vmnet-only can't be compiled with RAP


Postby sth0R » Tue Jun 14, 2016 1:58 am

Hi,

It seems RAP causes this problem? Or any workaround?

VMWARE WORKSTATION 12 + Linux kernel 4.5.7 + PaX/Grsecurity( grsecurity-3.1-4.5.7-201606110914.patch)
-----------------------------------------------------------------------------------------------------------

/shawn-fortress vmnet-only # sudo /usr/bin/make -j4 -C /usr/lib/vmware/modules/source/vmnet-only auto-build HEADER_DIR=/lib/modules/4.5.7-grsec/build/include CC=/usr/bin/gcc IS_GCC_3=no
make: Entering directory '/usr/lib/vmware/modules/source/vmnet-only'
Using kernel build system.
/usr/bin/make -C /lib/modules/4.5.7-grsec/build/include/.. SUBDIRS=$PWD SRCROOT=$PWD/. \
MODULEBUILDDIR= modules
make[1]: Entering directory '/usr/src/linux-headers-4.5.7-grsec'
CC [M] /usr/lib/vmware/modules/source/vmnet-only/driver.o
CC [M] /usr/lib/vmware/modules/source/vmnet-only/hub.o
CC [M] /usr/lib/vmware/modules/source/vmnet-only/userif.o
CC [M] /usr/lib/vmware/modules/source/vmnet-only/netif.o
Function VNetUserIfWrite is missing from the size_overflow hash table +VNetUserIfWrite+fndecl+4+54044+
CC [M] /usr/lib/vmware/modules/source/vmnet-only/bridge.o
CC [M] /usr/lib/vmware/modules/source/vmnet-only/procfs.o
CC [M] /usr/lib/vmware/modules/source/vmnet-only/smac_compat.o
CC [M] /usr/lib/vmware/modules/source/vmnet-only/smac.o
Function SMACL_Alloc is missing from the size_overflow hash table +SMACL_Alloc+fndecl+1+2775+
CC [M] /usr/lib/vmware/modules/source/vmnet-only/vnetEvent.o
CC [M] /usr/lib/vmware/modules/source/vmnet-only/vnetUserListener.o
Function size is missing from the size_overflow hash table +size+VNet_EventHeader+0+15382+
Function VNetKernel_MemoryAllocate is missing from the size_overflow hash table +VNetKernel_MemoryAllocate+fndecl+1+53131+
Function VNetKernel_MemoryAllocate is missing from the size_overflow hash table +VNetKernel_MemoryAllocate+fndecl+1+53131+
Function size is missing from the size_overflow hash table +size+VNet_EventHeader+0+15382+
Function VNetUserListenerRead is missing from the size_overflow hash table +VNetUserListenerRead+fndecl+4+34039+
LD [M] /usr/lib/vmware/modules/source/vmnet-only/vmnet.o
/usr/lib/vmware/modules/source/vmnet-only/bridge.o:(*ABS*+0x5bed9002): multiple definition of `__rap_hash_VNetBridge_Create'
scripts/Makefile.build:395: recipe for target '/usr/lib/vmware/modules/source/vmnet-only/vmnet.o' failed
make[2]: *** [/usr/lib/vmware/modules/source/vmnet-only/vmnet.o] Error 1
Makefile:1409: recipe for target '_module_/usr/lib/vmware/modules/source/vmnet-only' failed
make[1]: *** [_module_/usr/lib/vmware/modules/source/vmnet-only] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.5.7-grsec'
Makefile:120: recipe for target 'vmnet.ko' failed
make: *** [vmnet.ko] Error 2
make: Leaving directory '/usr/lib/vmware/modules/source/vmnet-only'
sth0R
 
Posts: 9
Joined: Fri May 09, 2014 11:03 am

Re: vmnet-only can't be compiled with RAP

Postby PaX Team » Tue Jun 14, 2016 5:10 am

RAP doesn't cause any problems, it merely detects an existing bug that could cause problems at runtime if the involved function was ever called indirectly. in this particular case the problem is that the source code has incompatible declarations of VNetBridge_Create:
driver.c
60:extern int VNetBridge_Create(char *devName, uint32 flags, VNetJack *hubJack,
61-                             VNetPort **ret);

vs.

bridge.c
228: * VNetBridge_Create --
229- *
230- *      Creates a bridge. Allocates struct, allocates internal device,
231- *      initializes port/jack, and creates a proc entry. Finally, creates an
232- *      event sender and register itself with the kernel for device state
258:VNetBridge_Create(const char *devName, // IN:  name of device (e.g., "eth0")
259-                  uint32 flags,        // IN:  configuration flags
260-                  VNetJack *hubJack,   // IN:  the future hub
261-                  VNetPort **ret)      // OUT: port to virtual hub
As you can see, the first parameter is declared as const char* in one place and char* in the other; you'll have to change one or the other, probably the former is the intended one.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: vmnet-only can't be compiled with RAP

Postby sth0R » Wed Jun 15, 2016 5:16 am

Thanks for the explanation. This compile error was solved, and now it panics when loading VMware's kernel module. RAP found another bug in VMware's out-of-tree LKM.
[ 97.774914] /dev/vmmon[4793]: Module vmmon: initialized
[ 97.793827] Guest personality initialized and is inactive
[ 97.793887] VMCI host device registered (name=vmci, major=10, minor=54)
[ 97.793889] Initialized host personality
[ 97.821885] NET: Registered protocol family 40
[ 97.923160] /dev/vmnet: open called by PID 4908 (vmnet-bridge)
[ 97.923170] /dev/vmnet: hub 0 does not exist, allocating memory.
[ 97.923181] /dev/vmnet: port on hub 0 successfully opened
[ 97.923187] bridge-enp3s0: up
[ 97.923190] bridge-enp3s0: attached
[ 98.293778] REJECT IN=enp3s0 OUT= MAC=ff:ff:ff:ff:ff:ff:a4:34:d9:93:72:d1:08:00 SRC=192.168.1.83 DST=192.168.1.255 LEN=291 TOS=0x00 PREC=0x00 TTL=128 ID=25831 PROTO=UDP SPT=54915 DPT=54915 LEN=271
[ 98.971256] /dev/vmnet: open called by PID 4915 (vmnet-netifup)
[ 98.971282] /dev/vmnet: hub 1 does not exist, allocating memory.
[ 98.971336] /dev/vmnet: port on hub 1 successfully opened
[ 98.984403] PAX: overwritten function pointer or return address detected: 0000 [#1] SMP
[ 98.984437] Modules linked in: vmnet(OE) parport_pc vmw_vsock_vmci_transport vsock vmw_vmci vmmon(OE) rfcomm xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat bridge stp llc ebtable_filter ebtables xt_recent xt_tcpudp xt_multiport nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_limit ip6table_mangle ip6table_filter ip6_tables iptable_mangle iptable_filter ip_tables x_tables bnep nf_conntrack_irc nf_conntrack_ftp nf_conntrack arc4 i2c_designware_platform i2c_designware_core binfmt_misc dell_wmi sparse_keymap nls_iso8859_1 snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic intel_rapl x86_pkg_temp_thermal intel_powerclamp snd_soc_skl snd_soc_skl_ipc coretemp snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_soc_sst_match snd_soc_core snd_compress ac97_bus snd_pcm_dmaengine dw_dmac_core snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep input_leds serio_raw snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq uvcvideo ath10k_pci videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videodev ath10k_core joydev ath snd_seq_device mac80211 snd_timer snd cfg80211 media videobuf2_core soundcore btusb btrtl shpchp idma64 mei_me virt_dma mei intel_lpss_pci processor_thermal_device intel_soc_dts_iosf int3403_thermal int340x_thermal_zone hci_uart btbcm btqca btintel bluetooth intel_lpss_acpi intel_lpss dell_rbtn acpi_pad mac_hid int3400_thermal tpm_crb acpi_thermal_rel acpi_als kfifo_buf industrialio kvm_intel kvm irqbypass netconsole configfs ppdev lp parport autofs4 btrfs xor raid6_pq drbg ansi_cprng algif_skcipher af_alg dm_crypt dm_mirror dm_region_hash dm_log hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel nouveau aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd i915 psmouse mxm_wmi ttm i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt alx fb_sys_fops mdio nvme drm wmi video pinctrl_sunrisepoint pinctrl_intel fjes [last unloaded: parport_pc]
[ 98.985173] CPU: 2 PID: 4924 Comm: ifquery Tainted: G OE 4.5.7-grsec #1
[ 98.985195] Hardware name: xXx
[ 98.985219] task: ffff88046a014d00 ti: ffff88046a015788 task.ti: ffff88046a015788
[ 98.985239] RIP: 0010:[<ffffffff8178d9c0>] [<ffffffff8178d9c0>] dev_hard_start_xmit+0x3e0/0x550
[ 98.985270] RSP: 0000:ffff8804c4103b70 EFLAGS: 00010283
[ 98.985285] RAX: ffffffffc0caa670 RBX: ffff8804ada3d200 RCX: ffff8804c4103bfc
[ 98.985305] RDX: ffffffffc0caf320 RSI: ffff88046a2b6040 RDI: ffff8804ada3d200
[ 98.985325] RBP: ffff8804c4103be0 R08: ffff8804ac972f6c R09: 0000000000000001
[ 98.985349] R10: 00000000000001c8 R11: ffff8804a6f80000 R12: ffffffff820f50d0
[ 98.985373] R13: ffff8804ada3d200 R14: 0000000000000000 R15: ffff88046a2b6040
[ 98.985393] FS: 0000000000000000(0000) GS:ffff8804c4100000(0000) knlGS:0000000000000000
[ 98.985415] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 98.985431] CR2: 0000000000400040 CR3: 000000045ff1b000 CR4: 00000000003606f0
[ 98.985451] Stack:
[ 98.985458] 160000e000020000 0000000000000000 ffff8804c4103bfc ffff8804a4c68618
[ 98.985484] 00ff8804a4c68618 0000000000000000 ffff88046a2b6040 ffff88046a2b6040
[ 98.985511] ffff8804c4103be0 ffff8804ac972ec0 ffff8804a4c68618 ffff8804ada3d200
[ 98.985537] Call Trace:
[ 98.985545] <IRQ>
[ 98.985554] [<ffffffff817bb570>] sch_direct_xmit+0x100/0x2c0
[ 98.985572] [<ffffffff8178e11f>] __dev_queue_xmit+0x47f/0x730
[ 98.985591] [<ffffffff818d4c93>] ? _raw_write_unlock_bh+0x33/0x60
[ 98.985610] [<ffffffff8178e3e2>] dev_queue_xmit+0x12/0x30
[ 98.985626] [<ffffffff8179984c>] neigh_resolve_output+0x11c/0x1e0
[ 98.985645] [<ffffffff817de2d0>] ip_finish_output2+0x150/0x350
[ 98.985665] [<ffffffffc086b349>] ? ipv4_confirm+0xd9/0x110 [nf_conntrack_ipv4]
[ 98.985687] [<ffffffff817df7cb>] ip_finish_output+0x13b/0x200
[ 98.985704] [<ffffffff817d071f>] ? nf_hook_slow+0x6f/0xe0
[ 98.985721] [<ffffffff817e03b2>] ip_output+0x72/0xf0
[ 98.985737] [<ffffffff817df690>] ? __ip_flush_pending_frames.isra.42+0x90/0x90
[ 98.985759] [<ffffffff817df9b6>] ip_local_out+0x46/0x60
[ 98.985775] [<ffffffff81824d11>] igmpv3_sendpack+0x51/0x70
[ 98.985791] [<ffffffff818278b1>] igmp_ifc_timer_expire+0x171/0x2a0
[ 98.985810] [<ffffffff81827740>] ? igmp_gq_timer_expire+0x50/0x50
[ 98.985829] [<ffffffff810df35d>] call_timer_fn.isra.24+0x2d/0xa0
[ 98.985846] [<ffffffff810df619>] run_timer_softirq+0x249/0x400
[ 98.985865] [<ffffffff810eed56>] ? clockevents_program_event+0x86/0x140
[ 98.985884] [<ffffffff810753df>] __do_softirq+0xef/0x200
[ 98.985901] [<ffffffff81075654>] irq_exit+0x94/0xb0
[ 98.985916] [<ffffffff810459af>] smp_apic_timer_interrupt+0x4f/0x70
[ 98.985935] [<ffffffff818d60b1>] apic_timer_interrupt+0x81/0x90
[ 98.985952] <EOI>
[ 98.985959] Code: 44 24 30 48 8b 90 90 00 00 00 48 05 90 00 00 00 48 39 c2 0f 85 94 fc ff ff e9 21 ff ff ff 48 c7 44 24 28 00 00 00 00 31 c0 eb 91 <0f> 0b 48 c7 c1 c8 a4 d7 81 48 c7 c2 f5 bf d6 81 be 63 08 00 00
[ 98.986104] RIP [<ffffffff8178d9c0>] dev_hard_start_xmit+0x3e0/0x550
[ 98.986125] RSP <ffff8804c4103b70>
[ 98.992866] ---[ end trace fd20b2a4b39f45ba ]---
[ 98.992871] Kernel panic - not syncing: Fatal exception in interrupt
[ 98.993686] systemd-journald[469]: Compressed data object 811 -> 520 using XZ
[ 98.994234] systemd-journald[469]: Compressed data object 805 -> 540 using XZ
[ 98.996944] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 98.998225] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
sth0R
 
Posts: 9
Joined: Fri May 09, 2014 11:03 am

Re: vmnet-only can't be compiled with RAP

Postby minipli » Wed Jun 15, 2016 3:23 pm

...
[ 98.986104] RIP [<ffffffff8178d9c0>] dev_hard_start_xmit+0x3e0/0x550


Wild guess (I have no sources of the vmware module ;) ): the return type of VNetNetifStartXmit() needs to be changed from int to netdev_tx_t. But, I guess, then it'll just trap on the next type mismatch... :-/
minipli
 
Posts: 21
Joined: Mon Jan 03, 2011 6:39 pm

Re: vmnet-only can't be compiled with RAP

Postby PaX Team » Wed Jun 15, 2016 4:44 pm

minipli wrote: The return type of VNetNetifStartXmit() needs to be changed from int to netdev_tx_t.

Yes, that's a bug throughout Linux, as you can see from the many cases I had to fix in there.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
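As an added illustration (not code from this thread, from vmnet or from PaX/grsecurity), here is a toy model of the type-hash check that RAP performs, applied to the two mismatches discussed above: the char* vs const char* declarations of VNetBridge_Create, and the int vs netdev_tx_t return type of the ndo_start_xmit handler. The hash function and the prototype strings are constructed for the example; RAP's real hash and vmnet's real declarations differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a type-based forward-edge CFI check in the spirit of RAP:
 * each function carries a hash of its canonical prototype, and an
 * indirect call compares the hash the caller expects (derived from the
 * pointer's type) with the hash stored for the callee (derived from its
 * definition).  FNV-1a is used here only for the model; RAP uses its own. */
typedef uint64_t rap_hash_t;

static rap_hash_t rap_type_hash(const char *proto)
{
    rap_hash_t h = 0xcbf29ce484222325ULL;
    for (; *proto; proto++) {
        h ^= (unsigned char)*proto;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* A callee as the link step sees it: symbol name plus the hash emitted
 * for its definition. */
struct rap_callee { const char *name; rap_hash_t hash; };

/* Indirect call site: returns 1 when the hashes agree, 0 when RAP would
 * report "overwritten function pointer or return address detected". */
static int rap_check_call(const char *expected_proto, const struct rap_callee *cb)
{
    return rap_type_hash(expected_proto) == cb->hash;
}

/* VNetBridge_Create: driver.c declares it with char *, bridge.c defines
 * it with const char *.  Two prototypes yield two different hash values
 * for one symbol, which is what the "multiple definition of
 * __rap_hash_VNetBridge_Create" link error in the thread reports. */
static int bridge_create_decls_agree(void)
{
    return rap_type_hash("int(char*,uint32,VNetJack*,VNetPort**)") ==
           rap_type_hash("int(const char*,uint32,VNetJack*,VNetPort**)");
}

/* ndo_start_xmit is called through a pointer of type
 * netdev_tx_t (*)(struct sk_buff*, struct net_device*).  A module whose
 * handler returns int only passes once its return type is corrected. */
static int xmit_call_allowed(const char *module_return_type)
{
    char proto[128];
    snprintf(proto, sizeof proto, "%s(struct sk_buff*,struct net_device*)", module_return_type);
    struct rap_callee cb = { "VNetNetifStartXmit", rap_type_hash(proto) };
    return rap_check_call("netdev_tx_t(struct sk_buff*,struct net_device*)", &cb);
}
```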

