grsecurity forums

[craig2015]

Kernel: Linux 3.14.32-grsec #1 SMP Tue Feb 17 15:43:57 AEDT 2015 x86_64 x86_64 x86_64 GNU/Linux
OS: Fedora release 21 (Twenty One)

Symptoms:
We are attempting to run with this kernel on a Desktop OS running KDE, the user is getting all kinds of random crashing of the task bars, gui settings etc.. Below is an example I found at the exact time of the latest crash, should we upgrade the kernel? Google Chrome? or something else all together?

ERROR:
Mar 25 14:16:46 jonathanpc kernel: [104069.848749] grsec: Invalid alignment/Bus error occurred at 000066e987550020 in /opt/google/chrome/chrome[chrome:3999] uid/euid:370/370 gid/egid:132/132, parent /usr/bin/kdeinit4[kdeinit4:1720] uid/euid:370/370 gid/egid:132/132
Mar 25 14:16:46 jonathanpc kernel: [104069.852350] grsec: denied resource overstep by requesting 64 for RLIMIT_CORE against limit 0 for /opt/google/chrome/chrome[chrome:3999] uid/euid:370/370 gid/egid:132/132, parent /usr/bin/kdeinit4[kdeinit4:1720] uid/euid:370/370 gid/egid:132/132
Mar 25 14:16:46 jonathanpc kernel: [104069.852361] grsec: denied resource overstep by requesting 120 for RLIMIT_CORE against limit 0 for /opt/google/chrome/chrome[chrome:3999] uid/euid:370/370 gid/egid:132/132, parent /usr/bin/kdeinit4[kdeinit4:1720] uid/euid:370/370 gid/egid:132/132

Regards,

Craig

[PaX Team]

can you post your kernel .config please (at least the grsec/PaX options)? also if MPROTECT is enabled in the kernel it'll have to be disabled on the chrome binary at least (due to the v8 javascript engine), and also likely on any opengl based application if the video driver uses runtime code generation (nvidia is one known example).

[craig2015]

# Grsecurity
#
CONFIG_TASK_SIZE_MAX_SHIFT=47
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set

#
# Default Special Groups
#
CONFIG_GRKERNSEC_PROC_GID=1001

#
# Customize Configuration
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
# CONFIG_PAX_XATTR_PAX_FLAGS is not set
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
# CONFIG_PAX_NOEXEC is not set
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
# CONFIG_PAX_MEMORY_STRUCTLEAK is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y

[PaX Team]

ok, so it's not the usual problem. i'm afraid you'll have to do some more debugging then, enable coredumps in a shell (ulimit -c unlimited) and run chrome from there and then analyze the coredump in gdb (bt, x/8i $pc, info regs, etc).