hashkill 0.3.1 and git do not build for ati on grsec/pax kernel

[ZeroChaos-]

gen 2 i5 with intel and nvidia graphics on gentoo hardened
nvidia-drivers-304.64

> > > Unpacking source...
> > > Unpacking hashkill-0.3.1.tar.gz to /var/tmp/portage/app-crypt/hashkill-0.3.1/work
> > > Source unpacked in /var/tmp/portage/app-crypt/hashkill-0.3.1/work
> > > Preparing source in /var/tmp/portage/app-crypt/hashkill-0.3.1/work/hashkill-0.3.1 ...
> > > - Running eautoreconf in '/var/tmp/portage/app-crypt/hashkill-0.3.1/work/hashkill-0.3.1' ...
> > > - Running libtoolize --install --copy --force --automake ...            [ ok ]
> > > - Running aclocal -I m4 ...                                             [ ok ]
> > > - Running autoconf ...                                                  [ ok ]
> > > - Running automake --add-missing --copy --foreign ...                   [ ok ]
> > > - Running elibtoolize in: hashkill-0.3.1/
> > > -   Applying portage/1.2.0 patch ...
> > > -   Applying sed/1.5.6 patch ...
> > > -   Applying as-needed/2.4.2 patch ...
> > >   Source prepared.
> > >   Configuring source in /var/tmp/portage/app-crypt/hashkill-0.3.1/work/hashkill-0.3.1 ...
> > > - econf: updating hashkill-0.3.1/config.guess with /usr/share/gnuconfig/config.guess
> > > - econf: updating hashkill-0.3.1/config.sub with /usr/share/gnuconfig/config.sub
> > >   ./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --disable-dependency-tracking
> > >   configure: loading site script /usr/share/config.site
> > >   checking build system type... x86_64-pc-linux-gnu
> > >   checking host system type... x86_64-pc-linux-gnu
> > >   checking how to print strings... printf
> > >   checking for x86_64-pc-linux-gnu-gcc... x86_64-pc-linux-gnu-gcc
> > >   checking whether the C compiler works... yes
> > >   checking for C compiler default output file name... a.out
> > >   checking for suffix of executables... 
> > >   checking whether we are cross compiling... no
> > >   checking for suffix of object files... o
> > >   checking whether we are using the GNU C compiler... yes
> > >   checking whether x86_64-pc-linux-gnu-gcc accepts -g... yes
> > >   checking for x86_64-pc-linux-gnu-gcc option to accept ISO C89... none needed
> > >   checking for a sed that does not truncate output... /bin/sed
> > >   checking for grep that handles long lines and -e... /bin/grep
> > >   checking for egrep... /bin/grep -E
> > >   checking for fgrep... /bin/grep -F
> > >   checking for ld used by x86_64-pc-linux-gnu-gcc... /usr/x86_64-pc-linux-gnu/bin/ld
> > >   checking if the linker (/usr/x86_64-pc-linux-gnu/bin/ld) is GNU ld... yes
> > >   checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
> > >   checking the name lister (/usr/bin/nm -B) interface... BSD nm
> > >   checking whether ln -s works... yes
> > >   checking the maximum length of command line arguments... 1572864
> > >   checking whether the shell understands some XSI constructs... yes
> > >   checking whether the shell understands "+="... yes
> > >   checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
> > >   checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
> > >   checking for /usr/x86_64-pc-linux-gnu/bin/ld option to reload object files... -r
> > >   checking for x86_64-pc-linux-gnu-objdump... x86_64-pc-linux-gnu-objdump
> > >   checking how to recognize dependent libraries... pass_all
> > >   checking for x86_64-pc-linux-gnu-dlltool... x86_64-pc-linux-gnu-dlltool
> > >   checking how to associate runtime and link libraries... printf %s\n
> > >   checking for x86_64-pc-linux-gnu-ar... x86_64-pc-linux-gnu-ar
> > >   checking for archiver @FILE support... @
> > >   checking for x86_64-pc-linux-gnu-strip... x86_64-pc-linux-gnu-strip
> > >   checking for x86_64-pc-linux-gnu-ranlib... x86_64-pc-linux-gnu-ranlib
> > >   checking for gawk... gawk
> > >   checking command to parse /usr/bin/nm -B output from x86_64-pc-linux-gnu-gcc object... ok
> > >   checking for sysroot... no
> > >   checking for x86_64-pc-linux-gnu-mt... no
> > >   checking for mt... no
> > >   checking if : is a manifest tool... no
