[gentoo-hardened] VMware-related bug

[gentoo-hardened] VMware-related bug

[Alex Efros]

Hi!

While discussing inability to run 64-bit VMware guests on 32-bit Gentoo
Hardened host I got reply: it's because of GrSec/Pax bug related to

    "way that vmap(..., VM_PAGE_KERNEL_EXEC) may map a page as
    non-executable, despite the flag requesting an executable mapping":
    http://communities.vmware.com/message/1567187#1567187

I wonder which hardened-source will include fix for this issue?
Is candidate for next stable (2.6.32-r?) have it?

-- 
			WBR, Alex.

Re: [gentoo-hardened] VMware-related bug

[Brian Kroth]

[-- Attachment #1: Type: text/plain, Size: 786 bytes --]

Alex Efros <powerman@powerman.name> 2010-07-08 21:36:
> Hi!
> 
> While discussing inability to run 64-bit VMware guests on 32-bit Gentoo
> Hardened host I got reply: it's because of GrSec/Pax bug related to
> 
>     "way that vmap(..., VM_PAGE_KERNEL_EXEC) may map a page as
>     non-executable, despite the flag requesting an executable mapping":
>     http://communities.vmware.com/message/1567187#1567187
> 
> I wonder which hardened-source will include fix for this issue?
> Is candidate for next stable (2.6.32-r?) have it?
> 
> -- 
> 			WBR, Alex.

So far as I know KVM works and in my experience has performed much
better than VMWare Workstation/Server.  You might want to give that a
try.  libvirt and virt-manager make it fairly easy to deal with.

Brian

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 197 bytes --]

Re: [gentoo-hardened] VMware-related bug

[pageexec]

On 8 Jul 2010 at 21:36, Alex Efros wrote:

> Hi!
> 
> While discussing inability to run 64-bit VMware guests on 32-bit Gentoo
> Hardened host I got reply: it's because of GrSec/Pax bug related to
> 
>     "way that vmap(..., VM_PAGE_KERNEL_EXEC) may map a page as
>     non-executable, despite the flag requesting an executable mapping":
>     http://communities.vmware.com/message/1567187#1567187
> 
> I wonder which hardened-source will include fix for this issue?
> Is candidate for next stable (2.6.32-r?) have it?

the problem with vmap handling was fixed on i386 last year iirc (but definitely
later than your .28, that's very old ;), on amd64 only recently after we'd talked
to a vmware engineer.

so in general .32+ should work, as far as this problem is concerned. unfortunately
i couldn't find a working ebuild for vmware 7 yet, so i can't tell if there're more
problems or not.

Re: [gentoo-hardened] VMware-related bug

[Alex Efros]

Hi!

On Fri, Jul 09, 2010 at 12:15:36AM +0200, pageexec@freemail.hu wrote:
> so in general .32+ should work, as far as this problem is concerned. unfortunately
> i couldn't find a working ebuild for vmware 7 yet, so i can't tell if there're more
> problems or not.

it's in layman's "vmware" overlay

-- 
			WBR, Alex.

Re: [gentoo-hardened] VMware-related bug

[pageexec]

On 9 Jul 2010 at 2:04, Alex Efros wrote:

> On Fri, Jul 09, 2010 at 12:15:36AM +0200, pageexec@freemail.hu wrote:
> > so in general .32+ should work, as far as this problem is concerned. unfortunately
> > i couldn't find a working ebuild for vmware 7 yet, so i can't tell if there're more
> > problems or not.
> 
> it's in layman's "vmware" overlay

cool, looks like it works now, it didn't when i tried it some months ago ;). also
vmware-modules needs a patch as vmmon miscalculates the kernel's huge page size and
refuses to start a vm, i'll open a bugzilla entry about it.