grsecurity forums

by **zakalwe** » Thu May 03, 2007 1:02 pm

Kernel 2.6.21.1-grsec
Gentoo Hardened

When I enable the rbac system with no specific /bin/ls subject, and I login as root and type "ls", I get:

Code: Select all: PAX: suspicious general protection fault: 0000 [#5] CPU: 0 EIP: 0060:[<00127860>] Not tainted VLI EFLAGS: 00010207 (2.6.21.1-grsec #2) eax: 00000000 ebx: 00000000 ecx: 00000006 edx: 0000000f esi: 00000000 edi: c06aeb82 ebp: c06cc1f1 esp: c9cc5e0c ds: 0068 es: 0068 fs: 00d8 gs: 0033 ss: 0068 Process ls (pid: 18935, ti=c9cc4000 task=c155c5c0 task.ti=c9cc4000) Stack: 00000000 0003e765 001321f8 00000000 00000000 c0c06420 c0c06574 00000044 c0c06570 dfd1ce74 000280d2 00030002 c06aeb7b 00000001 00000000 c9cc0002 c1667000 c0c06158 0000000e 0000000b 0003e9f4 c13fa000 dd22ad84 c0c04b40 Call Trace: ======================= Code: c6 c0 89 d8 89 5c 24 34 8b 5c 24 44 83 c8 04 85 c9 0f 44 44 24 34 89 74 24 40 81 fb 40 4b c0 c0 89 44 24 34 74 2c 31 f6 8d 76 00 <8b> 7b 04 b9 ff ff ff ff 89 f0 89 7c 24 30 f2 ae f7 d1 49 66 ff EIP: [<00127860>] SS:ESP 0068:c9cc5e0c

I don't know if this is a bug, feature, something sinister or what. Various other commands work, or get killed and logged by grsec correctly.

/etc/grsec/policy :

Code: Select all: role admin sA subject / rvka / rwcdmlxi role default subject / { / h -CAP_ALL connect disabled bind disabled } role root uG role_transitions admin role_allow_ip 0.0.0.0/32 role_allow_ip 192.168.0.0/24 subject / { / r /bin xi /etc rx /etc/grsec h /etc/shadow h /etc/passwd h /lib rxi /proc h /proc/meminfo r /sbin h /sbin/gradm x /usr h /usr/bin/find x /usr/sbin/run-crons rx /var h /var/spool/cron/lastrun /var/spool/mail /var/run r /dev /dev/null w /dev/tty rw /dev/urandom r /dev/grsec h /dev/mem h /dev/kmem h /dev/port h /dev/log h -CAP_ALL bind disabled connect disabled } subject /usr/sbin/sshd opd { user_transition_allow root group_transition_allow root / /bin/bash x /dev h /dev/log rw /dev/null rw /dev/ptmx rw /dev/pts rw /dev/urandom r /dev/random r /dev/tty rw /etc h /etc/group r /etc/passwd r /etc/shadow r /etc/ld.so.cache r /etc/ssh r /etc/nsswitch.conf r /etc/host.conf r /etc/hosts r /etc/resolv.conf r /etc/protocols r /etc/pam.d r /etc/security/pam_env.conf r /etc/security/limits.conf r /root r /root/.bash_history w /lib rx /usr h /usr/lib /usr/lib/libcrypto.so.0.9.8 rx /usr/lib/libssl.so.0.9.8 rx /usr/sbin/sshd rx /usr/share/zoneinfo/GB r /var h /var/empty rw /var/log /var/log/lastlog rw /var/log/wtmp w /var/run /var/run/utmp rw /proc r /proc/kcore h /proc/bus h -CAP_ALL +CAP_CHOWN +CAP_DAC_OVERRIDE +CAP_SETGID +CAP_SETUID +CAP_SYS_CHROOT +CAP_SYS_RESOURCE +CAP_SYS_TTY_CONFIG } subject /bin/bash { / /bin x /lib rx /proc h /proc/meminfo r /sbin h /sbin/gradm x /usr rx /usr/sbin/run-crons x /var h /var/run r /var/spool/mail /dev /dev/null w /dev/tty rw /dev/urandom r /dev/grsec h /dev/mem h /dev/kmem h /dev/port h /dev/log h /etc r /etc/ssh h /etc/shadow h /root /root/.bash_history rwa /root/.bashrc r /root/.profile r -CAP_ALL bind disabled connect disabled }

by **PaX Team** » Thu May 03, 2007 4:46 pm

zakalwe wrote:I don't know if this is a bug, feature, something sinister or what. Various other commands work, or get killed and logged by grsec correctly.

it looks like a NULL derefence caught by UDEREF. you should decode the oops or send us your System.map at least to determine what code caused it.