> > >   checking how to run the C preprocessor... x86_64-pc-linux-gnu-gcc -E
> > >   checking for ANSI C header files... yes
> > >   checking for sys/types.h... yes
> > >   checking for sys/stat.h... yes
> > >   checking for stdlib.h... yes
> > >   checking for string.h... yes
> > >   checking for memory.h... yes
> > >   checking for strings.h... yes
> > >   checking for inttypes.h... yes
> > >   checking for stdint.h... yes
> > >   checking for unistd.h... yes
> > >   checking for dlfcn.h... yes
> > >   checking for objdir... .libs
> > >   checking if x86_64-pc-linux-gnu-gcc supports -fno-rtti -fno-exceptions... no
> > >   checking for x86_64-pc-linux-gnu-gcc option to produce PIC... -fPIC -DPIC
> > >   checking if x86_64-pc-linux-gnu-gcc PIC flag -fPIC -DPIC works... yes
> > >   checking if x86_64-pc-linux-gnu-gcc static flag -static works... yes
> > >   checking if x86_64-pc-linux-gnu-gcc supports -c -o file.o... yes
> > >   checking if x86_64-pc-linux-gnu-gcc supports -c -o file.o... (cached) yes
> > >   checking whether the x86_64-pc-linux-gnu-gcc linker (/usr/x86_64-pc-linux-gnu/bin/ld -m elf_x86_64) supports shared libraries... yes
> > >   checking whether -lc should be explicitly linked in... no
> > >   checking dynamic linker characteristics... GNU/Linux ld.so
> > >   checking how to hardcode library paths into programs... immediate
> > >   checking whether stripping libraries is possible... yes
> > >   checking if libtool supports shared libraries... yes
> > >   checking whether to build shared libraries... yes
> > >   checking whether to build static libraries... yes
> > >   checking for a BSD-compatible install... /usr/bin/install -c
> > >   checking whether build environment is sane... yes
> > >   checking for a thread-safe mkdir -p... /bin/mkdir -p
> > >   checking whether make sets $(MAKE)... yes
> > >   checking for style of include used by make... GNU
> > >   checking dependency style of x86_64-pc-linux-gnu-gcc... none
> > >   configure: creating ./config.status
> > >   config.status: creating Makefile
> > >   config.status: creating src/Makefile
> > >   config.status: creating man/Makefile
> > >   config.status: executing libtool commands
> > >   config.status: executing depfiles commands
> > >   checking for x86_64-pc-linux-gnu-gcc... (cached) x86_64-pc-linux-gnu-gcc
> > >   checking whether we are using the GNU C compiler... (cached) yes
> > >   checking whether x86_64-pc-linux-gnu-gcc accepts -g... (cached) yes
> > >   checking for x86_64-pc-linux-gnu-gcc option to accept ISO C89... (cached) none needed
> > >   checking whether x86_64-pc-linux-gnu-gcc and cc understand -c and -o together... yes
> > >   checking dependency style of x86_64-pc-linux-gnu-gcc... none
> > >   checking termios.h usability... yes
> > >   checking termios.h presence... yes
> > >   checking for termios.h... yes
> > >   checking sys/param.h usability... yes
> > >   checking sys/param.h presence... yes
> > >   checking for sys/param.h... yes
> > >   checking fcntl.h usability... yes
> > >   checking fcntl.h presence... yes
> > >   checking for fcntl.h... yes
> > >   checking for stdlib.h... (cached) yes
> > >   checking pthread.h usability... yes
> > >   checking pthread.h presence... yes
> > >   checking for pthread.h... yes
> > >   checking for dlfcn.h... (cached) yes
> > >   checking for string.h... (cached) yes
> > >   checking for unistd.h... (cached) yes
> > >   checking openssl/md5.h usability... yes
> > >   checking openssl/md5.h presence... yes
> > >   checking for openssl/md5.h... yes
> > >   checking arpa/inet.h usability... yes
> > >   checking arpa/inet.h presence... yes
> > >   checking for arpa/inet.h... yes
> > >   checking zlib.h usability... yes
> > >   checking zlib.h presence... yes
> > >   checking for zlib.h... yes
> > >   checking openssl/sha1.h usability... no
> > >   checking openssl/sha1.h presence... no
> > >   checking for openssl/sha1.h... no
> > >   checking wchar.h usability... yes
> > >   checking wchar.h presence... yes
> > >   checking for wchar.h... yes
> > >   checking stddef.h usability... yes
> > >   checking stddef.h presence... yes
> > >   checking for stddef.h... yes
