bind user banned

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

bind user banned

Postby Stephane » Fri Apr 24, 2015 7:12 am

Hi all,

I sometimes experiment this kind of issue on my bind servers, any advices ?
User 107 is bind.

[Fri Apr 24 08:08:57 2015] grsec: time set by /usr/sbin/ntpd[ntpd:1859] uid/euid:103/103 gid/egid:109/109, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[Fri Apr 24 11:57:13 2015] list_add corruption. next->prev should be prev (ffffffff82299560), but was ffff88003c6e3400. (next=ffff88003c6e3500).
[Fri Apr 24 11:57:13 2015] ------------[ cut here ]------------
[Fri Apr 24 11:57:13 2015] kernel BUG at lib/list_debug.c:32!
[Fri Apr 24 11:57:13 2015] invalid opcode: 0000 [#1] SMP
[Fri Apr 24 11:57:13 2015] Modules linked in: crct10dif_pclmul(F) crc32_pclmul(F) ghash_clmulni_intel(F) aesni_intel(F) cirrus(F) aes_x86_64(F) ttm(F) lrw(F) gf128mul(F) glue_helper(F) drm_kms_helper(F) ablk_helper(F) cryptd(F) drm(F) i2c_piix4(F) syscopyarea(F) serio_raw(F) sysfillrect(F) sysimgblt(F) mac_hid(F) psmouse(F) floppy(F) pata_acpi(F)
[Fri Apr 24 11:57:13 2015] CPU: 0 PID: 3021 Comm: named Tainted: GF 3.14.17-cloudomc-1.1-grsec #1
[Fri Apr 24 11:57:13 2015] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[Fri Apr 24 11:57:13 2015] task: ffff8800369acc20 ti: ffff8800369ad028 task.ti: ffff8800369ad028
[Fri Apr 24 11:57:13 2015] RIP: 0010:[<ffffffff813e3740>] [<ffffffff813e3740>] ffffffff813e3740
[Fri Apr 24 11:57:13 2015] RSP: 0018:ffffc90002b4bd70 EFLAGS: 00010293
[Fri Apr 24 11:57:13 2015] RAX: 0000000000000075 RBX: ffff88003c93b480 RCX: 0000000000000000
[Fri Apr 24 11:57:13 2015] RDX: ffff88003fc0e180 RSI: ffff88003fc0c568 RDI: 0000000000000246
[Fri Apr 24 11:57:13 2015] RBP: ffffc90002b4bd70 R08: 0000000000000086 R09: 0000000000000018
[Fri Apr 24 11:57:13 2015] R10: 00000000000002f0 R11: 0000000000000002 R12: ffffffff82299560
[Fri Apr 24 11:57:13 2015] R13: ffff88003c6e3500 R14: 00000238f5b8f570 R15: 000000000000e420
[Fri Apr 24 11:57:13 2015] FS: 00000238f5b90700(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[Fri Apr 24 11:57:13 2015] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Fri Apr 24 11:57:13 2015] CR2: 000002d90b3a4000 CR3: 00000000017e9000 CR4: 00000000000607f0
[Fri Apr 24 11:57:13 2015] Stack:
[Fri Apr 24 11:57:13 2015] ffffc90002b4bd98 ffffffff813e3797 000000000000fa5d ffff88003c3b3b80
[Fri Apr 24 11:57:13 2015] ffff88003cee77c0 ffffc90002b4bdc0 ffffffff813671f7 ffff8800063fec00
[Fri Apr 24 11:57:13 2015] 000000000000001c ffffc90002b4bdf8 ffffc90002b4bdd0 ffffffff81367289
[Fri Apr 24 11:57:13 2015] Call Trace:
[Fri Apr 24 11:57:13 2015] [<ffffffff813e3797>] __list_add+0x17/0x40
[Fri Apr 24 11:57:13 2015] [<ffffffff813671f7>] smk_ipv6_port_label.isra.24+0x97/0x100
[Fri Apr 24 11:57:13 2015] [<ffffffff81367289>] smack_socket_bind+0x29/0x40
[Fri Apr 24 11:57:13 2015] [<ffffffff81363473>] security_socket_bind+0x23/0x30
[Fri Apr 24 11:57:13 2015] [<ffffffff816714c3>] SYSC_bind+0xd3/0x130
[Fri Apr 24 11:57:13 2015] [<ffffffff810e09c4>] ? vtime_account_user+0x54/0x60
[Fri Apr 24 11:57:13 2015] [<ffffffff81672c2e>] SyS_bind+0xe/0x20
[Fri Apr 24 11:57:13 2015] [<ffffffff817ce9f1>] tracesys+0xd5/0xda
[Fri Apr 24 11:57:13 2015] Code: f0 75 40 48 39 c7 74 25 48 39 fa 74 20 b8 01 00 00 00 5d 48 0f ba 2c 24 3f c3 48 89 c1 48 c7 c7 b0 79 df 81 31 c0 e8 00 37 3d 00 <0f> 0b 48 89 c1 48 89 fe 31 c0 48 c7 c7 50 7a df 81 e8 ea 36 3d
[Fri Apr 24 11:57:13 2015] RIP [<ffffffff813e3740>] ffffffff813e3740
[Fri Apr 24 11:57:13 2015] RSP <ffffc90002b4bd70>
[Fri Apr 24 11:57:13 2015] ---[ end trace ef0cd9d898da5110 ]---
[Fri Apr 24 11:57:13 2015] grsec: banning user with uid 107 until system restart for suspicious kernel crash
[Fri Apr 24 12:06:41 2015] grsec: time set by /usr/sbin/ntpd[ntpd:1859] uid/euid:103/103 gid/egid:109/109, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Stephane
 
Posts: 50
Joined: Thu Apr 18, 2013 7:13 am

Re: bind user banned

Postby spender » Fri Apr 24, 2015 7:57 am

This looks like an old, unsupported kernel, and a module was forced to be loaded. There's some list corruption in smk_ipv6_port_list via the line:
list_add(&spp->list, &smk_ipv6_port_list);
in security/smack/smack_lsm.c.
I don't see anything wrong with that particular code, so the bug may be due to the old kernel or to the forced module load (particularly if RANDSTRUCT is used).

Anyway, we don't support outdated custom kernels. Please look into getting commercial support if you need to run such a kernel.

Thanks,
-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: bind user banned

Postby Stephane » Fri Apr 24, 2015 8:15 am

Ok thank you Brad, yes my kernel is not that fresh (3.14.17)... I'll make a try with a newer one.

EDIT :
CONFIG_GRKERNSEC_RANDSTRUCT=y
CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
Stephane
 
Posts: 50
Joined: Thu Apr 18, 2013 7:13 am


Return to grsecurity support