Page 1 of 1

PAX: VMMIRROR: fault bug2, 080fd624, 080fd000, 680fd000, 080

PostPosted: Fri Jan 07, 2005 5:44 pm
by crusader
thousands messages of this kind in the system log & dmesg:

PAX: VMMIRROR: fault bug2, 080eba64, 080eb000, 680eb000, 080ed000, 680ec000

what is the reason ?

my config is kernel 2.6.10 + grsecurity-2.1.0-2.6.10-200501071049.patch & linux-2.6.10-secfix-200501071130.patch on INTEL Xeon

The same kernel on AMD Athlon(TM) XP 1800+ has no problem ?!

the config is:

# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
# CONFIG_GRKERNSEC_BRUTE is not set
# CONFIG_GRKERNSEC_HIDESYM is not set

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
# CONFIG_GRKERNSEC_LINK is not set
# CONFIG_GRKERNSEC_FIFO is not set
# CONFIG_GRKERNSEC_CHROOT is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
# CONFIG_GRKERNSEC_FORKFAIL is not set
# CONFIG_GRKERNSEC_TIME is not set
CONFIG_GRKERNSEC_PROC_IPADDR=y

#
# Executable Protections
#
# CONFIG_GRKERNSEC_EXECVE is not set
# CONFIG_GRKERNSEC_SHM is not set
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_SOCKET=y
# CONFIG_GRKERNSEC_SOCKET_ALL is not set
# CONFIG_GRKERNSEC_SOCKET_CLIENT is not set
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=2000

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
# CONFIG_PAX_SEGMEXEC is not set
# CONFIG_PAX_KERNEXEC is not set

#
# Address Space Layout Randomization
#
# CONFIG_PAX_ASLR is not set
# CONFIG_KEYS is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
# CONFIG_SECURITY_SECLVL is not set
# CONFIG_SECURITY_SELINUX is not set

Re: PAX: VMMIRROR: fault bug2, 080fd624, 080fd000, 680fd000,

PostPosted: Fri Jan 07, 2005 9:02 pm
by PaX Team
crusader wrote:thousands messages of this kind in the system log & dmesg:

PAX: VMMIRROR: fault bug2, 080eba64, 080eb000, 680eb000, 080ed000, 680ec000

what is the reason ?
hm, this is an unusual .config you have, you enabled NOEXEC but no actual feature under it, i guess it's not a supported combination ;-), although it should not cause problems like this. for now, either disable it for good, or enable some options under it, i'll fix the config dependencies later.

PostPosted: Sat Jan 08, 2005 6:46 am
by crusader
i`ve tried with:

CONFIG_PAX_SEGMEXEC=y - the problem still persists i will try to disable it

2.4.28 kernel with the same grsec configuration has no problem on the both systesms:

CONFIG_PAX_NOEXEC=y
CONFIG_PAX_SEGMEXEC=y

one question - if i use CONFIG_PAX_NOEXEC=y but no other options it simply does nothing right ? and without CONFIG_PAX_NOEXEC and options i don`t have stack protection ?

10x !

PostPosted: Sat Jan 08, 2005 8:10 am
by PaX Team
crusader wrote:one question - if i use CONFIG_PAX_NOEXEC=y but no other options it simply does nothing right ?
well, it's not supposed to but apparently in your case something's broken with that config. for a test, could you try a plain PaX patch alone and see if you get the problem?
and without CONFIG_PAX_NOEXEC and options i don`t have stack protection ?
correct (and it's about non-exec pages, not only stack protection), although with NOEXEC alone you don't get it either.

PostPosted: Sat Jan 08, 2005 4:50 pm
by crusader
hello again
i`ve tried with make clean &

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
# CONFIG_PAX_MPROTECT is not set
# CONFIG_PAX_KERNEXEC is not set

and there is the same problem:
PAX: VMMIRROR: fault bug2, 080fd624, 080fd000, 680fd000, 080ff000, 680fe000

could you give me a link to this plain pax patch for 2.6.10 ?
i can`t find one at pax.grsecurity.net

PostPosted: Sat Jan 08, 2005 7:34 pm
by PaX Team
crusader wrote:and there is the same problem:
PAX: VMMIRROR: fault bug2, 080fd624, 080fd000, 680fd000, 080ff000, 680fe000
hmm, looks like disabling MPROTECT doesn't work again, will look at it soon.
could you give me a link to this plain pax patch for 2.6.10 ? i can`t find one at pax.grsecurity.net
http://www.grsecurity.net/~paxguy1/

PostPosted: Mon Jan 10, 2005 12:17 pm
by crusader
without:
CONFIG_PAX_NOEXEC & CONFIG_PAX_SEGMEXEC
the problem has gone
can you tell me if this can be fixed because NOEXEC pages are important for me

10x

PostPosted: Wed Dec 21, 2005 9:26 am
by gothfox
I also get this bug with Apache when it performs some operations (e.g. logging in to Trac system), but not always. The message is:

Code: Select all
PAX: VMMIRROR: fault bug2, 5be1aee0, 5be1a000, bbe1b000, 5be30000, bbe30000
PAX: VMMIRROR: fault bug2, 5be1ac00, 5be1a000, bbe1b000, 5be30000, bbe30000


I'm running Debian Etch/Sid mix on an Athlon64 (in 32-bit mode). Config file is here - http://madoka.spb.ru/~fox/unsorted/conf ... rsec2-1-k8

kernel-patch-grsecurity2 is latest from Sid (2.1.7-2), kernel is vanilla 2.6.14.3

chpax -ms `which apache2` solved the issue, but I'm worried about the most active daemon on machine not having any protection. :(

PostPosted: Sat Dec 31, 2005 5:23 pm
by PaX Team
gothfox wrote:kernel-patch-grsecurity2 is latest from Sid (2.1.7-2), kernel is vanilla 2.6.14.3
i fixed this bug already but i have no idea why debian doesn't have that grsec version. also, http://ftp.debian.org/debian/pool/main/k/kernel-patch-grsecurity2/ doesn't even show 2.1.7-2, where did you get that from? in any case, it should use the grsecurity patch from 11th december, you can try that manually as well.