> > >   checking for size_t... yes
> > >   checking for uint64_t... yes
> > >   checking for uint32_t... yes
> > >   checking for uint16_t... yes
> > >   checking for uint8_t... yes
> > >   checking for int64_t... yes
> > >   checking for int32_t... yes
> > >   checking for int16_t... yes
> > >   checking for int8_t... yes
> > >   checking for ssize_t... yes
> > >   checking for uid_t in sys/types.h... yes
> > >   checking for ptrdiff_t... yes
> > >   checking for inline... inline
> > >   checking for stdbool.h that conforms to C99... yes
> > >   checking for _Bool... yes
> > >   checking for stdlib.h... (cached) yes
> > >   checking for GNU libc compatible malloc... yes
> > >   checking for bzero... yes
> > >   checking for strstr... yes
> > >   checking for sysinfo... yes
> > >   checking for strerror... yes
> > >   checking for endpwent... yes
> > >   checking for getcwd... yes
> > >   checking for strchr... yes
> > >   checking for strcspn... yes
> > >   checking for strtoul... yes
> > >   checking for memset... yes
> > >   checking for strtol... yes
> > >   checking for atexit... yes
> > >   checking for memmove... yes
> > >   checking for mkdir... yes
> > >   checking for munmap... yes
> > >   checking for setenv... yes
> > >   checking for memchr... yes
> > >   checking for stdlib.h... (cached) yes
> > >   checking for GNU libc compatible realloc... yes
> > >   checking for stdlib.h... (cached) yes
> > >   checking for unistd.h... (cached) yes
> > >   checking for sys/param.h... (cached) yes
> > >   checking for getpagesize... yes
> > >   checking for working mmap... yes
> > >   checking for working alloca.h... yes
> > >   checking for alloca... yes
> > >   checking whether lstat correctly handles trailing slash... yes
> > >   checking for x86 cpuid 0x00000001 output... 206a7:3100800:1fbae3bf:bfebfbff
> > >   checking whether sse2 is supported... yes
> > >   checking whether C compiler accepts -msse2... yes
> > >   checking if json-c is available... yes
> > >   checking for json_tokener_parse in -ljson... yes
> > >   checking json/json.h usability... yes
> > >   checking json/json.h presence... yes
> > >   checking for json/json.h... yes
> > >   checking jsonlib in ... ok
> > >   checking for x86_64-pc-linux-gnu-pkg-config... no
> > >   checking for pkg-config... /usr/bin/pkg-config
> > >   checking pkg-config is at least version 0.9.0... yes
> > >   checking for DEPS... yes
> > >   checking for DEPS... yes
> > >   configure: creating ./config.status
> > >   config.status: creating Makefile
> > >   config.status: creating src/Makefile
> > >   config.status: creating man/Makefile
> > >   config.status: executing libtool commands
> > >   config.status: executing depfiles commands
> > >   Source configured.
> > >   Compiling source in /var/tmp/portage/app-crypt/hashkill-0.3.1/work/hashkill-0.3.1 ...
> > >   make -j5 -l4 
> > >   Making all in src
> > >   make[1]: Entering directory `/var/tmp/portage/app-crypt/hashkill-0.3.1/work/hashkill-0.3.1/src'
> > >   Making all in kernels/compiler
> > >   make[2]: Entering directory`/var/tmp/portage/app-crypt/hashkill-0.3.1/work/hashkill-0.3.1/src/kernels/compiler'
> > >   # AMD
> > >   cc -o amd-compiler amd-compiler.c ../../lzma/7zFile.c ../../lzma/7zStream.c ../../lzma/LzmaDec.c ../../lzma/LzmaEnc.c ../../lzma/Alloc.c ../../lzma/LzFind.c ../../lzma/lzma.c -I../.. ../../ocl-base.c -Wno-unused-result -D_7ZIP_ST -ldl 
> > >   cc -o nvidia-compiler nvidia-compiler.c ../../lzma/7zFile.c ../../lzma/7zStream.c ../../lzma/LzmaDec.c ../../lzma/LzmaEnc.c ../../lzma/Alloc.c ../../lzma/LzFind.c ../../lzma/lzma.c -I../.. ../../ocl-base.c -Wno-unused-result -D_7ZIP_ST -ldl
> > >   /bin/sh: line 1: 17494 Segmentation fault      ./amd-compiler amd_ipb2_long n
> > >   make[2]: **\* [build] Error 139
> > >   make[2]: Leaving directory `/var/tmp/portage/app-crypt/hashkill-0.3.1/work/hashkill-0.3.1/src/kernels/compiler'
> > >   make[1]: *** [all-recursive] Error 1
> > >   make[1]: Leaving directory`/var/tmp/portage/app-crypt/hashkill-0.3.1/work/hashkill-0.3.1/src'
> > >   make: **\* [all-recursive] Error 1'''

