
vmware-vmx and chpax problems

PostPosted: Tue Nov 20, 2007 2:10 pm
by euronymous
Hi there..
I've been using Gentoo Hardened for roughly a year in production environments, with great results...
I love grsecurity..

I'm a JEE programmer, and I have never had problems with JDKs and application servers...

now I need to run VMware Server...
all seems ok, but when I try to power on a Virtual Machine (guest), PaX prevents me from doing that... here are the logs...
Nov 20 19:39:48 brutus grsec: From x.x.x.x: shared memory of size 16777216 created by /opt/vmware/server/lib/bin/vmware-vmx[vmware-vmx:24590] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Nov 20 19:39:48 brutus grsec: From x.x.x.x: shared memory of size 16777216 created by /opt/vmware/server/lib/bin/vmware-vmx[vmware-vmx:24590] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Nov 20 19:39:48 brutus grsec: From x.x.x.x: shared memory of uid:0 euid:0 removed by /opt/vmware/server/lib/bin/vmware-vmx[vmware-vmx:24590] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Nov 20 19:39:48 brutus grsec: From x.x.x.x: shared memory of uid:0 euid:0 removed by /opt/vmware/server/lib/bin/vmware-vmx[vmware-vmx:24590] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Nov 20 19:39:48 brutus PAX: vmware-vmx:24600, uid/euid: 0/0, attempted to modify kernel code at virtual address c06b1085
Nov 20 19:39:48 brutus printing eip:
Nov 20 19:39:48 brutus 00364e56
Nov 20 19:39:48 brutus 00364e56
Nov 20 19:39:48 brutus *pde = 004001e1
Nov 20 19:39:48 brutus Oops: 0003 [#8]
Nov 20 19:39:48 brutus SMP
Nov 20 19:39:48 brutus Modules linked in: vmnet(P) vmmon(P)
Nov 20 19:39:48 brutus Modules linked in: vmnet(P) vmmon(P)
Nov 20 19:39:48 brutus CPU:    0
Nov 20 19:39:48 brutus EIP:    0060:[<00364e56>]    Tainted: P       VLI
Nov 20 19:39:48 brutus EFLAGS: 00013082   (2.6.22-hardened-r8 #1)
Nov 20 19:39:48 brutus eax: 00000089   ebx: f88fe000   ecx: c7d44000   edx: c06b1080
Nov 20 19:39:48 brutus esi: 00000080   edi: 00000650   ebp: 000000d8   esp: c7b85b08
Nov 20 19:39:48 brutus ds: 0068   es: 0068   fs: 00d8  gs: 0033  ss: 0068
Nov 20 19:39:48 brutus Process vmware-vmx (pid: 24600, ti=c7b84000 task=f4881550 task.ti=c7b84000)
Nov 20 19:39:48 brutus Stack: 00000000 00000000 00000000 00000000 00000000 00000000 c7d44000 00003246
Nov 20 19:39:48 brutus 8005003b b3ca3de0 00000000 00000000 00000033 00ff0000 c06b1000 100000ff
Nov 20 19:39:48 brutus 00ffc06b c06b1000 f88fe000 0000006b c7d44000 00000000 003706ac 00000000
Nov 20 19:39:48 brutus Call Trace:
Nov 20 19:39:48 brutus [<00003246>] <0> [<003706ac>] <0> [<00364218>] <0> [<00357db2>] <0> [<00358d92>] <0> [<000011fb>] <0> [<00003082>] <0> [<00019752>] <0> [<00359f24>] <0> [<000011fb>] <0> [<00003082>] <0> [<000175e7>] <0> [<00017aeb>] <0> [<00003282>] <0> [<00003282>] <0> [<00032585>] <0> [<00033707>] <0> [<0003378d>] <0> [<0014458f>] <0> [<00359a8d>] <0> [<00359a8d>] <0> [<0006029f>] <0> [<000604ee>] <0> [<00021157>] <0> [<00060533>] <0> [<000043b2>] <0> [<00003282>] <0> [<00003246>] <0> =======================
Nov 20 19:39:48 brutus Code: 3a 66 89 83 00 04 00 00 8b 44 24 38 89 83 02 04 00 00 74 1a 89 f2 01 c2 0f b6 42 05 83 e0 0f 83 f8 0b 75 0a 8a 42 05 24 f0 0c 09 <88> 42 05 80 bb 6b 05 00 00 00 74 1a 89 5c 24 04 8d 93 d0 01 00
Nov 20 19:39:48 brutus EIP: [<00364e56>]  SS:ESP 0068:c7b85b08



so I used chpax, as suggested...

brutus chpax-0.7 # chpax -v /opt/vmware/server/lib/bin/vmware-vmx

----[ chpax 0.7 : Current flags for /opt/vmware/server/lib/bin/vmware-vmx (pemrxs) ]----

 * Paging based PAGE_EXEC       : disabled
 * Trampolines                  : not emulated
 * mprotect()                   : not restricted
 * mmap() base                  : not randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : disabled


not only on vmware-vmx (which seems to be the only one giving me problems), but also on the other bins, sbins and network bins

BUT IT IS STILL NOT WORKING... WITH THE PREVIOUS ERROR...

can anyone help me ASAP?

thanks

Michele

Re: vmware-vmx and chpax problems

PostPosted: Tue Nov 20, 2007 5:16 pm
by PaX Team
euronymous wrote: so I used chpax, as suggested...
this problem occurred in the kernel, not userland, therefore chpax/paxctl won't help (on a side note, chpax is obsolete; check your kernel .config to see if you can/should use paxctl instead).

some time ago there was a thread or two here and/or on the mailing list about this same problem; basically it's a non-trivial undertaking to get vmware (and other similarly architected hypervisors) to work under the KERNEXEC feature. so if you need vmware more than that feature, just disable it, recompile the vmware modules and you should be fine again.

PostPosted: Wed Nov 21, 2007 7:16 am
by euronymous
thanks for the fast reply...

in fact, at the moment I'm using grsecurity without PaX..
and vmware is working well, of course

the PaX configuration that I usually use in Gentoo Hardened is the following:

CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y



you told me in the previous post that I can try to recompile the kernel disabling CONFIG_PAX_KERNEXEC, right?

I mean... disabling this feature and leaving the other PaX features untouched, do you think I will be able to use vmware without problems?

another thing... do you think that my previous config is ok?
running paxtest in blackhat mode, everything is killed except the return-to-libc test (of course... but we have gcc with ssp-pie)

let me know

all the best

PostPosted: Wed Nov 21, 2007 7:40 pm
by PaX Team
euronymous wrote: you told me in the previous post that I can try to recompile the kernel disabling CONFIG_PAX_KERNEXEC, right?
yes
euronymous wrote: I mean... disabling this feature and leaving the other PaX features untouched, do you think I will be able to use vmware without problems?
yes, it will work, but you'll have to exempt the vmware (userland) process itself from MPROTECT because, IIRC, it wants to use some libraries with text relocations or maybe even do runtime code generation, I forget (well, you have NOELFRELOCS off, but that won't work for a 32 bit process on a 64 bit kernel).
euronymous wrote: another thing... do you think that my previous config is ok?
it's ok, although you could enable NOELFRELOCS; we've already fixed most of the textrelocs in various libraries in Gentoo (and will try to fix more as we become aware of them).
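Two things in this thread are easy to get wrong in practice: chpax and paxctl write their flags to different places in the ELF file (the legacy EI_PAX bytes in e_ident versus a PT_PAX_FLAGS program header, matching CONFIG_PAX_EI_PAX and CONFIG_PAX_PT_PAX_FLAGS in the config above), and a per-binary MPROTECT exemption only applies to the process that carries the marking, never to a kernel-side fault like the KERNEXEC oops. The following reader, added here as an illustration and not code from the thread, the PaX project or paxctl, decodes both markings from an ELF image so you can verify what a binary is actually marked with. The flag constants follow PaX's ELF definitions; cross-check them against your kernel's include/linux/elf.h. The sample ELF32 image is constructed in memory for the demonstration: its EI_PAX bytes reproduce the all-disabled "pemrxs" state from the chpax output above, and its PT_PAX_FLAGS header carries only the MPROTECT exemption recommended in the reply (what `paxctl -m` would set).

```python
"""Decode PaX per-binary markings from an ELF image: the legacy EI_PAX bytes
(written by chpax) and the PT_PAX_FLAGS program header (written by paxctl).
Hypothetical helper written for this thread, not part of PaX or paxctl.
Constants follow PaX's ELF definitions; verify against your kernel's elf.h."""
import struct

PT_PAX_FLAGS = 0x65041580   # p_type of the paxctl marking
EI_PAX = 14                 # offset of the chpax marking inside e_ident

# PT_PAX_FLAGS p_flags bits: (enable bit, disable bit) per feature.
PT_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}

# EI_PAX bits: (bit, feature is enabled when the bit is SET). Most bits mean
# "disable", which is why an all-zero marking is the PaX default.
EI_BITS = {
    "PAGEEXEC": (1, False),
    "EMUTRAMP": (2, True),
    "MPROTECT": (4, False),
    "RANDMMAP": (8, False),
    "RANDEXEC": (16, True),
    "SEGMEXEC": (32, False),
}


def parse_ei_pax(data):
    """Return feature -> enabled (bool) from the 16-bit EI_PAX marking."""
    flags = struct.unpack_from("<H", data, EI_PAX)[0]
    return {name: ((flags & bit) != 0) == enabled_when_set
            for name, (bit, enabled_when_set) in EI_BITS.items()}


def find_pt_pax_flags(data):
    """Return p_flags of the PT_PAX_FLAGS header, or None if the binary has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian
    if is64:
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        if p_type == PT_PAX_FLAGS:
            # p_flags sits at +4 in Elf64_Phdr but at +24 in Elf32_Phdr
            return struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
    return None


def parse_pt_pax_flags(p_flags):
    """Map p_flags to feature -> 'on' / 'off' / 'default' (kernel-wide setting)."""
    out = {}
    for name, (on, off) in PT_BITS.items():
        if p_flags & on and p_flags & off:
            raise ValueError(f"{name}: enable and disable bits both set")
        out[name] = "on" if p_flags & on else "off" if p_flags & off else "default"
    return out


def pax_status(data):
    """Summarize both markings, roughly what chpax -v and paxctl -v report."""
    pt = find_pt_pax_flags(data)
    return {"EI_PAX": parse_ei_pax(data),
            "PT_PAX_FLAGS": None if pt is None else parse_pt_pax_flags(pt)}


def build_sample_elf32(ei_pax, pt_flags):
    """Construct a minimal, non-runnable ELF32 image with one PT_PAX_FLAGS
    header. Sample data for this demonstration only."""
    ident = bytearray(b"\x7fELF\x01\x01\x01" + b"\x00" * 9)
    struct.pack_into("<H", ident, EI_PAX, ei_pax)
    phoff, phentsize, phnum = 52, 32, 1
    ehdr = bytes(ident) + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, phoff, 0, 0,
                                      52, phentsize, phnum, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_PAX_FLAGS, 0, 0, 0, 0, 0, pt_flags, 0)
    return ehdr + phdr


if __name__ == "__main__":
    # 0x2D = chpax "pemrxs" (everything disabled); PT header = MPROTECT off only
    sample = build_sample_elf32(0x2D, PT_BITS["MPROTECT"][1])
    for marking, state in pax_status(sample).items():
        print(marking, state)
```

Run it against a real binary by replacing the constructed sample with `open(path, "rb").read()`. Which marking the running kernel honours depends on CONFIG_PAX_EI_PAX / CONFIG_PAX_PT_PAX_FLAGS, so a binary marked with only the obsolete chpax method can still run with the kernel defaults on a kernel that reads PT_PAX_FLAGS alone; the reader shows both so the mismatch is visible.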