System freezes quickly - grsecurity-3.1-4.2.6-201511211841

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

System freezes quickly - grsecurity-3.1-4.2.6-201511211841

Postby rfnx » Sun Nov 22, 2015 7:58 am

Hello,

With the latest grsec patch - grsecurity-3.1-4.2.6-201511211841.patch - my two computers freeze after a few minutes, with no message. They are both running Archlinux (updated). Ask me more info if you need.

Bye.
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby PaX Team » Sun Nov 22, 2015 9:44 am

what gcc did you compile the kernel with? and if sysrq works, can you get a task list?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby rfnx » Sun Nov 22, 2015 10:41 am

Thanks for your reply, I compiled it with latest gcc version from Archlinux, 5.2.0 (https://www.archlinux.org/packages/core/x86_64/gcc/).

What is a task list ?

EDIT : Also, since this patch I have a lot of new warnings at the beginning of the kernel compilation, before configuring the kernel when there are lines like "HOSTCXX -fPIC tools/gcc/colorize_plugin.o". It's only warnings, but it is new.
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby PaX Team » Sun Nov 22, 2015 11:13 am

ok, that's a new enough gcc without a particular problem i was thinking of. so the next task would be to get the kernel logs, either by taking a screenshot (you should stay in console mode if possible) or getting it via netconsole or a serial console. also do you have SIZE__OVERFLOW enabled? if so, can you disable it and see if the kernel works then?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby rfnx » Sun Nov 22, 2015 11:45 am

I can't give you logs because when it happens, the system is completly frozen, I can only reset the computer. The system logs stop here and I have nothing interesting.

I'll recompile without SIZE_OVERFLOW and post results later.
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby rfnx » Mon Nov 23, 2015 11:18 pm

Same problem with latest patch grsecurity-3.1-4.2.6-201511232037.patch .

The problem happens every time on my server, a few minutes after the boot. But I can't use this computer to debug because 1. it's not its role and 2. it's headless.
On my desktop computer, the bug occurs randomly, and sometimes it happens after a long time. And I don't have time this week to debug.

I'm sure other people have this problem, I can't be alone. So please help.
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby PaX Team » Tue Nov 24, 2015 4:41 am

did you try it without SIZE_OVERFLOW?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby rfnx » Tue Nov 24, 2015 2:33 pm

It works without SIZE_OVERFLOW.

As a side note, 99% of the time I had issues with grsec patches, it was caused by this option. So, is it really worth it ? Also, there was an option a few weeks ago (SIZE_OVERFLOW_DISABLE_KILL) to avoid crashes (again, it was done since this option caused a lot of problems), maybe you could consider adding it permanently for people who don't want to spend hours on this forum :P .
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby PaX Team » Tue Nov 24, 2015 2:53 pm

yes, it's worth it given this is probably the feature in grsec that found the most real bugs so far (not to mention the protection against 0-day bugs such as CVE-2013-0913). as for bringing back the DISABLE_KILL option, we added it temporarily exactly so that users still experiencing size overflow reports would have a chance to report them back to us and since the reports stopped coming in, spender reverted it. my guess is that you'll find such reports in your kernel logs for this period so you should dig them out and report them here.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby rfnx » Tue Nov 24, 2015 4:06 pm

I checked all the logs I could find, and I have no size_overflow error. I reported some errors a few weeks ago, but after that everything was working correctly, until the 3 latest patch (4.2.6.201511182042 is the last working version for me).
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby nail » Wed Nov 25, 2015 4:42 am

The same issue with Linux version 4.2.6.201511211841-1-grsec.
Here last journalctl messages before system freezing:
http://pastebin.com/gR71Vay2
nail
 
Posts: 15
Joined: Mon Oct 19, 2015 2:57 am

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby rfnx » Wed Nov 25, 2015 11:23 am

For me the biggest issue here is to see that the Archlinux package has been updated, even if I reported issue before.

Archlinux official repo isn't a play ground.
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby ephox » Wed Nov 25, 2015 8:04 pm

Could you please apply this patch and send me the result from dmesg?
Code: Select all
--- fs/exec.c.orig      2015-11-26 00:58:28.080278749 +0100
+++ fs/exec.c   2015-11-26 00:58:56.152280378 +0100
@@ -2224,7 +2224,7 @@
 {
        printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
        dump_stack();
-       do_group_exit(SIGKILL);
+//     do_group_exit(SIGKILL);
 }
 EXPORT_SYMBOL(report_size_overflow);
 #endif
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby rfnx » Wed Nov 25, 2015 10:09 pm

I patched and now I have a lot of these errors : PAX: size overflow detected in function ipv6_gro_receive include/linux/skbuff.h:1969 cicus.141_209 min, count: 38, decl: len; num: 0; context: sk_buff;

Log :

