
RLIMIT_MEMLOCK and apache 1.3.33

Posted: Sat May 13, 2006 11:32 am
by Speed47
Hello,

I'm using the latest stable grsec version on a vanilla kernel 2.6.14.6 under Debian stable.
grsec is configured in high security mode, with pax enabled too.

My logs are filled with entries such as:
<date> <IP>: requesting 4294893568 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/apache-ssl[apache-ssl:30529] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache-ssl[apache-ssl:12134] uid/euid:0/0 gid/egid:0/0

The amount of memory to be locked varies a bit, but it's still near 2^32 bytes.

Apache is v1.3.33-6 (latest debian stable packaged version), with PHP v4.3.10-16 (ditto)

This sounds crazy to me that apache tries to lock 4 Gb of memory.
I've tried to grep thru the apache logs to find out what did cause these entries, I've found nothing relevant... It's just normal browsing.

I've searched in this forum, on others, on the wiki, I've found nothing that could explain this. I saw that ntpd was having similar problems a while ago, but nothing about apache, and it was only about 7 Mb, not 4 Gb!

Any idea?

Re: RLIMIT_MEMLOCK and apache 1.3.33

Posted: Fri May 19, 2006 7:51 am
by PaX Team
Speed47 wrote:
> Apache is v1.3.33-6 (latest debian stable packaged version), with PHP v4.3.10-16 (ditto)
>
> This sounds crazy to me that apache tries to lock 4 Gb of memory.
> I've tried to grep thru the apache logs to find out what did cause these entries, I've found nothing relevant... It's just normal browsing.

you could try to attach to apache in gdb (configure it so that there's only one apache process to make your life easier) and set a breakpoint on mlock then when it hits, look at the backtrace and see where that mlock size came from.

Re: RLIMIT_MEMLOCK and apache 1.3.33

Posted: Mon Jan 15, 2007 8:20 am
by flixfe
Hello,

I'm seeing what seems to be the exact same problem under apache 2.0.
It happens when using Horde IMP and searching for messages or using Horde gollem with the smb backend.

Environment:
CPU: AMD Athlon 64 Bit
Kernel: Linux 2.6.19.2 (same with 2.6.17 and 2.6.18.1-6)
Apache: Apache/2.0.58
RAM: 1GB + 2GB Swap
PHP: 4.4.4

I tried with no effect:
PHP Memlimit: Settings between 32M and 640M
/etc/security/limits.conf: added this one with no effect:
Code:
*               hard    memlock         0


Log Messages:
Code:
Jan 15 13:44:29 loc@myhost grsec: From 1.2.3.4: denied resource overstep by requesting 18446744073707724800 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/apache2[apache2:22982] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:3707] uid/euid:0/0 gid/egid:0/0
Jan 15 13:44:29 loc@myhost grsec: From 1.2.3.4: denied resource overstep by requesting 18446744073707724800 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/apache2[apache2:22982] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:3707] uid/euid:0/0 gid/egid:0/0
Jan 15 13:44:30 loc@myhost grsec: From 1.2.3.4: denied resource overstep by requesting 18446744073707716608 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/apache2[apache2:22982] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:3707] uid/euid:0/0 gid/egid:0/0
Jan 15 13:44:30 loc@myhost grsec: From 1.2.3.4: denied resource overstep by requesting 18446744073707716608 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/apache2[apache2:22982] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:3707] uid/euid:0/0 gid/egid:0/0
Jan 15 13:46:10 loc@myhost grsec: From 1.2.3.4: denied resource overstep by requesting 18446744073708281856 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/apache2[apache2:1233] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:3707] uid/euid:0/0 gid/egid:0/0
Jan 15 13:46:10 loc@myhost grsec: From 1.2.3.4: denied resource overstep by requesting 18446744073708281856 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/apache2[apache2:1233] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:3707] uid/euid:0/0 gid/egid:0/0
Jan 15 13:46:10 loc@myhost grsec: From 1.2.3.4: denied resource overstep by requesting 18446744073708273664 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/apache2[apache2:1233] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:3707] uid/euid:0/0 gid/egid:0/0
Jan 15 13:46:10 loc@myhost grsec: From 1.2.3.4: denied resource overstep by requesting 18446744073708273664 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/apache2[apache2:1233] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:3707] uid/euid:0/0 gid/egid:0/0
Jan 15 13:46:10 loc@myhost grsec: From 1.2.3.4: denied resource overstep by requesting 18446744073708265472 for RLIMIT_MEMLOCK against limit 32768 for /usr/sbin/apache2[apache2:1233] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:3707] uid/euid:0/0 gid/egid:0/0
Jan 15 13:46:10 loc@myhost grsec: more alerts, logging disabled for 10 seconds


Can post more information when needed.
Any idea how to fix this?

Re: RLIMIT_MEMLOCK and apache 1.3.33

Posted: Mon Jan 22, 2007 4:31 pm
by PaX Team
flixfe wrote:
> Can post more information when needed.
> Any idea how to fix this?

you should find out where the mlock size request comes from, to me it looks like that there's some miscalculation (int overflow?) in there, then we can figure out what grsec feature causes it.

Posted: Fri Feb 23, 2007 10:53 am
by flixfe
It's been a while since I had time to look at this. Strangely, I can't reproduce the issue anymore.
From the logs I could correlate HTTP requests to Horde 3.1.3's /services/portal/sidebar.php?httpclient=1 with the RLIMIT_MEMLOCK error.
Unfortunately, I can't reproduce it anymore and a quick look at the Horde source didn't reveal anything.

I also found the following GRSEC messages while experimenting with DIMP (a Horde application using AJAX):
Code:
grsec: From 1.2.3.4: denied resource overstep by requesting 8392704 for RLIMIT_STACK against limit 8388608 for /usr/sbin/apache2[apache2:18031] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:17652] uid/euid:0/0 gid/egid:0/0

Which goes along with PHP warning:
Code:
PHP Warning:  Invalid argument supplied for foreach() in /imp/lib/IMAP/Tree.php on line 1808


So this doesn't seem to be a GRSEC problem but a Horde problem instead. Note that this was with a CVS snapshot of DIMP.

Please consider this issue closed.

Posted: Sat Mar 10, 2007 6:03 am
by PaX Team
flixfe wrote:
> I also found the following GRSEC messages while experimenting with DIMP (a Horde application using AJAX):
> Code:
> grsec: From 1.2.3.4: denied resource overstep by requesting 8392704 for RLIMIT_STACK against limit 8388608 for /usr/sbin/apache2[apache2:18031] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:17652] uid/euid:0/0 gid/egid:0/0
>
> Which goes along with PHP warning:
> Code:
> PHP Warning:  Invalid argument supplied for foreach() in /imp/lib/IMAP/Tree.php on line 1808
>
> So this doesn't seem to be a GRSEC problem but a Horde problem instead. Note that this was with a CVS snapshot of DIMP.

this looks like a normal stack overflow (as in, not buffer overflow, just too much stack usage), probably due to some recursing in that Tree code. you can work around it by increasing the stack rlimit for apache (probably it's the system's default 8MB now).
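
A triage helper for the log entries discussed in this thread, added here as an example and not code from any poster or from grsecurity. It reads the RLIMIT_MEMLOCK requests as sizes that wrapped just below 2^32 or 2^64 (in line with the miscalculation PaX Team suspected) and the RLIMIT_STACK request as a plain one-page overstep; the name `triage`, the 4096-byte page size and the 256 MiB `near` threshold are assumptions.

```python
import re

# Field layout of the grsecurity "resource overstep" lines quoted in this thread.
LINE_RE = re.compile(
    r"requesting (?P<req>\d+) for (?P<res>RLIMIT_\w+) "
    r"against limit (?P<limit>\d+) for (?P<exe>[^\[\s]+)\["
)

# Log lines copied from the posts above, with the wrapped fragments rejoined
# and the trailing uid/gid fields dropped.
SAMPLE = [
    "requesting 4294893568 for RLIMIT_MEMLOCK against limit 32768 "
    "for /usr/sbin/apache-ssl[apache-ssl:30529]",
    "grsec: From 1.2.3.4: denied resource overstep by requesting "
    "18446744073707724800 for RLIMIT_MEMLOCK against limit 32768 "
    "for /usr/sbin/apache2[apache2:22982]",
    "grsec: From 1.2.3.4: denied resource overstep by requesting 8392704 "
    "for RLIMIT_STACK against limit 8388608 for /usr/sbin/apache2[apache2:18031]",
]

def triage(line, page=4096, near=1 << 28):
    """Classify one overstep line; None if the line is something else.

    `near` is an assumed heuristic: a request within 256 MiB below 2^32 or
    2^64 is treated as a negative length converted to an unsigned size.
    `page` assumes 4 KiB pages.
    """
    m = LINE_RE.search(line)
    if m is None:
        return None
    req, limit = int(m["req"]), int(m["limit"])
    out = {"resource": m["res"], "exe": m["exe"], "request": req, "limit": limit}
    for bits in (32, 64):
        gap = (1 << bits) - req          # distance below the wrap point
        if 0 < gap <= near:
            out.update(kind="wrapped", bits=bits, signed=-gap, pages=gap // page)
            return out
    excess = req - limit                 # genuine request above the limit
    out.update(kind="overstep", excess=excess, pages=-(-excess // page))
    return out

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```
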