[solved]rwx mprotect problem


Postby franz » Wed Feb 09, 2011 5:54 am

Hi,

login problem due to mprotect:

grsec: denied RWX mprotect of /lib/ld-2.13.so by /bin/login[login:20260] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 9 10:19:04 spunk kernel: login[20260]: segfault at 6f53131e7d90 ip 00006f5312fd0bfe sp 00007974b4fb0840 error 7 in ld-2.13.so[6f5312fca000+1e000]
Feb 9 10:19:04 spunk kernel: grsec: Segmentation fault occurred at 00006f53131e7d90 in /bin/login[login:20260] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 9 10:19:04 spunk kernel: grsec: more alerts, logging disabled for 10 seconds



Running archlinux and my own build of grsec (grsecurity-2.2.1-2.6.36.2-201012192125.patch).
Not able to logon to any tty if grsec-kernel is enabled (no grsec/pax upgrade).

I am not sure if disabling mprotect on the lib is the solution but maybe you can tell?

Info about glibc:
/lib/ld-2.13.so owned by glibc 2.13-1

I did check the other threads about same issue "http://forums.grsecurity.net/search.php?sid=e5424478a93a2dd2cf1e6518cef7cf28"

Any other information needed to solve this?

Regards,
franz
Last edited by franz on Tue Feb 15, 2011 2:56 am, edited 2 times in total.

Re: rwx mprotect problem

Postby spender » Wed Feb 09, 2011 9:30 am

This appears to be due to a known glibc bug in combination with PT_GNU_STACK userland breakage, see the description from the PaX Team here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611195

run ldd/lddtree on /bin/login (or view dependencies from /proc/`pidof login`/maps) and make sure PT_GNU_STACK is turned off on each dependency, using execstack -c.

And remember that every time these problems occur, a normal Linux system would have silently degraded into allowing exploitation ;)

-Brad

Re: rwx mprotect problem

Postby franz » Thu Feb 10, 2011 2:45 am

Ohh no, more work :wink:

It seems that I need to reboot into a non grsec kernel to fix this little issue

Feb 10 07:33:00 spunk kernel: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib/paxtest/execstack[execstack:3908] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/paxtest/execstack[execstack:3907] uid/euid:0/0 gid/egid:0/0
Feb 10 07:37:25 spunk kernel: PAX: execution attempt in: <anonymous mapping>, 753ad889b000-753ad88bc000 7ffffffde000
Feb 10 07:37:25 spunk kernel: PAX: terminating task: /usr/lib/paxtest/execstack(execstack):5112, uid/euid: 0/0, PC: 0000753ad88b8f70, SP: 0000753ad88b8f68
Feb 10 07:37:25 spunk kernel: PAX: bytes at PC: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Feb 10 07:37:25 spunk kernel: PAX: bytes at SP-8: 0000000000000000 0000000000400b69 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
Feb 10 07:37:25 spunk kernel: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib/paxtest/execstack[execstack:5112] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/paxtest/execstack[execstack:5111] uid/euid:0/0 gid/egid:0/0


Anyway, thanks for the answer!

/franz

Re: rwx mprotect problem

Postby PaX Team » Thu Feb 10, 2011 8:35 am

franz wrote:
Feb 10 07:33:00 spunk kernel: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib/paxtest/execstack[execstack:3908] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/paxtest/execstack[execstack:3907] uid/euid:0/0 gid/egid:0/0

that's not the execstack spender meant, try the one from prelink ;).

Re: rwx mprotect problem

Postby franz » Sun Feb 13, 2011 3:26 pm

Problem not solved by using execstack -c on libs used by /bin/login (the tool from prelink)

[root@spunk 2.6.37.0]# ldd /bin/login
linux-vdso.so.1 => (0x00007fff949ff000)
libshadow.so.0 => /lib/libshadow.so.0 (0x00007ffb64ecc000)
libpam.so.0 => /lib/libpam.so.0 (0x00007ffb64cbf000)
libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x00007ffb64abc000)
libc.so.6 => /lib/libc.so.6 (0x00007ffb6475b000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007ffb64524000)
libdl.so.2 => /lib/libdl.so.2 (0x00007ffb64320000)
/lib/ld-linux-x86-64.so.2 (0x00007ffb650db000)
[root@spunk 2.6.37.0]#

[root@spunk lib]# pacman -Q paxctl
paxctl 0.5-1
[root@spunk lib]# pacman -Q gradm
gradm 2.2.1-201012121738
[root@spunk lib]# pacman -Q kernel26-grsecurity
kernel26-grsecurity 2.6.37-1 (grsecurity-2.2.1-2.6.37-201102121148.patch)

[root@spunk 2.6.37.0]# pacman -Q | egrep 'glibc|binutils|shadow'
binutils 2.21-3
glibc 2.13-1
shadow 4.1.4.2-4
[root@spunk 2.6.37.0]#



Not able to logon when booting into grsec kernel.
Any suggestion?

/franz

Re: rwx mprotect problem

Postby PaX Team » Sun Feb 13, 2011 7:48 pm

franz wrote:
Not able to logon when booting into grsec kernel.
Any suggestion?

what's the error now?

Re: rwx mprotect problem

Postby franz » Mon Feb 14, 2011 3:15 am

Hi,
I will test on another pc that I have to see if the same error occurs.

Anyway here is the error:
Feb 13 20:02:25 spunk init: Entering runlevel: 3
Feb 13 20:02:28 spunk kernel: grsec: denied RWX mprotect of /lib/ld-2.13.so by /bin/login[login:4469] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 13 20:02:28 spunk kernel: login[4469]: segfault at 6aa8f3a6ad90 ip 00006aa8f3853bfe sp 000077543900e4d0 error 7 in ld-2.13.so[6aa8f384d000+1e000]
Feb 13 20:02:28 spunk kernel: grsec: Segmentation fault occurred at 00006aa8f3a6ad90 in /bin/login[login:4469] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 13 20:02:28 spunk kernel: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /bin/login[login:4469] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


/franz

Re: rwx mprotect problem

Postby franz » Mon Feb 14, 2011 4:17 am

Problem is not the same on the other pc, but patchlevel is not exactly the same, but I don't think it matters anyway.
On working pc kernelpatch has this timestamp 201101272240.

I did manage to logon to the problem pc remote using ssh so I am logged on right now when typing this.

It's still not possible to logon to console.

Same error as before:
Feb 14 08:53:37 spunk kernel: grsec: denied RWX mprotect of /lib/ld-2.13.so by /bin/login[login:3668] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 14 08:53:37 spunk kernel: login[3668]: segfault at 67e4fe9bdd90 ip 000067e4fe7a6bfe sp 000073a6b56c5080 error 7 in ld-2.13.so[67e4fe7a0000+1e000]
Feb 14 08:53:37 spunk kernel: grsec: Segmentation fault occurred at 000067e4fe9bdd90 in /bin/login[login:3668] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 14 08:53:37 spunk kernel: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /bin/login[login:3668] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 14 09:04:01 spunk crond[3520]: FILE /var/spool/cron/root USER root PID 6391 job sys-hourly

Here is some additional information from pc with logon issue:

[root@spunk ~]# gradm -a admin
The operation you requested cannot be performed because the RBAC system is currently disabled.

[root@spunk ~]# sysctl -a | egrep 'pax|grse'
kernel.grsecurity.linking_restrictions = 1
kernel.grsecurity.fifo_restrictions = 1
kernel.grsecurity.execve_limiting = 1
kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
kernel.grsecurity.rwxmap_logging = 1
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.audit_chdir = 0
kernel.grsecurity.audit_mount = 0
kernel.grsecurity.dmesg = 1
kernel.grsecurity.chroot_findtask = 1
kernel.grsecurity.resource_logging = 1
kernel.grsecurity.audit_ptrace = 1
kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.grsec_lock = 0
kernel.grsecurity.romount_protect = 0
kernel.pax.softmode = 0

[root@spunk ~]# zcat /proc/config.gz | egrep 'GRK| PAX'
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_ROFS=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

Nothing in any log about restricting ssh logins

Any idea?

Maybe configuration error from my side but I am not sure..

/franz

Re: rwx mprotect problem

Postby PaX Team » Mon Feb 14, 2011 8:01 am

franz wrote:
Same error as before:
Feb 14 08:53:37 spunk kernel: grsec: denied RWX mprotect of /lib/ld-2.13.so by /bin/login[login:3668] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 14 08:53:37 spunk kernel: login[3668]: segfault at 67e4fe9bdd90 ip 000067e4fe7a6bfe sp 000073a6b56c5080 error 7 in ld-2.13.so[67e4fe7a0000+1e000]
Feb 14 08:53:37 spunk kernel: grsec: Segmentation fault occurred at 000067e4fe9bdd90 in /bin/login[login:3668] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Feb 14 08:53:37 spunk kernel: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /bin/login[login:3668] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

can you strace such a login process? the last opened .so in the log will be your problem, my bet is that it's probably PAM related, so you can also proactively check them for the same GNU_STACK breakage.

[solved] Re: rwx mprotect problem

Postby franz » Tue Feb 15, 2011 2:55 am

Hi,
strace and the help from you did solve this little issue!

Did "strace -s 1000 -vfo out.txt login franz" and at the end of the output it gave me this:

15532 open("/etc/ld.so.cache", O_RDONLY) = 4
15532 fstat(4, {st_dev=makedev(8, 3), st_ino=1120982, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=168, st_size=84650, st_atime=2011/02/15-07:25:29, st_mtime=2011/02/15-07:25:25, st_ctime=2011/02/15-07:25:25}) = 0
15532 mmap(NULL, 84650, PROT_READ, MAP_PRIVATE, 4, 0) = 0x73e97f31f000
15532 close(4) = 0
15532 open("/usr/lib/libck-connector.so.0", O_RDONLY) = 4
15532 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\16\0\0\0\0\0\0@\0\0\0\0\0\0\0P&\0\0\0\0\0\0\0\0\0\0@\0008\0\5\0@\0\32\0\31\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\f\"\0\0\0\0\0\0\f\"\0\0\0\0\0\0\0\0 \0\0\0\0\0\1\0\0\0\6\0\0\0\20\"\0\0\0\0\0\0\20\" \0\0\0\0\0\20\" \0\0\0\0\0X\3\0\0\0\0\0\0h\3\0\0\0\0\0\0\0\0 \0\0\0\0\0\2\0\0\0\6\0\0\0\260\"\0\0\0\0\0\0\260\" \0\0\0\0\0\260\" \0\0\0\0\0\300\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\10\0\0\0\0\0\0\0P\345td\4\0\0\0\24 \0\0\0\0\0\0\24 \0\0\0\0\0\0\24 \0\0\0\0\0\0T\0\0\0\0\0\0\0T\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\200\25\4e\0*\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\3\0\0\0\33\0\0\0\2\0\0\0\7\0\0\0\301\0 \32\0@\242\211\10\4\0\1\232\4 \2\33\0\0\0!\0\0\0&\0\0\0\24\227\325J\370\320\322\346\272\343\222|\264\333\230N\234l\6\347CE\325\354tr\305z>\303$\7\260\330\245\235\330qX\34\271\215\361\16\352\323\357\16\7\300\322\346\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\10\0h\f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0%\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0009\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0)\1\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0I\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\213\1\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\367\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\235\1\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\261\1\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\0\0\"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0K\1\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\1\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0^\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\341\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0u\1\0\0\22\0\0\0", 832) = 832
15532 fstat(4, {st_dev=makedev(8, 3), st_ino=686845, st_mode=S_IFREG|0755, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=24, st_size=11472, st_atime=2011/02/15-07:13:46, st_mtime=2011/02/09-08:12:01, st_ctime=2011/02/09-08:12:01}) = 0
15532 mmap(NULL, 2106744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x73e97c327000
15532 mprotect(0x73e97c32a000, 2093056, PROT_NONE) = 0
15532 mmap(0x73e97c529000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x2000) = 0x73e97c529000
15532 mprotect(0x73e97f350000, 3476, PROT_READ|PROT_WRITE) = -1 EACCES (Permission denied)
15532 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
15532 +++ killed by SIGSEGV +++


pacman -Qo /usr/lib/libck-connector.so.0
/usr/lib/libck-connector.so.0 owned by consolekit 0.4.3-2

So I reinstalled consolekit and problem is now gone.
Not sure why this had happened but it's probably my own fault..

Nice to have ssh open to your pc sometimes ;-)

Thanks for pointing me into right direction!
/franz
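The triage used above (strace the failing login, then look at the last .so opened before the denied mprotect), as an added example that is not part of the thread. It goes slightly beyond the posted log by also accepting openat() lines and by tracking each PID separately; the function name and the sample lines are constructed for illustration, modelled on the strace -f -o output format shown in the post.

```python
import re

# "PID open("path", flags) = ret" as written by strace -f -o; openat() is also accepted
OPEN_RE = re.compile(
    r'^(\d+)\s+open(?:at)?\((?:AT_FDCWD, )?"([^"]+)".*\)\s+=\s+(-?\d+)')
# an mprotect() call that the kernel refused with EACCES
DENY_RE = re.compile(
    r'^(\d+)\s+mprotect\(.*?,\s*(PROT_[A-Z_|]+)\)\s+=\s+-1 EACCES')
# shared object names such as libfoo.so, libfoo.so.0, ld-2.13.so
SO_RE = re.compile(r'\.so(\.\d+)*$')

def find_denied_mprotect(lines):
    """Return (pid, prot, last_opened_so) for every mprotect denied with EACCES."""
    last_so = {}                       # pid -> last shared object opened successfully
    hits = []
    for line in lines:
        m = OPEN_RE.match(line)
        if m:
            pid, path, ret = m.group(1), m.group(2), int(m.group(3))
            if ret >= 0 and SO_RE.search(path):
                last_so[pid] = path    # failed opens and non-.so files are ignored
            continue
        m = DENY_RE.match(line)
        if m:
            pid = m.group(1)
            hits.append((pid, m.group(2), last_so.get(pid)))
    return hits

# Constructed sample trace, not the output from the post
SAMPLE = '''\
15532 open("/etc/ld.so.cache", O_RDONLY) = 4
15532 open("/lib/libpam.so.0", O_RDONLY) = 4
15532 mprotect(0x7f0000201000, 4096, PROT_READ) = 0
15532 open("/usr/lib/libck-connector.so.0", O_RDONLY) = 4
15532 open("/usr/lib/libmissing.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
15533 openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
15532 mprotect(0x73e97f350000, 3476, PROT_READ|PROT_WRITE) = -1 EACCES (Permission denied)
15532 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
'''.splitlines()

if __name__ == "__main__":
    for pid, prot, lib in find_denied_mprotect(SAMPLE):
        print(f"pid {pid}: mprotect({prot}) denied, last library opened: {lib}")
```

The library it names is the candidate to check for the GNU_STACK marking and to trace back to its package, as done with pacman -Qo in the post.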

Re: [solved]rwx mprotect problem

Postby spender » Tue Feb 15, 2011 8:37 am

Make sure you report the library to your distro so that nobody else has to put up with the same problem.

-Brad