from dmesg
'''[118699.957950] amd-compiler[17494]: segfault at 735ea6979d90 ip 0000735ea676024c sp 0000798c2cdad210 error 7 in ld-2.15.so[735ea6759000+21000]
[118699.957961] grsec: Segmentation fault occurred at 0000735ea6979d90 in /var/tmp/portage/app-crypt/hashkill-0.3.1/work/hashkill-0.3.1/src/kernels/compiler/amd-compiler[amd-compiler:17494] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:17493] uid/euid:250/250 gid/egid:250/250
[118699.957971] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/app-crypt/hashkill-0.3.1/work/hashkill-0.3.1/src/kernels/compiler/amd-compiler[amd-compiler:17494] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:17493] uid/euid:250/250 gid/egid:250/250```

[blshkv]

here is a better formatted output from ZeroChaos :
http://slexy.org/view/s20wm8aHbz

[gat3way]

Hm that's strange, the AMD compiler should be bailing out instantly if no AMD driver is installed. Can you check if you have previously installed fglrx on that host?

[ZeroChaos-]

it was at some point installed with the package manager, and it's no longer installed so all the files should be gone.

[blshkv]

That check is in place and it does skip on my system:

Compiling amd_ipb2_long without flags...
Could not find an AMD platform. Exiting.

Compiling amd_ipb2 without flags...
Could not find an AMD platform. Exiting.

and so on

Let's see what's so special about ZC setup.

[gat3way]

It might have forgotten to remove some files (even the Catalyst uninstaller itself tends to forget about some files left on the disk). I would rather check libOpenCL.so files/symlinks in /usr/lib as well as the ICD stuff that is in /etc/OpenCL/vendors.

[gat3way]

Hm, I think the output from clinfo will be also useful to debug the problem (it should come with nvidia's drivers I think). If it crashes or detects an AMD platform, this would be a strong indication that catalyst was not uninstalled properly.

[ZeroChaos-]

zero@ozzie ~ % clinfo
zsh: command not found: clinfo
zero@ozzie ~ % sudo su -
ozzie ~ # clinfo
zsh: command not found: clinfo
ozzie ~ #

[ZeroChaos-]

ozzie vendors # pwd
/etc/OpenCL/vendors
ozzie vendors # ls
intelocl64.icd nvidia.icd

ozzie vendors # ls -al /usr/lib64/libOpenCL.so*
lrwxrwxrwx 1 root root 40 Dec 15 17:45 /usr/lib64/libOpenCL.so -> OpenCL/vendors/nvidia/libOpenCL.so.1.0.0*
lrwxrwxrwx 1 root root 40 Dec 15 17:45 /usr/lib64/libOpenCL.so.1 -> OpenCL/vendors/nvidia/libOpenCL.so.1.0.0*

[blshkv]

We've done some debugging. The problem seems somewhere in the initialize_opencl function:

amd-compiler.c:
    printf("\n\nDebug: The main AMD function\n");

    if (argc!=3) usage();

    if (initialize_opencl() != hash_ok).
    {
<------>printf("No OpenCL library found!\n");
<------>exit(0);
    }

    printf("Debug: OpenCL detected\n");

ocl-base.c:

hash_stat initialize_opencl(void)
{
    printf("Debug: dlopen\n");

    dll = dlopen( "libOpenCL.so", RTLD_LAZY/*|RTLD_GLOBAL*/);
    if (!dll)
    {
          dll = dlopen( "libOpenCL.so.1", RTLD_LAZY/*|RTLD_GLOBAL*/);
          if (!dll)
          {
              return hash_err;
          }
    }

    printf("Debug: GetProcAddress 1\n");

Output:
Debug: The main AMD function
Debug: dlopen

It prints "Debug: dlopen", does not print the second "Debug: GetProcAddress" and exit quietly without printing the final message from the parent [amd-compiler.c] printf("No OpenCL library found!\n");

Would you have any ideas?..

