Old 07-10-09, 08:54 AM   #1
konst
Registered User
 
Join Date: May 2006
Posts: 57
Default HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60"

Nvidia people please help with this.
I use Gentoo Hardened kernel version 2.6.29.2 grsecurity ver 2.1.14

When I try to run a program that uses openGL, for example nvidia-settings, I get this:
PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60
PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):10867, uid/euid: 1000/1000, PC: 000070b18cbe4410, SP: 0000726bf6bf5fa8
PAX: bytes at PC: 64 48 8b 04 25 20 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc
PAX: bytes at SP-8:
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/nvidia-settings

That happens with all apps that use openGL.
Please tell me how I can use your nvidia binary drivers to run openGL apps without downgrading my security. Disabling grsecurity and PAX is not an option cause that's like saying to a Windows user turn off all your antivirus and protections so you can run openGL.

So I hope you're not going to say something like "in order to use our products you have to downgrade security on your system and leave your system wide open to crackers"

Nvidia developers whether you have a solution or not to this problem I would like you to state your position and opinions about it so I can decide what I should do in the future. Please reply back promptly. Thank you.

One more example:
I tried paxctl -spcm on amarok but it still doesn't start.

Also I found this on the grsecurity mail list:
"The 3rd party nvidia stuff has runtime execution code in the shared
object ( & drivers ) so any program that is directly linked to it and
calls whatever function in it is going to cause the same error. So just
use the chpax or paxctl on the glx{gears,info} or use the rbac system.

Anyway the root of the problem is in the 3rd party driver & app so it's
not something trivially we can fix. The vendor has to be persuaded to
release a non runtime exec compatible versions and I don't think they
really want to do that (yet).

> I know it doesn't make much sense to be using grsec with a desktop machine,

It makes complete sense to run grsec and PaX on a desktop just the same
as a server. Think about it for a sec.. Where do you ssh from into your
servers or whatever.. Most of the time your desktop, and if your desktop
gets owned then you're going to be mega screwed."
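
Added example (not part of any post in this thread, and not NVIDIA or grsecurity code): a log triage that pairs the two PAX lines quoted in the first post and lists which binaries were terminated and which mapped object triggered it, so any exception can be scoped to those binaries alone. The syslog prefix, the optional trailing address range and the last two sample lines are assumptions.

```python
import re
from collections import defaultdict

# Formats follow the two PAX lines quoted in the post; the optional syslog
# prefix and the optional trailing address range are assumptions.
ATTEMPT = re.compile(
    r"PAX: execution attempt in: (?P<obj>.+?)(?:, [0-9a-f]+-[0-9a-f]+ [0-9a-f]+)?\s*$")
TERMINATE = re.compile(
    r"PAX: terminating task: (?P<exe>.+?)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)")

def triage(lines):
    """Pair each 'execution attempt' with the 'terminating task' that follows.

    Returns {executable: {"objects": set, "pids": set, "root": bool}}.
    """
    report = defaultdict(lambda: {"objects": set(), "pids": set(), "root": False})
    pending = None  # object named by the most recent unmatched attempt line
    for line in lines:
        m = ATTEMPT.search(line)
        if m:
            pending = m.group("obj")
            continue
        m = TERMINATE.search(line)
        if m:
            entry = report[m.group("exe")]
            entry["objects"].add(pending or "<unknown>")
            entry["pids"].add(int(m.group("pid")))
            # A terminated task that ran with euid 0 should be reviewed first.
            entry["root"] = entry["root"] or m.group("euid") == "0"
            pending = None
    return dict(report)

# Constructed sample: the first three lines are from the post, the last two
# (syslog prefix, glxgears, euid 0) are made up for illustration.
SAMPLE = """\
PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60
PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):10867, uid/euid: 1000/1000, PC: 000070b18cbe4410, SP: 0000726bf6bf5fa8
PAX: bytes at PC: 64 48 8b 04 25 20 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc
Jul 10 09:02:11 host kernel: PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60
Jul 10 09:02:11 host kernel: PAX: terminating task: /usr/bin/glxgears(glxgears):11002, uid/euid: 0/0, PC: 000070b18cbe4410, SP: 0000726bf6bf5fa8
""".splitlines()

if __name__ == "__main__":
    for exe, info in sorted(triage(SAMPLE).items()):
        flag = " [euid 0]" if info["root"] else ""
        print(f"{exe}{flag}: pids={sorted(info['pids'])} objects={sorted(info['objects'])}")
```
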
Old 07-10-09, 10:10 AM   #2
AaronP
NVIDIA Corporation
 
Join Date: Mar 2005
Posts: 2,487
Default Re: HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60"

The GL driver needs to generate code for performance reasons. I'll suggest it as a new feature request, but it's unlikely that we'll be able to provide a special driver specifically for PAX/grsec systems.
Old 07-10-09, 10:49 AM   #3
konst
Registered User
 
Join Date: May 2006
Posts: 57
Default Re: HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60"

Quote:
Originally Posted by AaronP
> The GL driver needs to generate code for performance reasons. I'll suggest it as a new feature request, but it's unlikely that we'll be able to provide a special driver specifically for PAX/grsec systems.

Really are you serious? I thought the much faster GPU takes care of the performance rather than depending on a slow CPU to generate code for whatever situation it is. I don't know what the nvidia libGL is supposed to be doing but generating code doesn't sound efficient or performance enhancing.

Anyway, there must be some settings that would let it do what it does but still have security isn't there? What do I have to allow it to do in terms of PAX and grsecurity? Maybe I can find some settings that would work.
Old 07-10-09, 10:59 AM   #4
konst
Registered User
 
Join Date: May 2006
Posts: 57
Default Re: HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60"

Quote:
Originally Posted by AaronP
> The GL driver needs to generate code for performance reasons. I'll suggest it as a new feature request, but it's unlikely that we'll be able to provide a special driver specifically for PAX/grsec systems.

By the way, I should add that if the fact that "GL driver needs to generate code for performance reasons" means it's a security risk then nvidia shouldn't be doing it that way and all the drivers you provide should be secure not just for people who use PAX/grsec systems.

You obviously would know about the cards; I use the 8800 GTX. Couldn't the huge processing power of the GPU do the code generation in the card's memory since I'm sure the nvidia libGL wouldn't need much memory for the code it generates?
Old 07-10-09, 12:16 PM   #5
AaronP
NVIDIA Corporation
 
Join Date: Mar 2005
Posts: 2,487
Default Re: HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60"

Performance is a balancing act between the CPU and the GPU. Unoptimized CPU code can easily leave the GPU starved for work and sitting idle.
Old 07-10-09, 12:55 PM   #6
konst
Registered User
 
Join Date: May 2006
Posts: 57
Default Re: HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60"

Quote:
Originally Posted by AaronP
> Performance is a balancing act between the CPU and the GPU. Unoptimized CPU code can easily leave the GPU starved for work and sitting idle.

Ok then. What about specific paxctl settings on nvidia files to make nvidia's opengl work?

Do you have an idea of what settings and on what files I need to set with paxctl to get opengl to work?
Old 07-10-09, 02:48 PM   #7
AaronP
NVIDIA Corporation
 
Join Date: Mar 2005
Posts: 2,487
Default Re: HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60"

I don't know about paxctl. I'd suggest looking at the selinux workarounds in nvidia-installer. You can hopefully do something similar with paxctl.
Old 07-10-09, 04:31 PM   #8
konst
Registered User
 
Join Date: May 2006
Posts: 57
Default Re: HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60"

Quote:
Originally Posted by AaronP
> I don't know about paxctl. I'd suggest looking at the selinux workarounds in nvidia-installer. You can hopefully do something similar with paxctl.

There's not really anything about SELinux in the installer.

PAX protects against things SELinux doesn't, like preventing programs from writing code in their data region and then executing it like the nvidia driver apparently does. You can see why that is a security risk.

This is what PAX can do to any file:
Flag Name Description
P PAGEEXEC Refuse code execution on writable pages based on the NX bit (or emulated NX bit)
S SEGMEXEC Refuse code execution on writable pages based on the segmentation logic of IA-32
E EMUTRAMP Allow known code execution sequences on writable pages that should not cause any harm
M MPROTECT Prevent the creation of new executable code to the process address space
R RANDMMAP Randomize the stack base to prevent certain stack overflow attacks from being successful
X RANDEXEC Randomize the address where the application maps to to prevent certain attacks from being exploitable

Currently PAX is preventing the nvidia driver from doing all those.
Can you tell me what the relevant files in the nvidia driver require for opengl to work?

Old 07-11-09, 03:35 AM   #9
Dragoran
Registered User
 
Join Date: May 2004
Posts: 711
Default Re: HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60"

Quote:
> PAX protects against things SELinux doesn't, like preventing programs from writing code in their data region and then executing it like the nvidia driver apparently does. You can see why that is a security risk.

Selinux does the same, programs are not allowed to execute code unless explicitly granted.

The nvidia-installer labels the files "textrel_shlib_t" which lets selinux allow it to do what it does.
Old 07-11-09, 07:39 AM   #10
konst
Registered User
 
Join Date: May 2006
Posts: 57
Default Re: HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60"

Quote:
Originally Posted by Dragoran
> Selinux does the same, programs are not allowed to execute code unless explicitly granted.
>
> The nvidia-installer labels the files "textrel_shlib_t" which lets selinux allow it to do what it does.

PAX and grsecurity do much more than not allowing programs to execute code. SELinux is a type of access control list system. PAX and grsecurity are different but could be used with it.

Currently PAX is not letting the nvidia driver libGL execute code it wrote to data memory. Can you imagine what a hacker/cracker would do if he could put code in a memory location that has been marked as data and then execute it? They could get control of the whole system and you wouldn't even know it.

Nvidia's way of doing this driver, at least the way things are done now with Xorg and everything, is a BIG security risk and everyone is at risk. What if there are security holes in the Nvidia driver? A hacker/cracker could exploit that and get root access and you can kiss your system goodbye.
Old 07-11-09, 10:59 AM   #11
Dragoran
Registered User
 
Join Date: May 2004
Posts: 711
Default Re: HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60"

Quote:
> Currently PAX is not letting the nvidia driver libGL execute code it wrote to data memory

That is exactly what I was referring to. (i.e. it's what selinux disallows by default too)

Besides the nvidia driver is not the only app that does this. (flash/java/mono do the same).
Old 07-11-09, 02:56 PM   #12
konst
Registered User
 
Join Date: May 2006
Posts: 57
Default Re: HELP "execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.180.60"

Quote:
Originally Posted by Dragoran
> That is exactly what I was referring to. (i.e. it's what selinux disallows by default too)
>
> Besides the nvidia driver is not the only app that does this. (flash/java/mono do the same).

Actually, SELinux is an access control mechanism. GRsecurity actually prevents unknown bugs from being exploited plus it has an access control mechanism. You can actually use both GRsecurity and SELinux together.

I'm aware that flash/java/mono do the same thing (flash being the most dangerous in my opinion). I'm not sure they have root access like the Nvidia driver has which is more dangerous.

I wonder what the NVidia driver has to write code for performance reasons. Java and mono have decreased performance when they have to write code but that's a different situation.

This is one of the reasons why the Nvidia specs and driver should be open source.