grsecurity forums

Hi,
here's what i can see in syslog (Mandrake 10 Official with kernel 2.4.27 and grsecurity patch)

kernel: kernel BUG at page_alloc.c:144!
kernel: invalid operand: 0000
kernel: CPU: 1
kernel: EIP: 0010:[__free_pages_ok+82/784] Not tainted
kernel: EIP: 0010:[<c01d4a62>] Not tainted
kernel: EFLAGS: 00010286
kernel: eax: 00000000 ebx: c13ae7e8 ecx: c13ae7e8 edx: 00000000
kernel: esi: 00000008 edi: 00000000 ebp: c01037c0 esp: c2fdfe3c
kernel: ds: 0018 es: 0018 ss: 0018
kernel: Process smbd (pid: 30808, stackpage=c2fdf000)
kernel: Stack: c01d48ff 00000000 00141000 c1149a9c c1149a9c c01d5ad8 c01037c0 00141100
kernel: dfe8dbf0 00000002 00000008 00141000 de305160 c01c6ff0 00141100 c2fdfe7c
kernel: 00001411 00000000 00141000 dd9490c0 c01c715f 00141000 86838614 26838614
kernel: Call Trace: [rw_swap_page+63/96] [read_swap_cache_async+104/199] [swapin_readahead+48/112] [do_swap_page+303/368] [handle_mm_fault+385/608]
kernel: Call Trace: [<c01d48ff>] [<c01d5ad8>] [<c01c6ff0>] [<c01c715f>] [<c01c76a1>]
kernel: [do_page_fault+1264/1856] [generic_file_write+276/352] [ext3_file_write+57/192] [sys_write+279/368] [do_page_fault+0/1856] [error_code+52/64]
kernel: [<c01b0d90>] [<c01ce6c4>] [<c020d659>] [<c01dd027>] [<c01b08a0>] [<c01a2304>]
kernel:
kernel: Code: 0f 0b 90 00 28 76 3b c0 8b 35 90 14 16 c0 89 d8 29 f0 c1 f8



kernel: kernel BUG at page_alloc.c:144!
kernel: invalid operand: 0000
kernel: CPU: 1
kernel: EIP: 0010:[__free_pages_ok+82/784] Not tainted
kernel: EIP: 0010:[<c01d4a62>] Not tainted
kernel: EFLAGS: 00010286
kernel: eax: 00000000 ebx: c13ae7e8 ecx: c01039d8 edx: c0103820
kernel: esi: c13ae7e8 edi: 00000000 ebp: c01037c0 esp: c1591f08
kernel: ds: 0018 es: 0018 ss: 0018
kernel: Process kswapd (pid: 5, stackpage=c1591000)
kernel: Stack: 00000001 00000286 00000003 c8f9ae40 c8f9ae40 c8f9ae40 c13ae7e8 c01e1eeb
kernel: c8f9ae40 00000000 c13ae7e8 c01038fc 00004a6a c01d4074 c13ae7e8 000001d0
kernel: 00000c80 000001d0 00000020 00000020 000001d0 c01038fc c01038fc c01d42ea
kernel: Call Trace: [try_to_free_buffers+235/368] [shrink_cache+884/1072] [shrink_caches+74/96] [try_to_free_pages_zone+88/256] [schedule+738/1344]
kernel: Call Trace: [<c01e1eeb>] [<c01d4074>] [<c01d42ea>] [<c01d4358>] [<c01b2052>]
kernel: [kswapd_balance_pgdat+86/176] [kswapd_balance+40/64] [kswapd+152/185] [arch_kernel_thread+46/64] [kswapd+0/185]
kernel: [<c01d4516>] [<c01d4598>] [<c01d46d8>] [<c01a068e>] [<c01d4640>]
kernel:
kernel: Code: 0f 0b 90 00 28 76 3b c0 8b 35 90 14 16 c0 89 d8 29 f0 c1 f8

Output from scripts/ver_linux
Linux blabla 2.4.27-grsec3 #1 SMP pon wrz 13 17:57:49 CEST 2004 i686 unknown unknown GNU/Linux
Gnu C 3.3.2
Gnu make 3.80
util-linux 2.12
mount 2.12
modutils 2.4.26
e2fsprogs 1.34
Linux C Library 2.3.3
Dynamic linker (ldd) 2.3.3
Procps 3.1.15
Net-tools 1.60
Console-tools 0.2.3
Sh-utils 5.1.2
Modules Loaded


CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_PAX_EI_PAX=y
CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y
CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS=y
# CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_GRKERNSEC_PAX_HOOK_ACL_FLAGS is not set
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
# CONFIG_GRKERNSEC_PAX_EMUTRAMP is not set
# CONFIG_GRKERNSEC_PAX_MPROTECT is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
# CONFIG_GRKERNSEC_PAX_RANDKSTACK is not set
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
# CONFIG_GRKERNSEC_CHROOT_SHMAT is not set
CONFIG_GRKERNSEC_CHROOT_UNIX=y
# CONFIG_GRKERNSEC_CHROOT_FINDTASK is not set
# CONFIG_GRKERNSEC_CHROOT_NICE is not set
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_SYSCTL is not set
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

I can't reproduce this. It just 'happens'.

I also posted this to linux-kernel list http://marc.theaimsgroup.com/?t=102910922100001&r=1&w=2

marcin_1 wrote:# CONFIG_GRKERNSEC_PAX_MPROTECT is not set

any reason you had to disable this? as you noted in the lkml thread, you didn't have this problem when MPROTECT was enabled, so as a quick solution you should enable it again. based on the stack trace it's probably a problem with swapping out mirrored anonymous memory which can happen only with MPROTECT disabled. anyway, i'll fix it as soon as i get a little time to work on PaX.

PaX Team wrote:any reason you had to disable this? as you noted in the lkml thread, you didn't have this problem when MPROTECT was enabled,

I had to disable this 'cause Mandrake's developers "did" (or didn't?) something to (as i understand reading other posts on forum) to glibc and that prevents some programs from loading libraries when CONFIG_GRKERNSEC_PAX_MPROTECT is enabled (eg. error while loading shared libraries: libcrypto.so.0.9.7: cannot enable executable stack as shared object requires: Permission denied).
Unfortunately i don't fully understand how to manage that problem so i've just disabled CONFIG_GRKERNSEC_PAX_MPROTECT (well, because of that BUG i've moved to clean 2.4.27 yesterday).

marcin_1 wrote:Unfortunately i don't fully understand how to manage that problem so i've just disabled CONFIG_GRKERNSEC_PAX_MPROTECT (well, because of that BUG i've moved to clean 2.4.27 yesterday).

oh, the PT_GNU_STACK problem again. you could enable MPROTECT in the kernel and chpax/paxctl -m the apps that want to load such libraries. you could also execstack -c the affected libraries, probably most of them are false positives (and if they're not, you can just enable EMUTRAMP in the kernel and on the affected apps). also, you could try turning off swap, the bug should not manifest then.

PaX Team wrote:oh, the PT_GNU_STACK problem again. you could enable MPROTECT in the kernel and chpax/paxctl -m the apps that want to load such libraries. you could also execstack -c the affected libraries, probably most of them are false positives (and if they're not, you can just enable EMUTRAMP in the kernel and on the affected apps). also, you could try turning off swap, the bug should not manifest then.

I did execstack -c on libraries. All of them, I hope...

Thank you for the tips!

Where can I get the execstack utility? Running slackware 10.2, and have the same problem. (i can't even log in with mprotect() enabled, because libtermcap won't load and bash fails)

It is in prelink package, not included in Slackware.