Page 1 of 1

Oops when reading /proc/xxx/maps on 2.6.22.9 / 200709280630

PostPosted: Tue Oct 02, 2007 2:15 pm
by olrick2
Hello,

I have the same problem as jprezes described here :
http://forums.grsecurity.net/viewtopic.php?t=1808&start=6

My kernels oops when I do cat /proc/self/maps on any of my boxes. I'm using 2.6.22.9 + grsecurity-2.1.11-2.6.22.9-200709280630.patch. The bug was already present with the previous grsec patch.

Spender asked for a stack trace with symbols, so here is mine.

20:36:07 test-pdc kernel: BUG: unable to handle kernel NULL pointer dereference at virtual address 0000017c
20:36:07 test-pdc kernel: printing eip:
20:36:07 test-pdc kernel: c04194b3
20:36:07 test-pdc kernel: *pde = 00000000
20:36:07 test-pdc kernel: Oops: 0000 [#2]
20:36:07 test-pdc kernel: SMP
20:36:07 test-pdc kernel: Modules linked in: nvram uinput ppdev lp button ac battery ipv6 dm_snapshot dm_mirror dm_mod l
oop floppy pcspkr parport_pc parport serio_raw i2c_piix4 i2c_core psmouse sworks_agp agpgart evdev tsdev ext3 jbd mbcache sd_mo
d ide_generic usbhid hid ide_cd cdrom ata_generic libata generic ohci_hcd usbcore e100 mii aic7xxx scsi_transport_spi scsi_mod
serverworks ide_core thermal processor fan
20:36:07 test-pdc kernel: CPU: 0
20:36:07 test-pdc kernel: EIP: 0060:[<c04194b3>] Not tainted VLI
20:36:07 test-pdc kernel: EFLAGS: 00010246 (2.6.22.9-grsec #2)
20:36:07 test-pdc kernel: EIP is at arch_vma_name+0xb/0x1a
20:36:07 test-pdc kernel: eax: 00000000 ebx: fffff000 ecx: 00000000 edx: ffffe000
20:36:07 test-pdc kernel: esi: 00000000 edi: c0667040 ebp: d596bf28 esp: d596beb8
20:36:07 test-pdc kernel: ds: 007b es: 007b fs: 00d8 gs: 0033 ss: 0068
20:36:07 test-pdc kernel: Process cat (pid: 2906, ti=d596a000 task=d2836030 task.ti=d596a000)
20:36:07 test-pdc kernel: Stack: c049ac0d d58def20 c05f0f4e ffffe000 fffff000 00000072 0000002d 00000078
20:36:07 test-pdc kernel: 00000070 00000000 00000000 00000000 00000000 d596bf18 00000000 d58def20
20:36:07 test-pdc kernel: 00000000 00000070 00000078 ffffe000 d2836030 00000000 00000000 00000000
20:36:07 test-pdc kernel: Call Trace:
20:36:07 test-pdc kernel: [<c04055e3>] show_trace_log_lvl+0x1a/0x2f
20:36:07 test-pdc kernel: [<c0405695>] show_stack_log_lvl+0x9d/0xa5
20:36:07 test-pdc kernel: [<c04058b3>] show_registers+0x216/0x336
20:36:07 test-pdc kernel: [<c0405aed>] die+0x11a/0x23d
20:36:07 test-pdc kernel: [<c041d655>] do_page_fault+0x4ca/0x5a5
20:36:07 test-pdc kernel: [<c059eb45>] error_code+0x75/0x80
20:36:07 test-pdc kernel: [<c049ad9f>] show_map+0xa/0xc
20:36:07 test-pdc kernel: [<c048535c>] seq_read+0x18c/0x25c
20:36:07 test-pdc kernel: [<c046e80a>] vfs_read+0xad/0x136
20:36:07 test-pdc kernel: [<c046ec2f>] sys_read+0x3d/0x61
20:36:07 test-pdc kernel: [<c0403f99>] sysenter_past_esp+0x72/0xb9
20:36:07 test-pdc kernel: =======================
20:36:07 test-pdc kernel: Code: c2 03 56 14 e8 2d 06 ff ff 8b 4d dc 8b 55 e0 8b 45 e4 e8 6d 1a 0b 00 83 c4 24 5b 5e 5f 5
d c3 90 55 8b 08 89 e5 8b 50 04 31 c0 5d <3b> 91 7c 01 00 00 ba 2f 9d 5e c0 0f 44 c2 c3 55 8b 90 80 00 00
Oct 2 20:36:07 test-pdc kernel: EIP: [<c04194b3>] arch_vma_name+0xb/0x1a SS:ESP 0068:d596beb8

I can provide full .config if required, or any other info.

Thanks a lot ! :)

Regards

Re: Oops when reading /proc/xxx/maps on 2.6.22.9 / 200709280

PostPosted: Wed Oct 03, 2007 6:24 am
by PaX Team
olrick2 wrote:I have the same problem as jprezes described here :
http://forums.grsecurity.net/viewtopic.php?t=1808&start=6

My kernels oops when I do cat /proc/self/maps on any of my boxes.
thanks, it's fixed in test31, you can apply the interdiff to grsec as well till spender picks it up.

Re: Oops when reading /proc/xxx/maps on 2.6.22.9 / 200709280

PostPosted: Wed Oct 03, 2007 12:57 pm
by olrick2
PaX Team wrote:
olrick2 wrote:I have the same problem as jprezes described here :
http://forums.grsecurity.net/viewtopic.php?t=1808&start=6

My kernels oops when I do cat /proc/self/maps on any of my boxes.
thanks, it's fixed in test31, you can apply the interdiff to grsec as well till spender picks it up.


Ok, I added the interfdiff from pax-linux-2.6.22.9-test31 to grsecurity-2.1.11-2.6.22.9-200709280630 and I can confirm the oops is now fixed.

Thank you very much :D

Regards

Re: Oops when reading /proc/xxx/maps on 2.6.22.9 / 200709280

PostPosted: Mon Oct 29, 2007 2:27 pm
by PMK
PaX Team wrote:it's fixed in test31, you can apply the interdiff to grsec as well till spender picks it up.


Hello,

I noticed that changes to arch_vma_name function in pax-linux-2.6.23-test5.patch are
the same as in pax-linux-2.6.22.9-test30.patch.
There is no test if vma->vm_mm is not NULL.
I think it can cause oops again.
Could you check why this test was removed?
Thank you.

Przemek

Re: Oops when reading /proc/xxx/maps on 2.6.22.9 / 200709280

PostPosted: Tue Oct 30, 2007 5:16 pm
by PaX Team
PMK wrote:I noticed that changes to arch_vma_name function in pax-linux-2.6.23-test5.patch are
the same as in pax-linux-2.6.22.9-test30.patch.
There is no test if vma->vm_mm is not NULL.
I think it can cause oops again.
Could you check why this test was removed?
embarrasingly, it was not removed as it never made it there in the first place :oops:. i've already fixed it here but have to check out some other changes before i upload a new patch.