by **zakalwe** » Thu May 03, 2007 6:38 pm

Code: Select all: ksymoops < grsec.oops.txt ksymoops 2.4.11 on i686 2.6.21.1-grsec. Options used -V (default) -k /proc/ksyms (default) -l /proc/modules (default) -o /lib/modules/2.6.21.1-grsec/ (default) -m /usr/src/linux/System.map (default) Warning: You did not tell me where to find symbol information. I will assume that the log matches the kernel and modules that are running right now and I'll use the default options above for symbol resolution. If the current kernel and/or modules do not match the log, you can get more accurate output by telling me the kernel version and where to find map, modules, ksyms etc. ksymoops -h explains the options. Error (regular_file): read_ksyms stat /proc/ksyms failed ksymoops: No such file or directory No modules in ksyms, skipping objects No ksyms, skipping lsmod CPU: 0 EIP: 0060:[<00127860>] Not tainted VLI Using defaults from ksymoops -t elf32-i386 -a i386 EFLAGS: 00010207 (2.6.21.1-grsec #2) eax: 00000000 ebx: 00000000 ecx: 00000006 edx: 0000000f esi: 00000000 edi: c06aeb82 ebp: c06cc1f1 esp: c9cc5e0c ds: 0068 es: 0068 fs: 00d8 gs: 0033 ss: 0068 Stack: 00000000 0003e765 001321f8 00000000 00000000 c0c06420 c0c06574 00000044 c0c06570 dfd1ce74 000280d2 00030002 c06aeb7b 00000001 00000000 c9cc0002 c1667000 c0c06158 0000000e 0000000b 0003e9f4 c13fa000 dd22ad84 c0c04b40 Call Trace: Code: c6 c0 89 d8 89 5c 24 34 8b 5c 24 44 83 c8 04 85 c9 0f 44 44 24 34 89 74 24 40 81 fb 40 4b c0 c0 89 44 24 34 74 2c 31 f6 8d 76 00 <8b> 7b 04 b9 ff ff ff ff 89 f0 89 7c 24 30 f2 ae f7 d1 49 66 ff >>EIP; 00127860 <gr_handle_sysctl+70/3b0> <===== >>edi; c06aeb82 <pfkey_ops+e2/3fad4> >>ebp; c06cc1f1 <pfkey_ops+1d751/3fad4> >>esp; c9cc5e0c <pg0+9044e0c/3f091000> This architecture has variable length instructions, decoding before eip is unreliable, take these instructions with a pinch of salt. Code; 00127835 <gr_handle_sysctl+45/3b0> 00000000 <_EIP>: Code; 00127835 <gr_handle_sysctl+45/3b0> 0: c6 c0 89 mov $0x89,%al Code; 00127838 <gr_handle_sysctl+48/3b0> 3: d8 89 5c 24 34 8b fmuls 0x8b34245c(%ecx) Code; 0012783e <gr_handle_sysctl+4e/3b0> 9: 5c pop %esp Code; 0012783f <gr_handle_sysctl+4f/3b0> a: 24 44 and $0x44,%al Code; 00127841 <gr_handle_sysctl+51/3b0> c: 83 c8 04 or $0x4,%eax Code; 00127844 <gr_handle_sysctl+54/3b0> f: 85 c9 test %ecx,%ecx Code; 00127846 <gr_handle_sysctl+56/3b0> 11: 0f 44 44 24 34 cmove 0x34(%esp),%eax Code; 0012784b <gr_handle_sysctl+5b/3b0> 16: 89 74 24 40 mov %esi,0x40(%esp) Code; 0012784f <gr_handle_sysctl+5f/3b0> 1a: 81 fb 40 4b c0 c0 cmp $0xc0c04b40,%ebx Code; 00127855 <gr_handle_sysctl+65/3b0> 20: 89 44 24 34 mov %eax,0x34(%esp) Code; 00127859 <gr_handle_sysctl+69/3b0> 24: 74 2c je 52 <_EIP+0x52> Code; 0012785b <gr_handle_sysctl+6b/3b0> 26: 31 f6 xor %esi,%esi Code; 0012785d <gr_handle_sysctl+6d/3b0> 28: 8d 76 00 lea 0x0(%esi),%esi This decode from eip onwards should be reliable Code; 00127860 <gr_handle_sysctl+70/3b0> 00000000 <_EIP>: Code; 00127860 <gr_handle_sysctl+70/3b0> <===== 0: 8b 7b 04 mov 0x4(%ebx),%edi <===== Code; 00127863 <gr_handle_sysctl+73/3b0> 3: b9 ff ff ff ff mov $0xffffffff,%ecx Code; 00127868 <gr_handle_sysctl+78/3b0> 8: 89 f0 mov %esi,%eax Code; 0012786a <gr_handle_sysctl+7a/3b0> a: 89 7c 24 30 mov %edi,0x30(%esp) Code; 0012786e <gr_handle_sysctl+7e/3b0> e: f2 ae repnz scas %es:(%edi),%al Code; 00127870 <gr_handle_sysctl+80/3b0> 10: f7 d1 not %ecx Code; 00127872 <gr_handle_sysctl+82/3b0> 12: 49 dec %ecx Code; 00127873 <gr_handle_sysctl+83/3b0> 13: 66 data16 Code; 00127874 <gr_handle_sysctl+84/3b0> 14: ff .byte 0xff EIP: [<00127860>] SS:ESP 0068:c9cc5e0c Warning (Oops_read): Code line not seen, dumping what data is available >>EIP; 00127860 <gr_handle_sysctl+70/3b0> <===== 2 warnings and 1 error issued. Results may not be reliable.

by **spender** » Fri May 04, 2007 7:38 pm

This problem should be resolved in the latest patch. Let me know if you still encounter any problems.

-Brad

by **zakalwe** » Fri May 04, 2007 8:36 pm

Excellent, that has fixed it. Thanks

grsecurity forums

/bin/ls crashes with RBAC enabled

/bin/ls crashes with RBAC enabled

Re: /bin/ls crashes with RBAC enabled