[gat3way]

That's very strange. Can you run ltrace (not strace) on that command? I also now noticed that the crash is in the dynamic loader library. Can you try changing RTLD_LAZY with RTLD_NOW and see if it changes? Still cannot explain why it behaves so though.

[blshkv]

While we are waiting for ZC, the only logical explanation I have is the hardened kernel settings.
For example, CONFIG_GRKERNSEC_LINK=y since it is a symlink

It might block the code execution of dlopen function, that's why we don't see the proper exit.

A quick search gave this:
http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml

Normally this would be done with dlopen(3) and friends, including obtaining symbol addresses via dlsym(3), but it is possible to avoid using dlsym(3) and a plethora of pointers in the code by using lazy binding, although it's not pretty.

I no expert here.

[ZeroChaos-]

ozzie compiler # ltrace ./amd-compiler amd_ipb2_long n

Debug: The main AMD function
Debug: dlopen
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

dmesg

[177980.263734] grsec: Segmentation fault occurred at 0000799215318d90 in /tmp/hashkill-0.3.1/src/kernels/compiler/amd-compiler[amd-compiler:13285] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:13284] uid/euid:0/0 gid/egid:0/0
[177980.263744] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /tmp/hashkill-0.3.1/src/kernels/compiler/amd-compiler[amd-compiler:13285] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:13284] uid/euid:0/0 gid/egid:0/0
[177984.487183] grsec: Segmentation fault occurred at 000076ffb1d9ed90 in /tmp/hashkill-0.3.1/src/kernels/compiler/amd-compiler[amd-compiler:13290] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/ltrace[ltrace:13289] uid/euid:0/0 gid/egid:0/0
[177984.487294] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /tmp/hashkill-0.3.1/src/kernels/compiler/amd-compiler[amd-compiler:13290] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/ltrace[ltrace:13289] uid/euid:0/0 gid/egid:0/0

[ZeroChaos-]

The strace version of this is far more interesting to me:

write(1, "Debug: dlopen\n", 14Debug: dlopen ) = 14 open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=241803, ...}) = 0 mmap(NULL, 241803, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7a014c754000 close(3) = 0 open("/usr/lib64/libOpenCL.so", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\33\0\0\0\0\0\0"..., 832) = 832 brk(0) = 0x9419828a720 brk(0x941982ab720) = 0x941982ab720 brk(0x941982ac000) = 0x941982ac000 fstat(3, {st_mode=S_IFREG|0755, st_size=21296, ...}) = 0 mmap(NULL, 2116768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7a014be03000 mprotect(0x7a014be07000, 2097152, PROT_NONE) = 0 mmap(0x7a014c007000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7a014c007000 mprotect(0x7a014c7d1000, 3476, PROT_READ|PROT_WRITE) = -1 EACCES (Permission denied) --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x7a014c7d1d90} --- +++ killed by SIGSEGV +++ zsh: segmentation fault strace ./amd-compiler amd_ipb2_long n

mprotect appears to be blocking something here and then it dies...

Running paxctl -m amd-compiler (turning off mprotect) it seems that I now get this output:

Debug: The main AMD function
Debug: dlopen
Debug: GetProcAddress 1
Debug: GetProcAddress 2
Debug: GetProcAddress 3
Debug: GetProcAddress 4
Debug: GetProcAddress 4
Debug: GetProcAddress 5
Debug: GetProcAddress 6
Debug: GetProcAddress 7
Debug: GetProcAddress 8
Debug: GetProcAddress 9
Debug: GetProcAddress 10
Debug: GetProcAddress 11
Debug: GetProcAddress 12
Debug: GetProcAddress 13
Debug: GetProcAddress 14
Debug: GetProcAddress 15
Debug: GetProcAddress 16
Debug: clGetProgramInfo
No OpenCL library found!

