On Sun, 22 Feb 2015, Kenan Avdic wrote:
> Hi Ben, thanks for looking into this.
>
> Here's the full invocation for the error:
> gcc
> -Wp,-MD,/home/xyko/openafs/openafs-git/src/libafs/MODLOAD-3.2.65-hardened-r2-MP/.rand-fortuna-kernel.o.d
> -nostdinc -isystem /usr/lib/gcc/x86_64-pc-linux-gnu/4.8.3/include
> -I/usr/src/linux-3.2.65-hardened-r2/arch/x86/include
> -Iarch/x86/include/generated -Iinclude -include
> /usr/src/linux-3.2.65-hardened-r2/include/linux/kconfig.h -D__KERNEL__
> -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing
> -fno-common -Werror-implicit-function-declaration -Wno-format-security
> -fno-delete-null-pointer-checks -O2 --param=allow-store-data-races=0
> -m64 -mtune=generic -mno-red-zone -mcmodel=kernel -funit-at-a-time
> -maccumulate-outgoing-args -ffreestanding -DCONFIG_AS_CFI=1
> -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -DCONFIG_AS_CFI_SECTIONS=1
> -DCONFIG_AS_FXSAVEQ=1 -pipe -Wno-sign-compare
> -fno-asynchronous-unwind-tables -mno-sse -mno-mmx -mno-sse2 -mno-3dnow
> -Wframe-larger-than=2048 -fno-stack-protector
> -Wno-unused-but-set-variable -fomit-frame-pointer
> -fno-var-tracking-assignments -Wdeclaration-after-statement
> -Wno-pointer-sign -fno-strict-overflow -fconserve-stack
> -DCC_HAVE_ASM_GOTO
> -fplugin=/usr/src/linux-3.2.65-hardened-r2/tools/gcc/stackleak_plugin.so
> -DSTACKLEAK_PLUGIN -fplugin-arg-stackleak_plugin-track-lowest-sp=100
> -fplugin=/usr/src/linux-3.2.65-hardened-r2/tools/gcc/kernexec_plugin.so
> -fplugin-arg-kernexec_plugin-method="or" -DKERNEXEC_PLUGIN
> -fplugin=/usr/src/linux-3.2.65-hardened-r2/tools/gcc/colorize_plugin.so
> -fplugin=/usr/src/linux-3.2.65-hardened-r2/tools/gcc/size_overflow_plugin/size_overflow_plugin.so
> -DSIZE_OVERFLOW_PLUGIN
> -fplugin=/usr/src/linux-3.2.65-hardened-r2/tools/gcc/latent_entropy_plugin.so
> -DLATENT_ENTROPY_PLUGIN
> -fplugin=/usr/src/linux-3.2.65-hardened-r2/tools/gcc/randomize_layout_plugin.so

Quoting from http://www.grsecurity.net/~spender/randomize_layout_plugin.patch:

+config GRKERNSEC_RANDSTRUCT + bool "Randomize layout of sensitive kernel structures" + help + If you say Y here, the layouts of a number of sensitive kernel + structures (task, fs, cred, etc) and all structures composed entirely + of function pointers (aka "ops" structs) will be randomized at compile-time. + This can introduce the requirement of an additional infoleak + vulnerability for exploits targeting these structure types. + + Enabling this feature will introduce some performance impact, slightly + increase memory usage, and prevent the use of forensic tools like + Volatility against the system (unless the kernel source tree isn't + cleaned after kernel installation). + + The seed used for compilation is located at tools/gcc/randstruct.seed. + It remains after a make clean to allow for external modules to be compiled + with the existing seed and will be removed by a make mrproper or + make distclean.

I suspect that the struct layout randomization code is triggering on the RAND_METHOD structure (see, e.g., is_pure_ops_struct() on the linked patch), and the use of an ordered initializer is incompatible with the layout randomization. The bulk of the linked patch is converting struct initializers to the C99 .member syntax, which is compatible with the random layout.

OpenAFS cannot switch to that C99 syntax because it is not fully supported on all the platforms OpenAFS attempts to support. (This code is actually code imported from Heimdal, anyway, so Heimdal would need to make the change first.)

I guess the obvious thing for you to do is configure the kernel without GRKERNSEC_RANDSTRUCT.

-Ben

> -DRANDSTRUCT_PLUGIN
> -fplugin-arg-randomize_layout_plugin-performance-mode -D__KERNEL__
> -DKERNEL -D_KERNEL -DMODULE
> -I/home/xyko/openafs/openafs-git/src/libafs/MODLOAD-3.2.65-hardened-r2-MP/.
> -I/home/xyko/openafs/openafs-git/src/libafs/MODLOAD-3.2.65-hardened-r2-MP/../
> -I/home/xyko/openafs/openafs-git/src/config
> -I/home/xyko/openafs/openafs-git/src/rx
> -I/home/xyko/openafs/openafs-git/src/rxstat
> -I/home/xyko/openafs/openafs-git/src/libafs/MODLOAD-3.2.65-hardened-r2-MP/.
> -I/home/xyko/openafs/openafs-git/src/libafs/MODLOAD-3.2.65-hardened-r2-MP/..
> -I/home/xyko/openafs/openafs-git/src/libafs/MODLOAD-3.2.65-hardened-r2-MP/../nfs
> -I/home/xyko/openafs/openafs-git/src/crypto/hcrypto/kernel
> -I/home/xyko/openafs/openafs-git/src
> -I/home/xyko/openafs/openafs-git/src/afs
> -I/home/xyko/openafs/openafs-git/src/afs/LINUX
> -I/home/xyko/openafs/openafs-git/src/config
> -I/home/xyko/openafs/openafs-git/src/rx/LINUX
> -I/home/xyko/openafs/openafs-git/src/external/heimdal
> -I/home/xyko/openafs/openafs-git/src
> -I/home/xyko/openafs/openafs-git/src/afs
> -I/home/xyko/openafs/openafs-git/src/afs/LINUX
> -I/home/xyko/openafs/openafs-git/src/config
> -I/home/xyko/openafs/openafs-git/src/fsint
> -I/home/xyko/openafs/openafs-git/src/vlserver
> -I/home/xyko/openafs/openafs-git/src/auth
> -I/home/xyko/openafs/openafs-git/include
> -I/home/xyko/openafs/openafs-git/include/afs
> -I/home/xyko/openafs/openafs-git/src/external/heimdal/hcrypto
> -DMODULE -D"KBUILD_STR(s)=#s"
> -D"KBUILD_BASENAME=KBUILD_STR(rand_fortuna_kernel)" -c -o
> /home/xyko/openafs/openafs-git/src/libafs/MODLOAD-3.2.65-hardened-r2-MP/.tmp_rand-fortuna-kernel.o
> /home/xyko/openafs/openafs-git/src/libafs/MODLOAD-3.2.65-hardened-r2-MP/rand-fortuna-kernel.c
> /home/xyko/openafs/openafs-git/src/libafs/MODLOAD-3.2.65-hardened-r2-MP/rand-fortuna-kernel.c:643:5:
> error: invalid initializer
> fortuna_seed,
>
> /Kenan
>
> On 20 February 2015 at 22:27, Benjamin Kaduk <[email protected]> wrote:
> > On Thu, 19 Feb 2015, Kenan Avdic wrote:
> >
> >> Hi,
> >>
> >> I'm having some strange problems compiling openafs from git master. I
> >> am on gentoo hardened, kernel 3.2.65 and gcc 4.8.3 hardened.
> >>
> >> Compilation of the kernel module fails with:
> >> Building in directory: MODLOAD-3.2.65-hardened-r2-MP
> >> make[4]: Entering directory
> >> '/home/xyko/openafs/openafs-git/src/libafs/MODLOAD-3.2.65-hardened-r2-MP'
> >> env EXTRA_CFLAGS=""
> >> /home/xyko/openafs/openafs-git/src/libafs/make_kbuild_makefile.pl
> >> MODLOAD-3.2.65-hardened-r2-MP libafs.ko
> >> /home/xyko/openafs/openafs-git/src/config/Makefile.config Makefile.afs
> >> Makefile.common
> >> ( env EXTRA_CFLAGS="" \
> >> make -C /lib/modules/3.2.65-hardened-r2/build
> >> M=/home/xyko/openafs/openafs-git/src/libafs/MODLOAD-3.2.65-hardened-r2-MP
> >> modules 2>&1 \
> >> || echo "FAILURE: make exit code $?" ) | tee .makelog
> >> make[5]: Entering directory '/usr/src/linux-3.2.65-hardened-r2'
> >> CC [M]
> >> /home/xyko/openafs/openafs-git/src/libafs/MODLOAD-3.2.65-hardened-r2-MP/rand-fortuna-kernel.o
> >
> > Can you get the full compiler invocation (i.e., V=0 or similar)?
> >
> > I do not see anything obviously out of place, either.
> > (I do note that clang's error messages tend to be a bit more helpful than
> > gcc's, but maybe clang would not error out here, either.)
> >
> > -Ben Kaduk
> >
>
> --
> Kenan Avdic, M.Sc Most people would sooner die than think;
> [email protected] in fact, they do so. /Russell
>
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
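
Review bot: The last paragraph of the quoted GRKERNSEC_RANDSTRUCT help text says the seed is kept "to allow for external modules to be compiled with the existing seed", but nothing in the entry mentions any constraint on how those modules initialize the affected structures; the reply in this thread suspects an ordered initializer is what breaks here, so a sentence on initializer requirements for external modules would belong next to the seed paragraph. The parenthetical "unless the kernel source tree isn't cleaned after kernel installation" is also a double negative and would read more clearly as "unless the kernel source tree is left uncleaned".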
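
Why an ordered initializer depends on declaration order while the C99 `.member` form does not, as an added example that is not code from this thread, OpenAFS, Heimdal or the grsecurity patch. The struct, the function names and the hand-permuted second layout are hypothetical; the permutation stands in for a seed-chosen order, and the example shows only the C initializer rule, not the plugin's own behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical two-member ops table (not OpenAFS or Heimdal code). Both
 * members share one function type, so the compiler cannot tell them apart. */
typedef int (*fill_fn)(unsigned char *buf, int len);

/* Same members, two declaration orders. The second order is a hand-made
 * stand-in for what a layout-randomizing plugin could choose from its seed. */
struct ops_as_written { fill_fn bytes; fill_fn pseudorand; };
struct ops_shuffled   { fill_fn pseudorand; fill_fn bytes; };

static int strong_fill(unsigned char *buf, int len) { memset(buf, 0xAA, (size_t)len); return 1; }
static int weak_fill(unsigned char *buf, int len)   { memset(buf, 0x00, (size_t)len); return 0; }

/* Ordered initializers: value N is stored in whichever member is declared Nth. */
static const struct ops_as_written ordered_written  = { strong_fill, weak_fill };
static const struct ops_shuffled   ordered_shuffled = { strong_fill, weak_fill };

/* C99 designated initializers: each value is bound to a member by name. */
static const struct ops_shuffled named_shuffled = {
    .bytes = strong_fill,
    .pseudorand = weak_fill,
};

/* Each helper calls the table's .bytes slot and returns 1 only if the call
 * reached strong_fill, 0 if it reached weak_fill. */
int ordered_written_ok(void)  { unsigned char b[4]; return ordered_written.bytes(b, 4); }
int ordered_shuffled_ok(void) { unsigned char b[4]; return ordered_shuffled.bytes(b, 4); }
int named_shuffled_ok(void)   { unsigned char b[4]; return named_shuffled.bytes(b, 4); }

int main(void)
{
    printf("ordered init, source order : bytes -> %s\n",
           ordered_written_ok() ? "strong_fill" : "weak_fill");
    printf("ordered init, shuffled     : bytes -> %s\n",
           ordered_shuffled_ok() ? "strong_fill" : "weak_fill");
    printf("designated init, shuffled  : bytes -> %s\n",
           named_shuffled_ok() ? "strong_fill" : "weak_fill");
    return 0;
}
```

In the build quoted in this thread gcc stopped with `error: invalid initializer` instead of producing a mis-bound table; the example covers the case where the member types match and nothing is diagnosed.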
