grsecurity forums

[xxterry1xx]

Hello All,

Alright, so I am having an issue with the latest grsec patches and the
issue has been occuring around 3.18.1 and above grsec patches.

Basically I was using dwb as a webbrowser before from
https://aur.archlinux.org/packages/dwb_collect-git/ and it started to
crash upon program execution with these (3.18.1 and onward) latest patches, at first i
thought it was gcc optimization flags (-march=native and -mtune=native)
that I have added to the kernels makefile because it started to happen
around that time i compiled it with those flags, but I compiled the kernel without those flags just
recently and it is not the case(This also happens on my laptop).

I also noticed odd behavior when I would compile dwb with -march=native and
-mtune=native, it would crash on grsec 3.18.1 but when i compiled it without
those flags it would launch.

but even with or without the flags(both kernel and programs) it still doesn't work on grsec 3.18.2.

It kind of seems like it builds up from working(3.18.1 first couple patches released), to slightly working(3.18.1 other patches) to not
working(3.18.2).

I also have grsec to deny server sockets to
my user group(1000) as i can see in journalctl that grsec is denying
qupzilla from using the bind() function which should'nt be the issue because I am using
the same .config i created from 3.18 with no previous issues.

This crashing also does not happen with the latest stable stock linux kernel(same .config and flags just
without the grsecurity options or patches)

Processor Information:
Desktop: AMD Phenom II X6 1100T Black Edition Thuban 6-Core 3.3GHz, 3.7GHz Turbo Socket AM3 125W
Laptop: AMD Athlon 64 X2 QL-65

Distribution:
Arch Linux x86_64

Heres qupzillas crashlog (Stock arch package)

Time: Tue Jan 13 20:01:09 2015
Qt version: 5.4.0 (compiled with 5.4.0)
QupZilla version: 1.8.5
WebKit version: 538.1

============== BACKTRACE ==============
#0: qupzilla() [0x403393]
#1: /usr/lib/libc.so.6(+0x33b20) [0x259f16f0b20]
#2: /usr/lib/libQt5Script.so.5(+0x9f8ad) [0x259f04738ad]
#3: /usr/lib/libQt5Script.so.5(+0x127380) [0x259f04fb380]
#4: /usr/lib/libQt5Script.so.5(+0x127848) [0x259f04fb848]
#5: /usr/lib/libQt5Script.so.5(+0x1c7bf6) [0x259f059bbf6]
#6: /usr/lib/libQt5Script.so.5(_ZN13QScriptEngineC2Ev+0x1e)
[0x259f059c74e]
#7: /usr/lib/libQupZilla.so.1(_ZN4Json5parseERK7QString+0x4a)
[0x259f52c988a]
#8: /usr/lib/libQupZilla.so.1(_ZN9Bookmarks13loadBookmarksEv+0x1a6)
[0x259f5166656]
#9: /usr/lib/libQupZilla.so.1(_ZN9Bookmarks4initEv+0x2cd)
[0x259f516a0ad]
#10: /usr/lib/libQupZilla.so.1(_ZN9BookmarksC1EP7QObject+0x81)
[0x259f516a2b1]
#11: /usr/lib/libQupZilla.so.1(_ZN15MainApplication9bookmarksEv+0x31)
[0x259f512bb21]
#12:
/usr/lib/libQupZilla.so.1(_ZN16BookmarksToolbarC1EP13BrowserWindowP7QWidget+0x51)
[0x259f5181361]
#13: /usr/lib/libQupZilla.so.1(_ZN13BrowserWindow7setupUiEv+0x5e5)
[0x259f511cf25]
#14:
/usr/lib/libQupZilla.so.1(_ZN13BrowserWindowC1EN2Qz17BrowserWindowTypeERK4QUrl+0x1c0)
[0x259f51240f0]
#15:
/usr/lib/libQupZilla.so.1(_ZN15MainApplication12createWindowEN2Qz17BrowserWindowTypeERK4QUrl+0x4f)
[0x259f512f59f]
#16: /usr/lib/libQupZilla.so.1(_ZN15MainApplicationC2ERiPPc+0x1577)
[0x259f5135577]
#17: qupzilla() [0x40299b]
#18: /usr/lib/libc.so.6(__libc_start_main+0xf0) [0x259f16dd040]
#19: qupzilla() [0x402d00]

And here is dwbs crashlog(compiled with -march=native and -mtune=native specified in /etc/makepkg.conf)