I'm guessing that a bit closer to intended. Perhaps we can fix whatever is pissing off mprotect?

[gat3way]

From the PaX documentation....

The goal of MPROTECT is to help prevent the introduction of new executable
code into the task's address space. This is accomplished by restricting the
mmap() and mprotect() interfaces.

The restrictions prevent

• creating executable anonymous mappings
• creating executable/writable file mappings
• making an executable/read-only file mapping writable except for performing
  relocations on an ET_DYN ELF file (non-PIC shared library)
• making a non-executable mapping executable

Ugh...that is not good. The executable mapping is being done by the dynamic loader library and happens when I load the plugins (or the opencl library). This is the way it works and it is outside hashkill's control. I am not very much acquainted with PaX though...are there some kind of rules which specify who can do that and who cannot? Since this is something very basic (e.g apache modules should be loaded more or less the same way). Perhaps the right way to deal with that would be to create some PaX configuration allowing hashkill to dynamically load libraries like this (dlopen/dlsym)?

[blshkv]

As far as I'm aware there is no pax configit is only possible to disable pax for the binary.

Could you have a look how they do it at cryptohaze (http://sourceforge.net/projects/cryptohaze/files/) ? There is no such problem with that software.

[gat3way]

Yes - they do not load libOpenCL.so dynamically, it is rather a link-time dependency. Those are just 2 different approaches with pros and cons. E.g hashkill does not require AMD APP SDK to build and does not require two different binaries (cpu-only and cpu/opencl). However there are indeed cases like this (with pax) where this breaks.

[gat3way]

What I meant is that with cryptohaze's approach (which hashkill previously followed btw), the binary is either dynamically linked to libOpenCL, or not (depends on build-time specifics). A binary that is linked to libOpenCL would not run on a system without a GPU at all. This in turn would create headache to distributions that want to ship it in binary form. hashcat solve it in another way - they have a cpu-only cracker (hashcat) and GPU-only ones (oclhashcat-lite and oclhashcat-plus) that are completely different programs.

[gat3way]

I am going to close this (now specifying --disable-amd-ocl at configure-time should solve the issue) - still the root cause is unknown though

[blshkv]

Just to make it clear, the workaround is to run following commands during compilation:

paxctl -m src/kernels/compiler/amd-compiler
paxctl -m src/kernels/compiler/nvidia-compiler

the hardened kernel does not allow to use some technique used in both compilers and disabling kernel protection (which is not cool) is the only way for now. It has nothing to do with "--disable*-ocl" options.

Also, the tool itself will probably fail to run as well, so it the folowing is necessary:

paxctl -m /usr/bin/hashkill

The title should be: ".. does not work on hardened kernel" and it is not fixed.

[ZeroChaos-]

I'm not really sure how allowing me to disable ati support allows me to successfully build with ati support... This shouldn't be closed.

[gat3way]

Ooops, sorry, should have re-read that thread before closing, looks like 10 days are enough to forget what it was really about :(

Reopening it. I am now writing a mail to the PaX team to ask if there is something that can be done (programatically) to avoid that. Will keep you updated with the reply.

[gat3way]

OK, that's the response from PaX developers:

...i think the problem you ran into is this: http://forums.grsecurity.net/viewtopic.php?f=3&t=2194

if the 'bad' library in question doesn't do runtime codegen and just has an
incorrectly set GNU_STACK header then execstack -c is the best fix, otherwise
MPROTECT must be disabled on the executables that load the lib (paxctl -m or
the new xattr stuff or grsec's rbac).

I will now check the thread as well.

[gat3way]

ZeroChaos, do you experience the same problem with any other OpenCL software? Also, does execstack -c /usr/lib/libOpenCL.so fix the issue for you? If that's the case then we should perhaps address this to the OpenCL vendor...

[ZeroChaos-]

issues like this don't appear on current git code, so let's just close this and assume everything is happy happy :-)

[ZeroChaos-]

oops, I'm stupid, this is the same bug I just reported again. sorry for the noise.

[ZeroChaos-]

execstack -c was replaced by fix-gnustack -f, however it looks like /usr/lib/libOpenCL.so wasn't set execstack in the first place so this did exactly nothing.