On Tue, Jul 16, 2013 at 03:39:35PM +0200, Reindl Harald wrote: iirc, it was disabled in the past because it broke the build, and no-one had the time to fix up the broken drivers. Dave

Am 22.07.2013 22:29, schrieb Paul Bolle: honestly i have no idea i started to use checksec / hardening-check for make sure any of my network services are proper hardened and saw this below and thought no mistake to ask :-) [root@srv-rhsoft:~]$ checksec --help Usage: checksec [OPTION] Options: --file <executable-file> --dir <directory> [-v] --proc <process name> --proc-all --proc-libs <process ID> --kernel --fortify-file <executable-file> --fortify-proc <process ID> --version --help [root@srv-rhsoft:~]$ checksec --kernel * Kernel protection information: Description - List the status of kernel protection mechanisms. Rather than inspect kernel mechanisms that may aid in the prevention of exploitation of userspace processes, this option lists the status of kernel configuration options that harden the kernel itself against attack. Kernel config: /boot/config-3.9.10-200.fc18.x86_64 Warning: The config on disk may not represent running kernel config! GCC stack protector support: Enabled Strict user copy checks: Disabled Enforce read-only kernel data: Enabled Restrict /dev/mem access: Enabled Restrict /dev/kmem access: Enabled * grsecurity / PaX: No GRKERNSEC The grsecurity / PaX patchset is available here: http://grsecurity.net/ * Kernel Heap Hardening: No KERNHEAP The KERNHEAP hardening patchset is available here: https://www.subreption.com/kernheap/

On Mon, 2013-07-22 at 22:29 +0200, Paul Bolle wrote: That seems to be caused by commit 2fb0815c9ee6b9ac50e15dd8360ec76d9fa46a22 ("gcc4: disable __compiletime_object_size for GCC 4.6+"), which was indeed released with v3.10. So, apparently, the copy_from_user() checks need a GCC fix to be useful in the first place, at least for current Fedora releases (as Fedora 18 is already at GCC 4.7.2). Paul Bolle