[user@user ~]$ dwb
1 0x3010908c4e7 /usr/lib/libjavascriptcoregtk-1.0.so.0(WTFCrash+0x17)
[0x3010908c4e7]
2 0x301090a92bf
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3WTF11OSAllocator6commitEPvmbb+0x2f)
[0x301090a92bf]
3 0x301090a7dbb
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3WTF13MetaAllocator22incrementPageOccupancyEPvm+0x1fb)
[0x301090a7dbb]
4 0x301090a7ecf
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3WTF13MetaAllocator8allocateEmPv+0xcf)
[0x301090a7ecf]
5 0x30108e12349
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC19ExecutableAllocator8allocateERNS_2VMEmPvNS_20JITCompilationEffortE+0x49)
[0x30108e12349]
6 0x30108c2ea7d
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC10LinkBuffer8allocateEmPvNS_20JITCompilationEffortE+0x7d)
[0x30108c2ea7d]
7 0x30108c2eb43
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC10LinkBuffer8linkCodeEPvNS_20JITCompilationEffortE+0x23)
[0x30108c2eb43]
8 0x30108e6c07b /usr/lib/libjavascriptcoregtk-1.0.so.0(+0x3ad07b)
[0x30108e6c07b]
9 0x30108e6c616
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC24nativeConstructGeneratorEPNS_2VME+0x16)
[0x30108e6c616]
10 0x30108e55a84
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC9JITThunks7ctiStubEPNS_2VMEPFNS_21MacroAssemblerCodeRefES2_E+0x194)
[0x30108e55a84]
11 0x30108e55cea
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC9JITThunks18ctiNativeConstructEPNS_2VME+0x3a)
[0x30108e55cea]
12 0x30108e55deb
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC9JITThunks16hostFunctionStubEPNS_2VMEPFlPNS_9ExecStateEES6_+0x9b)
[0x30108e55deb]
13 0x30108f8200a
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC10JSFunction6createERNS_2VMEPNS_14JSGlobalObjectEiRKN3WTF6StringEPFlPNS_9ExecStateEENS_9IntrinsicESC_+0x3a)
[0x30108f8200a]
14 0x30108f640db
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC17FunctionPrototype21addFunctionPropertiesEPNS_9ExecStateEPNS_14JSGlobalObjectEPPNS_10JSFunctionES7_+0x5b)
[0x30108f640db]
15 0x30108f92256
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC14JSGlobalObject5resetENS_7JSValueE+0x276)
[0x30108f92256]
16 0x30108f96424
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC14JSGlobalObject4initEPNS_8JSObjectE+0x74)
[0x30108f96424]
17 0x3010ad0ba75 /usr/lib/libwebkitgtk-1.0.so.0(+0x5dfa75)
[0x3010ad0ba75]
18 0x3010ad11fb7 /usr/lib/libwebkitgtk-1.0.so.0(+0x5e5fb7)
[0x3010ad11fb7]
19 0x3010ad121ee /usr/lib/libwebkitgtk-1.0.so.0(+0x5e61ee)
[0x3010ad121ee]
20 0x3010ad553d8 /usr/lib/libwebkitgtk-1.0.so.0(+0x6293d8)
[0x3010ad553d8]
21 0x3010ad55ad1 /usr/lib/libwebkitgtk-1.0.so.0(+0x629ad1)
[0x3010ad55ad1]
22 0x3010ab9672b
/usr/lib/libwebkitgtk-1.0.so.0(webkit_web_frame_get_global_context+0xfb)
[0x3010ab9672b]
23 0x4358ae dwb() [0x4358ae]
24 0x4223a6 dwb() [0x4223a6]
25 0x30107f94255 /usr/lib/libgobject-2.0.so.0(g_closure_invoke+0x145)
[0x30107f94255]
26 0x30107fa5f4c /usr/lib/libgobject-2.0.so.0(+0x21f4c) [0x30107fa5f4c]
27 0x30107fae758
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0xfd8) [0x30107fae758]
28 0x30107fae9bf /usr/lib/libgobject-2.0.so.0(g_signal_emit+0x8f)
[0x30107fae9bf]
29 0x30107f98995 /usr/lib/libgobject-2.0.so.0(+0x14995) [0x30107f98995]
30 0x30107f9ada1 /usr/lib/libgobject-2.0.so.0(g_object_notify+0x121)
[0x30107f9ada1]
31 0x3010ab7b78d /usr/lib/libwebkitgtk-1.0.so.0(+0x44f78d)
[0x3010ab7b78d]
Received SIGSEGV, trying to clean up.