Code: Select all
[   38.131937] PAX: size overflow detected in function ipv6_gro_receive include/linux/skbuff.h:1969 cicus.141_209 min, count: 38, decl: len; num: 0; context: sk_buff;
[   38.131989] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 4.2.6.201511232037-3-grsec-custom #1
[   38.131990] Hardware name: System manufacturer System Product Name/P8Z77, BIOS 1225 12/07/2012
[   38.131991]  ffffffff98a0485f 46c8725b4eb91ffe 0000000000000000 ffffffff988ffa19
[   38.131993]  ffff88081fb03cc8 ffffffff985e828d 0000000000000097 ffffffff989306da
[   38.131995]  ffff88081fb03cf8 ffffffff9819f4e4 000000000000003a 0000000000000028
[   38.131996] Call Trace:
[   38.131997]  <IRQ>  [<ffffffff985e828d>] dump_stack+0x45/0x5d
[   38.132003]  [<ffffffff9819f4e4>] report_size_overflow+0x34/0x50
[   38.132005]  [<ffffffff985c3e4e>] ipv6_gro_receive+0xa0e/0xb10
[   38.132007]  [<ffffffff984b2f5c>] dev_gro_receive+0x29c/0x670
[   38.132009]  [<ffffffff982f59dc>] ? swiotlb_sync_single+0x4c/0x70
[   38.132010]  [<ffffffff984b3650>] napi_gro_receive+0x20/0x90
[   38.132014]  [<ffffffffc032926f>] rtl8169_poll+0x2cf/0x680 [r8169]
[   38.132015]  [<ffffffff984b47d3>] net_rx_action+0x1f3/0x300
[   38.132018]  [<ffffffff98068a67>] __do_softirq+0xf7/0x210
[   38.132019]  [<ffffffff98068cba>] irq_exit+0x6a/0x70
[   38.132021]  [<ffffffff980056f5>] do_IRQ+0x55/0xf0
[   38.132023]  [<ffffffff985eea9a>] common_interrupt+0x9a/0x9a
[   38.132024]  <EOI>  [<ffffffff98464536>] ? cpuidle_enter_state+0x156/0x210
[   38.132027]  [<ffffffff9846452f>] ? cpuidle_enter_state+0x14f/0x210
[   38.132029]  [<ffffffff98464654>] cpuidle_enter+0x24/0x40
[   38.132031]  [<ffffffff980a935b>] call_cpuidle+0x3b/0x70
[   38.132032]  [<ffffffff980a9531>] cpu_startup_entry+0x1a1/0x260
[   38.132034]  [<ffffffff980403b0>] ? lapic_get_maxlvt+0x40/0x40
[   38.132036]  [<ffffffff98046f10>] ? x2apic_apic_id_registered+0x20/0x20
[   38.132038]  [<ffffffff9803e372>] start_secondary+0x1f2/0x230
[   38.165143] PAX: size overflow detected in function ipv6_gro_receive include/linux/skbuff.h:1969 cicus.141_209 min, count: 38, decl: len; num: 0; context: sk_buff;
[   38.165195] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 4.2.6.201511232037-3-grsec-custom #1
[   38.165196] Hardware name: System manufacturer System Product Name/P8Z77, BIOS 1225 12/07/2012
[   38.165197]  ffffffff98a0485f 46c8725b4eb91ffe 0000000000000000 ffffffff988ffa19
[   38.165198]  ffff88081fb03cc8 ffffffff985e828d 0000000000000097 ffffffff989306da
[   38.165200]  ffff88081fb03cf8 ffffffff9819f4e4 000000000000003a 0000000000000028
[   38.165201] Call Trace:
[   38.165202]  <IRQ>  [<ffffffff985e828d>] dump_stack+0x45/0x5d
[   38.165206]  [<ffffffff9819f4e4>] report_size_overflow+0x34/0x50
[   38.165208]  [<ffffffff985c3e4e>] ipv6_gro_receive+0xa0e/0xb10
[   38.165209]  [<ffffffff984b2f5c>] dev_gro_receive+0x29c/0x670
[   38.165211]  [<ffffffff982f59dc>] ? swiotlb_sync_single+0x4c/0x70
[   38.165212]  [<ffffffff984b3650>] napi_gro_receive+0x20/0x90
[   38.165215]  [<ffffffffc032926f>] rtl8169_poll+0x2cf/0x680 [r8169]
[   38.165216]  [<ffffffff984b47d3>] net_rx_action+0x1f3/0x300
[   38.165218]  [<ffffffff98068a67>] __do_softirq+0xf7/0x210
[   38.165220]  [<ffffffff98068cba>] irq_exit+0x6a/0x70
[   38.165221]  [<ffffffff980056f5>] do_IRQ+0x55/0xf0
[   38.165222]  [<ffffffff985eea9a>] common_interrupt+0x9a/0x9a
[   38.165223]  <EOI>  [<ffffffff98464536>] ? cpuidle_enter_state+0x156/0x210
[   38.165226]  [<ffffffff9846452f>] ? cpuidle_enter_state+0x14f/0x210
[   38.165227]  [<ffffffff98464654>] cpuidle_enter+0x24/0x40
[   38.165229]  [<ffffffff980a935b>] call_cpuidle+0x3b/0x70
[   38.165230]  [<ffffffff980a9531>] cpu_startup_entry+0x1a1/0x260
[   38.165231]  [<ffffffff980403b0>] ? lapic_get_maxlvt+0x40/0x40
[   38.165233]  [<ffffffff98046f10>] ? x2apic_apic_id_registered+0x20/0x20
[   38.165235]  [<ffffffff9803e372>] start_secondary+0x1f2/0x230


This problem was previously fixed (see viewtopic.php?f=3&t=4287) but it's happening again.
rfnx
 
Posts: 30
Joined: Sat Dec 20, 2014 8:06 am

Re: System freezes quickly - grsecurity-3.1-4.2.6-2015112118

Postby ephox » Fri Nov 27, 2015 2:47 pm

rfnx wrote:
Code: Select all
[   38.165143] PAX: size overflow detected in function ipv6_gro_receive include/linux/skbuff.h:1969 cicus.141_209 min, count: 38, decl: len; num: 0; context: sk_buff;


Thanks for the report, it will be fixed in the next grsec patch.
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Next

Return to grsecurity support