grsec stopping but not killing process

Re: grsec stopping but not killing process

Postby buswellj » Sat Mar 22, 2008 1:49 pm

The problem appears to be with the pax patches. I tested it with -test34 applied and the same problem occurs:

execve("./anonmap", ["./anonmap"], [/* 8 vars */]) = 0
brk(0) = 0x8059ab8
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/sse2/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686/sse2", 0xb8669640) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686", 0xb8669640) = -1 ENOENT (No such file or directory)
open("/lib/tls/sse2/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/sse2", 0xb8669640) = -1 ENOENT (No such file or directory)
open("/lib/tls/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls", 0xb8669640) = -1 ENOENT (No such file or directory)
open("/lib/i686/sse2/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686/sse2", 0xb8669640) = -1 ENOENT (No such file or directory)
open("/lib/i686/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686", 0xb8669640) = -1 ENOENT (No such file or directory)
open("/lib/sse2/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/sse2", 0xb8669640) = -1 ENOENT (No such file or directory)
open("/lib/libpthread.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340L\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=111398, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa408a000
mmap2(NULL, 90592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xa4073000
mmap2(0xa4086000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12) = 0xa4086000
mmap2(0xa4088000, 4576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xa4088000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240Z\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1443421, ...}) = 0
mmap2(NULL, 1226396, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xa3f47000
mmap2(0xa406d000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x126) = 0xa406d000
mmap2(0xa4070000, 9884, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xa4070000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa3f46000
set_thread_area({entry_number:-1 -> 6, base_addr:0xa3f466c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
open("/dev/erandom", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/dev/urandom", O_RDONLY) = 3
read(3, "\2742\"\22", 4) = 4
close(3) = 0
mprotect(0xa406d000, 4096, PROT_READ) = 0
mprotect(0xa40a6000, 4096, PROT_READ) = 0
set_tid_address(0xa3f46708) = 608
set_robust_list(0xa3f46710, 0xc) = 0
rt_sigaction(SIGRTMIN, {0xa40778c0, [], SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0xa40777e0, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
uname({sys="Linux", node="(none)", ...}) = 0
fstat64(1, {st_mode=S_IFCHR|0622, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa3f45000
write(1, "Executable anonymous mapping "..., 43Executable anonymous mapping : ) = 43
clone(Process 609 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xa3f46708) = 609
[pid 609] mmap2(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa3744000
[pid 609] brk(0) = 0x8059ab8
[pid 609] brk(0x807aab8) = 0x807aab8
[pid 609] brk(0x807b000) = 0x807b000
[pid 609] mprotect(0xa3744000, 4096, PROT_NONE) = 0
[pid 609] clone(Process 610 attached
child_stack=0xa3f444b4, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED, parent_tidptr=0xa3f44bd8, {entry_number:6, base_addr:0xa3f44b90, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0xa3f44bd8) = 610
[pid 610] set_robust_list(0xa3f44be0, 0xc) = 0
[pid 610] pause( <unfinished ...>
[pid 609] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xa3743000
[pid 608] wait4(-1, Process 608 suspended

Any ideas?
buswellj
 
Posts: 17
Joined: Wed Mar 19, 2008 1:26 pm

Re: grsec stopping but not killing process

Postby buswellj » Sat Mar 22, 2008 10:04 pm

I confirmed that this is also broken with:

pax-linux-2.6.24.1-test12.patch

when patched against 2.6.24.3

I will go test the stable grsec patch with 2.6.19 on the same hardware.

Thanks
buswellj
 
Posts: 17
Joined: Wed Mar 19, 2008 1:26 pm

Re: grsec stopping but not killing process

Postby buswellj » Sat Mar 22, 2008 11:32 pm

I've confirmed that this is *also* broken in 2.6.19.2 with the latest stable grsec patch (2.1.10-2.6.19.2-200701222307):

I also had someone confirm it was broken in 2.6.24.2 on Intel P3 hardware.

We are building the kernel without module support, with squashfs support and using initramfs. We are also running these tests *before* running switch_root. I don't think that matters, but I thought I'd throw it out there. I can give you guys remote access to the box or debug via IRC if you want to?

/qa/test # ./writetext
Writable text segments : Killed
/qa/test # ./anonmap
Executable anonymous mapping :
/qa/test # ./strace -f ./anonmap
execve("./anonmap", ["./anonmap"], [/* 8 vars */]) = 0
brk(0) = 0x8057ef8
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/sse2/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686/sse2", 0x5a882110) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686", 0x5a882110) = -1 ENOENT (No such file or directory)
open("/lib/tls/sse2/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/sse2", 0x5a882110) = -1 ENOENT (No such file or directory)
open("/lib/tls/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls", 0x5a882110) = -1 ENOENT (No such file or directory)
open("/lib/i686/sse2/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686/sse2", 0x5a882110) = -1 ENOENT (No such file or directory)
open("/lib/i686/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686", 0x5a882110) = -1 ENOENT (No such file or directory)
open("/lib/sse2/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/sse2", 0x5a882110) = -1 ENOENT (No such file or directory)
open("/lib/libpthread.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340L\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=111398, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4d2c3000
mmap2(NULL, 90592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4d2ac000
mmap2(0x4d2bf000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12) = 0x4d2bf000
mmap2(0x4d2c1000, 4576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4d2c1000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240Z\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1443421, ...}) = 0
mmap2(NULL, 1226396, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4d180000
mmap2(0x4d2a6000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x126) = 0x4d2a6000
mmap2(0x4d2a9000, 9884, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4d2a9000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4d17f000
set_thread_area({entry_number:-1 -> 6, base_addr:0x4d17f6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
open("/dev/erandom", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/dev/urandom", O_RDONLY) = 3
read(3, "\225F\212\360", 4) = 4
close(3) = 0
mprotect(0x4d2a6000, 4096, PROT_READ) = 0
mprotect(0x4d2df000, 4096, PROT_READ) = 0
set_tid_address(0x4d17f708) = 502
set_robust_list(0x4d17f710, 0xc) = 0
rt_sigaction(SIGRTMIN, {0x4d2b08c0, [], SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x4d2b07e0, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
uname({sys="Linux", node="(none)", ...}) = 0
fstat64(1, {st_mode=S_IFCHR|0622, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4d17e000
write(1, "Executable anonymous mapping "..., 43Executable anonymous mapping : ) = 43
clone(Process 503 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x4d17f708) = 503
[pid 502] wait4(-1, Process 502 suspended
<unfinished ...>
[pid 503] mmap2(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4c97d000
[pid 503] brk(0) = 0x8057ef8
[pid 503] brk(0x8078ef8) = 0x8078ef8
[pid 503] brk(0x8079000) = 0x8079000
[pid 503] mprotect(0x4c97d000, 4096, PROT_NONE) = 0
[pid 503] clone(Process 504 attached
child_stack=0x4d17d4b4, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED, parent_tidptr=0x4d17dbd8, {entry_number:6, base_addr:0x4d17db90, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0x4d17dbd8) = 504
[pid 503] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4c97c000
[pid 504] set_robust_list(0x4d17dbe0, 0xc) = 0
[pid 504] pause(
buswellj
 
Posts: 17
Joined: Wed Mar 19, 2008 1:26 pm

Re: grsec stopping but not killing process

Postby PaX Team » Sun Mar 23, 2008 9:43 am

buswellj wrote: We are building the kernel without module support, with squashfs support and using initramfs. We are also running these tests *before* running switch_root. I don't think that matters, but I thought I'd throw it out there.
if it does, it's easy to decide: can you disable the early run of paxtest and do it instead once userland started up completely? if that works then it's some userland interference (say, do you have klibc instead of glibc in the initramfs?), we'll see if we need remote debugging or can figure it out without. you can find me/us on OFTC in #grsecurity btw.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grsec stopping but not killing process

Postby PaX Team » Sun Mar 23, 2008 10:16 am

buswellj wrote: We are building the kernel without module support, with squashfs support and using initramfs. We are also running these tests *before* running switch_root. I don't think that matters, but I thought I'd throw it out there.
one more thing, it may have something to do with coredumping as that's pretty much the only point left where it can get stuck. can processes dump core in that environment? what are the ulimits, etc?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grsec stopping but not killing process

Postby buswellj » Sun Mar 23, 2008 12:26 pm

ah, we disabled ELF core dumping in the kernel :) I'll go turn it back on and see if that fixes the problem...

we're using glibc, I took a look at the switch_root code, it doesn't do anything special other than remount and rm -rf stuff, so it's not that. We've also ruled out the lack of module support.

what is a good time to catch you on irc? I'm on #grsecurity (jbsn)

thanks
buswellj
 
Posts: 17
Joined: Wed Mar 19, 2008 1:26 pm

Re: grsec stopping but not killing process

Postby buswellj » Sun Mar 23, 2008 9:36 pm

I've got this figured out, will post up a patch shortly.

thanks
buswellj
 
Posts: 17
Joined: Wed Mar 19, 2008 1:26 pm

Re: grsec stopping but not killing process

Postby buswellj » Sun Mar 23, 2008 10:16 pm

The problem was that we had ELF_CORE disabled, here is a quick patch to prevent this particular configuration :)

diff -urNp security/Kconfig.old security/Kconfig
--- security/Kconfig.old 2008-03-23 22:10:56.000000000 -0400
+++ security/Kconfig 2008-03-23 22:09:12.000000000 -0400
@@ -98,7 +98,7 @@ menu "Non-executable pages"

config PAX_NOEXEC
bool "Enforce non-executable pages"
- depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
+ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64) && (ELF_CORE)
help
By design some architectures do not allow for protecting memory
pages against execution or even if they do, Linux does not make
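Review bot: the added "&& (ELF_CORE)" on the "depends on" line of PAX_NOEXEC makes the whole option unavailable whenever ELF_CORE is off, so a kernel configured without ELF core dumps loses non-executable page enforcement with no hint in the menu as to why. If the requirement is real, "select ELF_CORE" or a sentence in the help text would keep the protection selectable and make the coupling visible. The hunk also gives no reason why PAX_NOEXEC needs ELF_CORE, which belongs in the patch description, and the parentheses around the single symbol are unnecessary.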
buswellj
 
Posts: 17
Joined: Wed Mar 19, 2008 1:26 pm

Re: grsec stopping but not killing process

Postby PaX Team » Wed Mar 26, 2008 6:37 pm

buswellj wrote:- depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
+ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64) && (ELF_CORE)
khm, this is where the baby went with the bathwater i guess ;), a better fix should be in the latest test patch.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
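
A bounded wait that a test runner could put around each test case, so that a child which never terminates is reported instead of blocking the run the way the parent does in the wait4(-1, ... lines of the traces above. This is an added example, not code from the thread or from paxtest; run_bounded and the three child_* stand-ins are hypothetical names constructed here.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum outcome { EXITED, KILLED, HUNG, FAILED };

/* Constructed stand-ins for test cases (hypothetical, not paxtest code). */
static void child_exits(void)  { }                    /* returns normally */
static void child_killed(void) { raise(SIGKILL); }    /* dies by signal   */
static void child_hangs(void)  { for (;;) pause(); }  /* never terminates */

/* Run fn in a child and classify how it ended, polling for at most
 * timeout_ms instead of blocking in an unbounded wait. */
enum outcome run_bounded(void (*fn)(void), int timeout_ms)
{
    const struct timespec tick = { 0, 10 * 1000 * 1000 }; /* 10 ms */
    int status;
    pid_t pid = fork();

    if (pid < 0) return FAILED;
    if (pid == 0) { fn(); _exit(0); }

    for (int waited = 0; waited <= timeout_ms; waited += 10) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            return WIFSIGNALED(status) ? KILLED : EXITED;
        if (r < 0)
            return FAILED;
        nanosleep(&tick, NULL);
    }
    /* Deadline passed with the child still unreaped. Clean up without
     * blocking: a child stuck inside the kernel may not go away. */
    kill(pid, SIGKILL);
    nanosleep(&tick, NULL);
    waitpid(pid, &status, WNOHANG);
    return HUNG;
}

int main(void)
{
    void (*cases[])(void) = { child_exits, child_killed, child_hangs };
    for (int i = 0; i < 3; i++)   /* prints 0=EXITED 1=KILLED 2=HUNG */
        printf("case %d -> outcome %d\n", i, run_bounded(cases[i], 300));
    return 0;
}
```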