Last 53 stack frames:

53: dwb() [0x4132c3]
52: dwb() [0x4318e5]
51: /usr/lib/libpthread.so.0(+0x10210) [0x30107a6a210]
50: /usr/lib/libjavascriptcoregtk-1.0.so.0(WTFCrash+0x1c)
[0x3010908c4ec]
49:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3WTF11OSAllocator6commitEPvmbb+0x2f)
[0x301090a92bf]
48:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3WTF13MetaAllocator22incrementPageOccupancyEPvm+0x1fb)
[0x301090a7dbb]
47:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3WTF13MetaAllocator8allocateEmPv+0xcf)
[0x301090a7ecf]
46:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC19ExecutableAllocator8allocateERNS_2VMEmPvNS_20JITCompilationEffortE+0x49)
[0x30108e12349]
45:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC10LinkBuffer8allocateEmPvNS_20JITCompilationEffortE+0x7d)
[0x30108c2ea7d]
44:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC10LinkBuffer8linkCodeEPvNS_20JITCompilationEffortE+0x23)
[0x30108c2eb43]
43: /usr/lib/libjavascriptcoregtk-1.0.so.0(+0x3ad07b) [0x30108e6c07b]
42:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC24nativeConstructGeneratorEPNS_2VME+0x16)
[0x30108e6c616]
41:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC9JITThunks7ctiStubEPNS_2VMEPFNS_21MacroAssemblerCodeRefES2_E+0x194)
[0x30108e55a84]
40:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC9JITThunks18ctiNativeConstructEPNS_2VME+0x3a)
[0x30108e55cea]
39:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC9JITThunks16hostFunctionStubEPNS_2VMEPFlPNS_9ExecStateEES6_+0x9b)
[0x30108e55deb]
38:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC10JSFunction6createERNS_2VMEPNS_14JSGlobalObjectEiRKN3WTF6StringEPFlPNS_9ExecStateEENS_9IntrinsicESC_+0x3a)
[0x30108f8200a]
37:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC17FunctionPrototype21addFunctionPropertiesEPNS_9ExecStateEPNS_14JSGlobalObjectEPPNS_10JSFunctionES7_+0x5b)
[0x30108f640db]
36:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC14JSGlobalObject5resetENS_7JSValueE+0x276)
[0x30108f92256]
35:
/usr/lib/libjavascriptcoregtk-1.0.so.0(_ZN3JSC14JSGlobalObject4initEPNS_8JSObjectE+0x74)
[0x30108f96424]
34: /usr/lib/libwebkitgtk-1.0.so.0(+0x5dfa75) [0x3010ad0ba75]
33: /usr/lib/libwebkitgtk-1.0.so.0(+0x5e5fb7) [0x3010ad11fb7]
32: /usr/lib/libwebkitgtk-1.0.so.0(+0x5e61ee) [0x3010ad121ee]
31: /usr/lib/libwebkitgtk-1.0.so.0(+0x6293d8) [0x3010ad553d8]
30: /usr/lib/libwebkitgtk-1.0.so.0(+0x629ad1) [0x3010ad55ad1]
29:
/usr/lib/libwebkitgtk-1.0.so.0(webkit_web_frame_get_global_context+0xfb)
[0x3010ab9672b]
28: dwb() [0x4358ae]
27: dwb() [0x4223a6]
26: /usr/lib/libgobject-2.0.so.0(g_closure_invoke+0x145)
[0x30107f94255]
25: /usr/lib/libgobject-2.0.so.0(+0x21f4c) [0x30107fa5f4c]
24: /usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0xfd8)
[0x30107fae758]
23: /usr/lib/libgobject-2.0.so.0(g_signal_emit+0x8f) [0x30107fae9bf]
22: /usr/lib/libgobject-2.0.so.0(+0x14995) [0x30107f98995]
21: /usr/lib/libgobject-2.0.so.0(g_object_notify+0x121) [0x30107f9ada1]
20: /usr/lib/libwebkitgtk-1.0.so.0(+0x44f78d) [0x3010ab7b78d]
19: /usr/lib/libwebkitgtk-1.0.so.0(+0xb1110d) [0x3010b23d10d]
18: /usr/lib/libwebkitgtk-1.0.so.0(+0xb1e199) [0x3010b24a199]
17: /usr/lib/libwebkitgtk-1.0.so.0(+0xafcc88) [0x3010b228c88]
16: /usr/lib/libwebkitgtk-1.0.so.0(+0x44ed2e) [0x3010ab7ad2e]
15: /usr/lib/libwebkitgtk-1.0.so.0(+0xafe667) [0x3010b22a667]
14: /usr/lib/libwebkitgtk-1.0.so.0(+0xaff6f0) [0x3010b22b6f0]
13: /usr/lib/libwebkitgtk-1.0.so.0(+0xb02a47) [0x3010b22ea47]
12: /usr/lib/libwebkitgtk-1.0.so.0(+0xafbbc6) [0x3010b227bc6]
11: /usr/lib/libwebkitgtk-1.0.so.0(+0x561c89) [0x3010ac8dc89]
10: /usr/lib/libwebkitgtk-1.0.so.0(+0x582922) [0x3010acae922]
9: /usr/lib/libglib-2.0.so.0(+0x4a3c3) [0x30107cc03c3]
8: /usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x15d)
[0x30107cbf91d]
7: /usr/lib/libglib-2.0.so.0(+0x49cf8) [0x30107cbfcf8]
6: /usr/lib/libglib-2.0.so.0(g_main_context_iteration+0x2c)
[0x30107cbfdac]
5: /usr/lib/libgio-2.0.so.0(g_application_run+0x1ec) [0x3010827a00c]
4: dwb() [0x428a38]
3: dwb() [0x4133af]
2: /usr/lib/libc.so.6(__libc_start_main+0xf0) [0x30107395040]
1: dwb() [0x41342d]
Segmentation fault

