issue with some kernels/xorg and the intel hardware/driver?

here is the xorg log: http://dpaste.com/134729/
here is my lspci output: http://dpaste.com/134737
i'm not using a xorg.conf file. please let me know if you need more. i appreciate it! :)