
problems: grsec (cvs) (gradm segfault + oops, etc)

Posted: Mon Nov 18, 2002 4:10 pm
by devastor
Hi,

Something odd happened to me today when I was configuring my acl system:

# gradm -a
Password:
(all ok here, got to admin mode)
# pico mysql.acl
# gradm -R
Password:
(I pushed ctrl-X ctrl-C here, because I didn't want to reload it yet)
# pico mysql.acl
# gradm -R
Password:
zsh: 31955 segmentation fault gradm -R
(here I typed the correct password and everything blew up :) )
got an Oops in the logs and the whole ACL system was shut down
# gradm -R
Password:
#
(no segfault etc. here, but the ACL system was disabled...)

things seen in dmesg:
(first I go to admin mode (ok), then I try to reload the ACL (oops),
and when I try it again the ACL system is disabled)
-----

grsec: From 192.168.0.4: successful change to admin mode by (gradm:5992) UID(0) EUID(0), parent (zsh:20534) UID(0) EUID(0)
Unable to handle kernel paging request at virtual address 752f6465
printing eip:
c01f0777
*pde = 00000000
Oops: 0000
CPU: 0
EIP: 0010:[<c01f0777>] Not tainted
EFLAGS: 00010286
eax: d085202f ebx: c25841c0 ecx: c2584200 edx: 0000039b
esi: c25841c1 edi: 752f6465 ebp: d0852e6c esp: c968fdc4
ds: 0018 es: 0018 ss: 0018
Process gradm (pid: 31955, stackpage=c968f000)
Stack: 00000000 c2584180 c2584180 080c7478 d0852000 000007f7 d0852000 000007f7
000bc9b4 02000000 c01f0d24 c25841c0 00000002 00000006 00000000 c2584180
c968fe70 080c6a00 c968ff38 c968fe70 c2584180 080c6a00 000003c0 c968e000
Call Trace: [<c01f0d24>] [<c01f1107>] [<c01f338d>] [<c01195be>] [<c011961c>]
[<c01348c6>] [<c010872b>]

Code: ae 75 08 84 c0 75 f8 31 c0 eb 04 19 c0 0c 01 85 c0 75 bc eb
<1>grsec: From 192.168.0.4: Ignoring reload request for disabled ACL

--Here's the Oops ran through ksymoops: ---

(I don't have module support, which probably causes that error; I don't think it
causes any problems, though)

Error (regular_file): read_ksyms stat /proc/ksyms failed
ksymoops: No such file or directory
No modules in ksyms, skipping objects
No ksyms, skipping lsmod
Unable to handle kernel paging request at virtual address 752f6465
c01f0777
*pde = 00000000
Oops: 0000
CPU: 0
EIP: 0010:[<c01f0777>] Not tainted
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00010286
eax: d085202f ebx: c25841c0 ecx: c2584200 edx: 0000039b
esi: c25841c1 edi: 752f6465 ebp: d0852e6c esp: c968fdc4
ds: 0018 es: 0018 ss: 0018
Process gradm (pid: 31955, stackpage=c968f000)
Stack: 00000000 c2584180 c2584180 080c7478 d0852000 000007f7 d0852000 000007f7
000bc9b4 02000000 c01f0d24 c25841c0 00000002 00000006 00000000 c2584180
c968fe70 080c6a00 c968ff38 c968fe70 c2584180 080c6a00 000003c0 c968e000
Call Trace: [<c01f0d24>] [<c01f1107>] [<c01f338d>] [<c01195be>] [<c011961c>]
[<c01348c6>] [<c010872b>]
Code: ae 75 08 84 c0 75 f8 31 c0 eb 04 19 c0 0c 01 85 c0 75 bc eb

>>EIP; c01f0777 <insert_name_entry+b7/120> <=====

>>eax; d085202f <END_OF_CODE+105b5927/????>
>>ebx; c25841c0 <END_OF_CODE+22e7ab8/????>
>>ecx; c2584200 <END_OF_CODE+22e7af8/????>
>>esi; c25841c1 <END_OF_CODE+22e7ab9/????>
>>edi; 752f6465 Before first symbol
>>ebp; d0852e6c <END_OF_CODE+105b6764/????>
>>esp; c968fdc4 <END_OF_CODE+93f36bc/????>

Trace; c01f0d24 <copy_user_acl+f4/390>
Trace; c01f1107 <grsecurity_init+147/170>
Trace; c01f338d <gr_proc_handler+9ad/18d0>
Trace; c01195be <do_rw_proc+22e/240>
Trace; c011961c <proc_writesys+1c/30>
Trace; c01348c6 <sys_write+96/f0>

Trace; c010872b <system_call+33/50>

Code; c01f0777 <insert_name_entry+b7/120>
00000000 <_EIP>:
Code; c01f0777 <insert_name_entry+b7/120> <=====
0: ae scas %es:(%edi),%al <=====
Code; c01f0778 <insert_name_entry+b8/120>
1: 75 08 jne b <_EIP+0xb> c01f0782 <insert_name_entry+c2/120>
Code; c01f077a <insert_name_entry+ba/120>
3: 84 c0 test %al,%al
Code; c01f077c <insert_name_entry+bc/120>
5: 75 f8 jne ffffffff <_EIP+0xffffffff> c01f0776 <insert_name_entry+b6/120>
Code; c01f077e <insert_name_entry+be/120>
7: 31 c0 xor %eax,%eax
Code; c01f0780 <insert_name_entry+c0/120>
9: eb 04 jmp f <_EIP+0xf> c01f0786 <insert_name_entry+c6/120>
Code; c01f0782 <insert_name_entry+c2/120>
b: 19 c0 sbb %eax,%eax
Code; c01f0784 <insert_name_entry+c4/120>
d: 0c 01 or $0x1,%al
Code; c01f0786 <insert_name_entry+c6/120>
f: 85 c0 test %eax,%eax
Code; c01f0788 <insert_name_entry+c8/120>
11: 75 bc jne ffffffcf <_EIP+0xffffffcf> c01f0746 <insert_name_entry+86/120>
Code; c01f078a <insert_name_entry+ca/120>
13: eb 00 jmp 15 <_EIP+0x15> c01f078c <insert_name_entry+cc/120>

1 warning and 1 error issued. Results may not be reliable.

When I tried gradm -E I got an Oops again...

Oops is also available at http://www.silen.eu.org/usr/oops.txt
(it may be easier to read it from there... not sure what this forum does with
too-long lines :) )
I haven't yet been able to reproduce this... so I hope you can figure something out
from that Oops...

Thanks,

Tuomas Silen
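A small triage helper for the Oops above, added here as an example; it is not part of the original post and not code from grsecurity or gradm. It parses the fault line and the register dump, labels each value as a kernel or user-range address (assuming the default 3G/1G split of a 2.4-era i386 kernel, PAGE_OFFSET 0xc0000000, which the post does not state), and checks whether the little-endian bytes of a value are all printable ASCII. For this Oops it reports that edi, the register the `scas %es:(%edi),%al` at the faulting EIP in insert_name_entry dereferences, holds 0x752f6465, whose bytes are "ed/u": string data was used as a pointer while copy_user_acl was copying gradm's structures, which is the kind of result a layout mismatch between a gradm and a kernel checked out at different times would give.

```python
import re

# Assumption (not stated in the post): a 2.4-era i386 kernel with the default
# 3G/1G split, so kernel virtual addresses start at PAGE_OFFSET.
PAGE_OFFSET = 0xC0000000

# The fault line and the general-purpose register lines, copied from the Oops
# in the post above.  Any 2.4-style i386 Oops with the same layout will parse.
OOPS_LINES = [
    "Unable to handle kernel paging request at virtual address 752f6465",
    "eax: d085202f ebx: c25841c0 ecx: c2584200 edx: 0000039b",
    "esi: c25841c1 edi: 752f6465 ebp: d0852e6c esp: c968fdc4",
]

FAULT_RE = re.compile(r"virtual address ([0-9a-f]{8})")
REG_RE = re.compile(r"\b(e(?:ax|bx|cx|dx|si|di|bp|sp)):\s*([0-9a-f]{8})")


def parse_oops(lines):
    """Return (fault_address, {register: value}); fault is None if no fault line is present."""
    fault = None
    regs = {}
    for line in lines:
        m = FAULT_RE.search(line)
        if m:
            fault = int(m.group(1), 16)
        for name, value in REG_RE.findall(line):
            regs[name] = int(value, 16)
    return fault, regs


def le_bytes(value):
    """The four bytes that, read little-endian from memory, yield this 32-bit value."""
    return value.to_bytes(4, "little")


def looks_like_text(value):
    """True when every byte of the value is printable ASCII: the 'pointer' is string data."""
    return all(0x20 <= b < 0x7F for b in le_bytes(value))


def classify(value):
    """Label a 32-bit value as a kernel address, a user-range address, or user-range ASCII."""
    if value >= PAGE_OFFSET:
        return "kernel"
    if looks_like_text(value):
        return "user-range, bytes read as ASCII %r" % le_bytes(value).decode("ascii")
    return "user-range"


def triage(lines):
    """Classify the fault address and every register; list the registers equal to the fault address."""
    fault, regs = parse_oops(lines)
    report = {name: classify(value) for name, value in regs.items()}
    report["fault"] = classify(fault) if fault is not None else "unknown"
    # A register equal to the faulting address is the one the faulting
    # instruction dereferenced (here edi, matching `scas %es:(%edi),%al` at EIP).
    report["faulting_regs"] = sorted(n for n, v in regs.items() if v == fault)
    return report


if __name__ == "__main__":
    for key, label in sorted(triage(OOPS_LINES).items()):
        print("%-13s %s" % (key, label))
```

Run it against the three lines above and the only register flagged is edi, with the fault address decoding to "ed/u"; ebx and esi (c25841c0 and c25841c1, the other string being compared) are ordinary kernel addresses, so the bad side of the comparison is the one that came from userland.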

Posted: Mon Nov 18, 2002 4:40 pm
by devastor
Oh, I forgot to say that this is indeed the CVS version and may not be
the most recent one... gradm is from CVS too...
I think I took it from there at the beginning of this month...
So it might be fixed in a more recent version?

Posted: Mon Nov 18, 2002 5:06 pm
by spender
Yeah, grab the newest one of both. Did you check out gradm at a different time than grsecurity? Some of the changes might not have been synced up when you grabbed them. Let me know if the problem crops up again, though. As far as I can tell, there's no reason why that piece of code should have any problems.

-Brad

Posted: Mon Nov 18, 2002 5:38 pm
by devastor
Will do that; I'll let you know if I encounter any problems :)
Is there a CVS version of the documentation somewhere, btw?
Telling what all the new modes are/do, etc... :)

Posted: Mon Nov 18, 2002 5:45 pm
by spender
Not yet. I think the following is all you'll need:

New subject modes:

O -> disable ptrace and mmap restrictions for this subject

X -> enable RANDEXEC for this subject
G -> enable EMUTRAMPS for this subject
R -> disable RANDMMAP for this subject
M -> disable MPROTECT for this subject
S -> disable SEGMEXEC for this subject
P -> disable PAGEEXEC for this subject

-bRAD