
UDP bug with 2.6.17.4-grsec

Posted: Fri Jul 14, 2006 9:42 pm
by linkfanel
Hello,

I get an annoying bug with the 2.6.17.4 kernel and the last grsecurity-2.1.9-2.6.17.4-200607120947.patch: processes receiving UDP packets will seemingly crash on a '14: Bad address' error. As for DNS resolution for instance:

4:05 linkfanel@prue ~% host www.google.com
errno2result.c:109: unable to convert errno to isc_result: 14: Bad address
;; communications error: unexpected error
errno2result.c:109: unable to convert errno to isc_result: 14: Bad address
;; communications error: unexpected error
;; connection timed out; no servers could be reached
zsh: exit 1     host www.google.com


A simple piece of code listening to a UDP socket will give the same error on receiving a packet.

This problem happens only when I enable the 'Prevent invalid userland pointer dereference' option: everything works fine if I disable it.

Tests run on my IBM Thinkpad T42, .config available at http://andrea.via.ecp.fr/config-2.6.17.4-grsec_prue
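
The symptom reported above (a UDP receive failing with errno 14, EFAULT, on a valid userland buffer) can be checked with a small C program; this is an added example, not code from the thread or from the grsecurity/PaX project. It assumes loopback delivery to an ephemeral port so that it is self-contained; the reports in this thread involved packets arriving at a listening socket, so a datagram sent from another host may be needed to reach the same kernel path.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Returns 0 if a loopback datagram is received intact, +errno if recvmsg()
 * itself fails (EFAULT is the symptom in this thread), -errno if setup fails. */
int udp_recv_check(void)
{
    static const char payload[] = "constructed test datagram";
    char buf[64];                       /* valid userland stack buffer */
    struct sockaddr_in addr, from;
    socklen_t alen = sizeof(addr);
    struct timeval tv = { 2, 0 };       /* receive timeout: never hang the check */
    struct iovec iov = { buf, sizeof(buf) };
    struct msghdr msg;
    ssize_t n;
    int rc, s = socket(AF_INET, SOCK_DGRAM, 0);

    if (s < 0) return -errno;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                  /* assumption: kernel picks a free port */
    if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        getsockname(s, (struct sockaddr *)&addr, &alen) < 0 ||
        setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0 ||
        sendto(s, payload, sizeof(payload), 0, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        rc = -errno; close(s); return rc;
    }
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &from; msg.msg_namelen = sizeof(from);
    msg.msg_iov = &iov;   msg.msg_iovlen = 1;
    n = recvmsg(s, &msg, 0);            /* kernel copies the datagram into buf */
    rc = (n < 0) ? errno
       : (n == (ssize_t)sizeof(payload) && !memcmp(buf, payload, sizeof(payload))) ? 0 : EIO;
    close(s);
    return rc;
}

int main(void)
{
    int rc = udp_recv_check();
    if (rc == EFAULT) puts("recvmsg: EFAULT on a valid buffer (symptom reported in this thread)");
    else if (rc == 0) puts("recvmsg: ok");
    else printf("other failure: %d\n", rc);
    return rc != 0;
}
```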

Posted: Sat Jul 15, 2006 9:06 am
by lobo
I experienced the same problem with a 2.6.17.5 kernel and the latest grsecurity patch from ~spender.

Here is the strace output from "dig http://www.grsecurity.net"

http://silentwire.net/~lobo/files/grsec-dnsresolv.txt

Posted: Sat Jul 15, 2006 9:51 am
by PaX Team
can you guys post an strace -f output while nscd is turned off? i'm pretty sure it's the IP checksumming code again, but i need some leads as to what addresses are involved. you can also turn off randomization so that the addresses are easier to correlate.

edit: can you also try the PaX patch alone?

Posted: Sat Jul 15, 2006 3:12 pm
by lobo
I wasn't able to compile the kernel with the pax patch (pax-linux-2.6.17-test11.patch). I got the same error message with 2.6.17 and 2.6.17.5.
fs/built-in.o: In function `load_elf_binary':binfmt_elf.c:(.text+0x264e0): undefined reference to `pax_set_initial_flags'
make[1]: *** [.tmp_vmlinux1] Error 1
make[1]: Leaving directory `/home/lobo/tmp/linux-2.6.17'
make: *** [stamp-build] Error 2


But here is the strace -f output, until I get a working pax-only kernel. Nscd isn't installed on this server and randomization features were disabled.

http://silentwire.net/~lobo/files/grsec-dnsresolv2.txt

Posted: Sun Jul 16, 2006 4:18 am
by PaX Team
lobo wrote: I wasn't able to compile the kernel with the pax patch (pax-linux-2.6.17-test11.patch). I got the same error message with 2.6.17 and 2.6.17.5.

your ACL hook method is not set to 'none'.

lobo wrote: But here is the strace -f output, until I get a working pax-only kernel. Nscd isn't installed on this server and randomization features were disabled.

thanks, i see that the failing recvmsg did provide a valid address on a thread stack, i still don't see why accessing it from the kernel would fail though. also, can you tell me which package provides /usr/lib/libisc.so.11? bind-tools doesn't seem to.

Posted: Sun Jul 16, 2006 7:07 am
by lobo
Thx it was the ACL hook.

libisc.so.11 is from the libisc11 Debian package and belongs to bind9.
If you want me to do some other tests, don't hesitate to ask, I have installed a test server here.

Posted: Sun Jul 16, 2006 7:48 am
by linkfanel
Here is the output of a simple strace -f perl -e 'use IO::Socket; $s=IO::Socket::INET->new(LocalPort=>1242,Proto=>"udp"); <$s>;': http://andrea.via.ecp.fr/strace-perl

I tried with a nc -u -l -p 1242, and it doesn't give the same result, though it seems to hang after the first packet anyway: http://andrea.via.ecp.fr/strace-netcat

If you mind those are perl and netcat from Debian sid. I hope this can help.

Posted: Sun Jul 23, 2006 4:27 am
by PaX Team
can you guys test -test13 please?

Posted: Sun Jul 23, 2006 9:09 am
by lobo
PaX Team wrote: can you guys test -test13 please?

Yes, it works now, with -test13 and a 2.6.17.6 linux kernel ;-)

Posted: Sun Jul 23, 2006 4:05 pm
by linkfanel
I confirm, linux 2.6.17.6 patched with -test13 works well. Thanks :)