And thanks for these patches, they are awesome

[PaX Team]

do you get PaX kill logs by any chance? the reason i'm asking it is because qtscript shows up in your backtrace just like in this recent bug: https://bugs.archlinux.org/task/43355 . you could try to recompile qtscript without the JIT compiler (gentoo has a USE flag for it, no idea about arch) or disable MPROTECT on the crashing executables (not the lib!).

[xxterry1xx]

I enabled CONFIG_PAX_MPROTECT_COMPAT, compiled the kernel and instead of a backtrace, I get Killed(terminal output) with qupzilla.

After that I disabled CONFIG_PAX_MPROTECT_COMPAT and enabled pax softmode and the 2 other options that are required for pax softmode and the application launchs, so im guessing its pax related and/or maybe a buggy program/library or something, but now I remember that I disabled pax softmode and this all started to happen so its not the compiler flags that I specified in my beginning post.

[xxterry1xx]

So I tested the same thing on my laptop with pax soft mode enabled(same .config options related to my desktop .config but different hardware related options) and for some odd reason I still get a crash even tho it is working on my desktop with the same options.

Time: Wed Jan 14 02:03:33 2015
Qt version: 5.4.0 (compiled with 5.4.0)
QupZilla version: 1.8.5
WebKit version: 538.1

============== BACKTRACE ==============
#0: qupzilla() [0x403393]
#1: /usr/lib/libc.so.6(+0x33b20) [0x34db028eb20]
#2: /usr/lib/libQt5Script.so.5(+0x9f8ad) [0x34daf0118ad]
#3: /usr/lib/libQt5Script.so.5(+0x127380) [0x34daf099380]
#4: /usr/lib/libQt5Script.so.5(+0x127848) [0x34daf099848]
#5: /usr/lib/libQt5Script.so.5(+0x1c7bf6) [0x34daf139bf6]
#6: /usr/lib/libQt5Script.so.5(_ZN13QScriptEngineC2Ev+0x1e) [0x34daf13a74e]
#7: /usr/lib/libQupZilla.so.1(_ZN4Json5parseERK7QString+0x4a) [0x34db3e6788a]
#8: /usr/lib/libQupZilla.so.1(_ZN9Bookmarks13loadBookmarksEv+0x1a6) [0x34db3d04656]
#9: /usr/lib/libQupZilla.so.1(_ZN9Bookmarks4initEv+0x2cd) [0x34db3d080ad]
#10: /usr/lib/libQupZilla.so.1(_ZN9BookmarksC1EP7QObject+0x81) [0x34db3d082b1]
#11: /usr/lib/libQupZilla.so.1(_ZN15MainApplication9bookmarksEv+0x31) [0x34db3cc9b21]
#12: /usr/lib/libQupZilla.so.1(_ZN16BookmarksToolbarC1EP13BrowserWindowP7QWidget+0x51) [0x34db3d1f361]
#13: /usr/lib/libQupZilla.so.1(_ZN13BrowserWindow7setupUiEv+0x5e5) [0x34db3cbaf25]
#14: /usr/lib/libQupZilla.so.1(_ZN13BrowserWindowC1EN2Qz17BrowserWindowTypeERK4QUrl+0x1c0) [0x34db3cc20f0]
#15: /usr/lib/libQupZilla.so.1(_ZN15MainApplication12createWindowEN2Qz17BrowserWindowTypeERK4QUrl+0x4f) [0x34db3ccd59f]
#16: /usr/lib/libQupZilla.so.1(_ZN15MainApplicationC2ERiPPc+0x1577) [0x34db3cd3577]
#17: qupzilla() [0x40299b]
#18: /usr/lib/libc.so.6(__libc_start_main+0xf0) [0x34db027b040]
#19: qupzilla() [0x402d00]

I will recompile qtscript without JIT later and post an update

[xxterry1xx]

Nevermind about this lol, I instead installed paxd(from arch [Community]) which automatically applys exceptions to problematic binarys which is great, still learning about pax and grsec .


Thanks for the help.