
2.6.25-hardened kernel breaks antivir update

Posted: Wed Aug 13, 2008 1:08 pm
by brainatwork
Hi
Yesterday i've updated some gentoo machines from 2.6.24 (hardened-r2 to be precise) to 2.6.25 (hardened-r3).
Since then the antivir updater cron job is broken...see:
--8<--
/bin/rm: error while loading shared libraries: /lib/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
--8<--
the kernel config was not altered. can you tell me what's happening here?
sorry i cannot tell you what version of grsecurity patch is included in the gentoo kernels.

Re: 2.6.25-hardened kernel breaks antivir update

Posted: Wed Aug 13, 2008 5:47 pm
by PaX Team
brainatwork wrote:
/bin/rm: error while loading shared libraries: /lib/libc.so.6: cannot apply additional memory protection after relocation: Permission denied

the kernel config was not altered. can you tell me what's happening here?
are you sure the kernel .config hasn't changed? this looks like either text relocations or RWE GNU_STACK being denied, most likely from PaX. can you post the strace /bin/rm and readelf -ed /lib/libc.so.6 outputs please? also how on earth did you get either textrels or RWE GNU_STACK on glibc? something looks really broken in your userland...

Re: 2.6.25-hardened kernel breaks antivir update

Posted: Thu Aug 14, 2008 5:03 am
by brainatwork
hi

kernel config has not changed in sections GRSECURITY and PAX; text relocations are disabled on both. i'm unsure about what you mean by RWE GNU_STACK.

sorry, i forgot to mention that "/bin/rm" is called by the antivir binary. so the output looks like this:
--8<--
root@torquemada:/home/gweiss # LC_ALL=C /usr/local/antivir/antivir --update
AntiVir / Linux Version 2.1.12-59
Copyright (c) 2008 by Avira GmbH.
All rights reserved.

checking for updates

on disk | upd server
--------------+--------------
02.01.12.59 = 02.01.12.59 [antivir]
06.40.00.00 = 06.40.00.00 [antivir0.vdf]
07.00.05.01 = 07.00.05.01 [antivir1.vdf]
07.00.06.10 = 07.00.06.10 [antivir2.vdf]
07.00.06.12 = 07.00.06.12 [antivir3.vdf]
--------------+--------------

AntiVir is up-to-date

/bin/rm: error while loading shared libraries: /lib/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
root@torquemada:/home/gweiss #
--8<--

/bin/rm works normally called from bash. when antivir calls /bin/rm it breaks. i see no pax related messages in syslog regarding /bin/rm.

--8<--
root@torquemada:/home/gweiss # readelf -ed /lib/libc.so.6
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x16140
Start of program headers: 52 (bytes into file)
Start of section headers: 1246876 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 11
Size of section headers: 40 (bytes)
Number of section headers: 66
Section header string table index: 65

Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .note.ABI-tag NOTE 00000194 000194 000020 00 A 0 0 4
[ 2] .gnu.hash GNU_HASH 000001b4 0001b4 003aac 04 A 3 0 4
[ 3] .dynsym DYNSYM 00003c60 003c60 008be0 10 A 4 1 4
[ 4] .dynstr STRTAB 0000c840 00c840 00565f 00 A 0 0 1
[ 5] .gnu.version VERSYM 00011ea0 011ea0 00117c 02 A 3 0 2
[ 6] .gnu.version_d VERDEF 0001301c 01301c 0002dc 00 A 4 21 4
[ 7] .gnu.version_r VERNEED 000132f8 0132f8 000040 00 A 4 1 4
[ 8] .rel.dyn REL 00013338 013338 0029c8 08 A 3 0 4
[ 9] .rel.plt REL 00015d00 015d00 000040 08 A 3 10 4
[10] .plt PROGBITS 00015d40 015d40 000090 04 AX 0 0 4
[11] .text PROGBITS 00015dd0 015dd0 0e88e8 00 AX 0 0 16
[12] __libc_freeres_fn PROGBITS 000fe6c0 0fe6c0 000eb0 00 AX 0 0 16
[13] __libc_thread_fre PROGBITS 000ff570 0ff570 000182 00 AX 0 0 16
[14] .rodata PROGBITS 000ff700 0ff700 01a280 00 A 0 0 32
[15] .interp PROGBITS 00119980 119980 000013 00 A 0 0 1
[16] .eh_frame_hdr PROGBITS 00119994 119994 002aac 00 A 0 0 4
[17] .eh_frame PROGBITS 0011c440 11c440 00d370 00 A 0 0 4
[18] .gcc_except_table PROGBITS 001297b0 1297b0 00042f 00 A 0 0 1
[19] .hash HASH 00129be0 129be0 0032fc 04 A 3 0 4
[20] .tdata PROGBITS 0012d1b8 12d1b8 000008 00 WAT 0 0 4
[21] .tbss NOBITS 0012d1c0 12d1c0 000038 00 WAT 0 0 4
[22] .fini_array FINI_ARRAY 0012d1c0 12d1c0 000004 00 WA 0 0 4
[23] .ctors PROGBITS 0012d1c4 12d1c4 00000c 00 WA 0 0 4
[24] .dtors PROGBITS 0012d1d0 12d1d0 000008 00 A 0 0 4
[25] __libc_subfreeres PROGBITS 0012d1d8 12d1d8 000068 00 WA 0 0 4
[26] __libc_atexit PROGBITS 0012d240 12d240 000004 00 WA 0 0 4
[27] __libc_thread_sub PROGBITS 0012d244 12d244 00000c 00 WA 0 0 4
[28] .data.rel.ro PROGBITS 0012d260 12d260 001afc 00 WA 0 0 32
[29] .dynamic DYNAMIC 0012ed5c 12ed5c 0000f8 08 WA 4 0 4
[30] .got PROGBITS 0012ee54 12ee54 000190 04 WA 0 0 4
[31] .data PROGBITS 0012f000 12f000 00097c 00 WA 0 0 32
[32] .bss NOBITS 0012f980 12f97c 002f90 00 WA 0 0 32
[33] .gnu.warning.sigs PROGBITS 00000000 12f980 00004d 00 0 0 32
[34] .gnu.warning.sigr PROGBITS 00000000 12f9e0 00003b 00 0 0 32
[35] .gnu.warning.sigg PROGBITS 00000000 12fa20 000039 00 0 0 32
[36] .gnu.warning.tmpn PROGBITS 00000000 12fa60 000037 00 0 0 32
[37] .gnu.warning.tmpn PROGBITS 00000000 12faa0 000039 00 0 0 32
[38] .gnu.warning.temp PROGBITS 00000000 12fae0 000038 00 0 0 32
[39] .gnu.warning.sys_ PROGBITS 00000000 12fb20 000044 00 0 0 32
[40] .gnu.warning.sys_ PROGBITS 00000000 12fb80 000041 00 0 0 32
[41] .gnu.warning.gets PROGBITS 00000000 12fbe0 000039 00 0 0 32
[42] .gnu.warning.__me PROGBITS 00000000 12fc19 00005c 00 0 0 1
[43] .gnu.warning.getp PROGBITS 00000000 12fc80 00003a 00 0 0 32
[44] .gnu.warning.setl PROGBITS 00000000 12fcc0 00003a 00 0 0 32
[45] .gnu.warning.re_m PROGBITS 00000000 12fd00 00003d 00 0 0 32
[46] .gnu.warning.lchm PROGBITS 00000000 12fd40 000038 00 0 0 32
[47] .gnu.warning.getw PROGBITS 00000000 12fd80 00007a 00 0 0 32
[48] .gnu.warning.sstk PROGBITS 00000000 12fe00 000036 00 0 0 32
[49] .gnu.warning.revo PROGBITS 00000000 12fe40 000038 00 0 0 32
[50] .gnu.warning.mkte PROGBITS 00000000 12fe80 000037 00 0 0 32
[51] .gnu.warning.gtty PROGBITS 00000000 12fec0 000036 00 0 0 32
[52] .gnu.warning.stty PROGBITS 00000000 12ff00 000036 00 0 0 32
[53] .gnu.warning.chfl PROGBITS 00000000 12ff40 000039 00 0 0 32
[54] .gnu.warning.fchf PROGBITS 00000000 12ff80 00003a 00 0 0 32
[55] .gnu.warning.llse PROGBITS 00000000 12ffc0 00003f 00 0 0 32
[56] .gnu.warning.__ge PROGBITS 00000000 130000 000039 00 0 0 32
[57] .gnu.warning.inet PROGBITS 00000000 130040 00003c 00 0 0 32
[58] .gnu.warning.inet PROGBITS 00000000 130080 00003b 00 0 0 32
[59] .gnu.warning.inet PROGBITS 00000000 1300c0 00003d 00 0 0 32
[60] .gnu.warning.inet PROGBITS 00000000 130100 00003c 00 0 0 32
[61] .gnu.warning.inet PROGBITS 00000000 130140 00003b 00 0 0 32
[62] .gnu.warning.inet PROGBITS 00000000 130180 00003b 00 0 0 32
[63] .gnu.warning.fatt PROGBITS 00000000 1301c0 000039 00 0 0 32
[64] .gnu.warning.fdet PROGBITS 00000000 130200 000039 00 0 0 32
[65] .shstrtab STRTAB 00000000 130239 000462 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x00000034 0x00000034 0x00160 0x00160 R E 0x4
INTERP 0x119980 0x00119980 0x00119980 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x00000000 0x00000000 0x12cedc 0x12cedc R E 0x1000
LOAD 0x12d1b8 0x0012d1b8 0x0012d1b8 0x027c4 0x05758 RW 0x1000
DYNAMIC 0x12ed5c 0x0012ed5c 0x0012ed5c 0x000f8 0x000f8 RW 0x4
NOTE 0x000194 0x00000194 0x00000194 0x00020 0x00020 R 0x4
TLS 0x12d1b8 0x0012d1b8 0x0012d1b8 0x00008 0x00040 R 0x4
GNU_EH_FRAME 0x119994 0x00119994 0x00119994 0x02aac 0x02aac R 0x4
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
GNU_RELRO 0x12d1b8 0x0012d1b8 0x0012d1b8 0x01e48 0x01e48 R 0x1
PAX_FLAGS 0x000000 0x00000000 0x00000000 0x00000 0x00000 0x4

Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_d .gnu.version_r .rel.dyn .rel.plt .plt .text __libc_freeres_fn __libc_thread_freeres_fn .rodata .interp .eh_frame_hdr .eh_frame .gcc_except_table .hash
03 .tdata .fini_array .ctors .dtors __libc_subfreeres __libc_atexit __libc_thread_subfreeres .data.rel.ro .dynamic .got .data .bss
04 .dynamic
05 .note.ABI-tag
06 .tdata .tbss
07 .eh_frame_hdr
08
09 .tdata .fini_array .ctors .dtors __libc_subfreeres __libc_atexit __libc_thread_subfreeres .data.rel.ro .dynamic .got
10

Dynamic section at offset 0x12ed5c contains 27 entries:
Tag Type Name/Value
0x00000001 (NEEDED) Shared library: [ld-linux.so.2]
0x0000000e (SONAME) Library soname: [libc.so.6]
0x0000000c (INIT) 0x15e50
0x0000001a (FINI_ARRAY) 0x12d1c0
0x0000001c (FINI_ARRAYSZ) 4 (bytes)
0x00000004 (HASH) 0x129be0
0x6ffffef5 (GNU_HASH) 0x1b4
0x00000005 (STRTAB) 0xc840
0x00000006 (SYMTAB) 0x3c60
0x0000000a (STRSZ) 22111 (bytes)
0x0000000b (SYMENT) 16 (bytes)
0x00000003 (PLTGOT) 0x12ee54
0x00000002 (PLTRELSZ) 64 (bytes)
0x00000014 (PLTREL) REL
0x00000017 (JMPREL) 0x15d00
0x00000011 (REL) 0x13338
0x00000012 (RELSZ) 10696 (bytes)
0x00000013 (RELENT) 8 (bytes)
0x6ffffffc (VERDEF) 0x1301c
0x6ffffffd (VERDEFNUM) 21
0x0000001e (FLAGS) BIND_NOW STATIC_TLS
0x6ffffffb (FLAGS_1) Flags: NOW
0x6ffffffe (VERNEED) 0x132f8
0x6fffffff (VERNEEDNUM) 1
0x6ffffff0 (VERSYM) 0x11ea0
0x6ffffffa (RELCOUNT) 1242
0x00000000 (NULL) 0x0
--8<--

--8<--
root@torquemada:/usr/src/linux # LC_ALL=C strace /bin/rm
execve("/bin/rm", ["/bin/rm"], [/* 45 vars */]) = 0
brk(0) = 0x176bbbd8
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=22609, ...}) = 0
mmap2(NULL, 22609, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4e342000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@a\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1249516, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4e341000
mmap2(NULL, 1255696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e20e000
mmap2(0x4e33b000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12d) = 0x4e33b000
mmap2(0x4e33e000, 10512, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4e33e000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4e20d000
set_thread_area({entry_number:-1 -> 6, base_addr:0x4e20d6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "\225i\36\300", 4) = 4
close(3) = 0
mprotect(0x4e33b000, 8192, PROT_READ) = 0
mprotect(0x176b2000, 4096, PROT_READ) = 0
mprotect(0x4e363000, 4096, PROT_READ) = 0
munmap(0x4e342000, 22609) = 0
brk(0) = 0x176bbbd8
brk(0x176dcbd8) = 0x176dcbd8
brk(0x176dd000) = 0x176dd000
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
write(2, "/bin/rm: ", 9/bin/rm: ) = 9
write(2, "missing operand", 15missing operand) = 15
write(2, "\n", 1
) = 1
write(2, "Try `/bin/rm --help\' for more in"..., 43Try `/bin/rm --help' for more information.
) = 43
close(0) = 0
close(1) = 0
close(2) = 0
exit_group(1) = ?
--8<--

Re: 2.6.25-hardened kernel breaks antivir update

Posted: Thu Aug 14, 2008 8:45 pm
by PaX Team
brainatwork wrote:
kernel config has not changed in sections GRSECURITY and PAX; text relocations are disabled on both. i'm unsure about what you mean by RWE GNU_STACK.
GNU_STACK is one of the program headers you can find in readelf -l, its access rights indicate what kind of stack the given binary wants (ignored under PaX though). in any case, your troubles are probably due to the READ_IMPLIES_EXEC personality bit which kicks in for binaries that don't have a GNU_STACK header at all. can you post the readelf output of this AV scanner binary please? also, did you change this binary when you upgraded the kernel? thing is, this behaviour should have been present in the previous kernel as well, i don't recall changing anything here (when PaX is not in control of the binary, say missing PT_PAX_FLAGS and you didn't enable chpax flag support, READ_IMPLIES_EXEC behaviour is allowed and is inherited by children). in any case, i'll fix it by removing READ_IMPLIES_EXEC for PaX controlled binaries, but a better approach would be to paxctl -C your AV binaries and put proper PaX flags on them.
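
Added example, not part of the original thread and not PaX or grsecurity code: a small ELF program-header audit that reports the two things the reply above turns on, whether a binary carries a GNU_STACK header at all (and with which rights) and whether it carries PT_PAX_FLAGS. The helper names and both sample images are constructed here; the samples contain only header types and flags, modelled on the readelf listings posted in the thread.

```python
import struct

PT_GNU_STACK = 0x6474E551  # "GNU_STACK" in readelf -l
PT_PAX_FLAGS = 0x65041580  # "PAX_FLAGS", the header paxctl -C adds
PF_X = 0x1

def program_headers(data):
    """Return [(p_type, p_flags)] for an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF" or len(data) < 52:
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                    # EI_CLASS
    end = "<" if data[5] == 1 else ">"     # EI_DATA
    off, fmt, ent_at, flags_at = (32, "Q", 54, 4) if is64 else (28, "I", 42, 24)
    if len(data) < ent_at + 4:
        raise ValueError("ELF header truncated")
    (phoff,) = struct.unpack_from(end + fmt, data, off)
    phentsize, phnum = struct.unpack_from(end + "HH", data, ent_at)
    if phnum and (phentsize < flags_at + 4 or phoff + phentsize * phnum > len(data)):
        raise ValueError("program header table truncated")
    out = []
    for base in range(phoff, phoff + phentsize * phnum, phentsize or 1):
        p_type, p_flags = (struct.unpack_from(end + "I", data, base + o)[0]
                           for o in (0, flags_at))
        out.append((p_type, p_flags))
    return out

def audit(data):
    phdrs = dict(program_headers(data))
    stack = phdrs.get(PT_GNU_STACK)
    # No GNU_STACK at all is the READ_IMPLIES_EXEC case described in the thread.
    gnu_stack = "missing" if stack is None else ("RWE" if stack & PF_X else "RW")
    return {"gnu_stack": gnu_stack, "pax_flags": PT_PAX_FLAGS in phdrs}

def fake_elf32(entries):
    """Constructed test input: an ELF32 header plus bare program headers."""
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)
    hdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0, 52, 0, 0,
                      52, 32, len(entries), 40, 0, 0)
    return hdr + b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 4)
                          for t, f in entries)

# Constructed samples: 7 headers without GNU_STACK, and a GNU_STACK RW + PAX_FLAGS set.
ANTIVIR_LIKE = fake_elf32([(6, 5), (3, 4), (1, 5), (1, 6), (2, 6), (4, 4),
                           (0x6474E550, 4)])
LIBC_LIKE = fake_elf32([(6, 5), (1, 5), (1, 6), (PT_GNU_STACK, 6),
                        (PT_PAX_FLAGS, 0)])

if __name__ == "__main__":
    print(audit(ANTIVIR_LIKE), audit(LIBC_LIKE))
```

To audit a real file, pass its bytes: `audit(open(path, "rb").read())`.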

Re: 2.6.25-hardened kernel breaks antivir update

Posted: Fri Aug 15, 2008 7:40 am
by brainatwork
here is the requested readelf output
--8<--
root@torquemada:/usr/local/antivir # readelf -l antivir

Elf file type is EXEC (Executable file)
Entry point 0x804c8d0
There are 7 program headers, starting at offset 52

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x000e0 0x000e0 R E 0x4
INTERP 0x000114 0x08048114 0x08048114 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x4c0bb4 0x4c0bb4 R E 0x1000
LOAD 0x4c1000 0x08509000 0x08509000 0x2b760 0x2f6c0 RW 0x1000
DYNAMIC 0x4ec11c 0x0853411c 0x0853411c 0x000c8 0x000c8 RW 0x4
NOTE 0x000128 0x08048128 0x08048128 0x00020 0x00020 R 0x4
GNU_EH_FRAME 0x4c0b68 0x08508b68 0x08508b68 0x0004c 0x0004c R 0x4

Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr
03 .data .eh_frame .dynamic .ctors .dtors .jcr .got .bss
04 .dynamic
05 .note.ABI-tag
06 .eh_frame_hdr
root@torquemada:/usr/local/antivir #
--8<--

the AV binary has not been changed...see here:
--8<--
root@torquemada:/usr/local/antivir # md5sum antivir
faf4935562fd4a0dfaa4b2048707ab15 antivir
root@torquemada:/usr/local/antivir # uname -a
Linux torquemada 2.6.25-hardened-r3-gw21 #1 SMP Thu Jul 31 09:46:46 CEST 2008 i686 Intel(R) Xeon(TM) CPU 2.40GHz GenuineIntel GNU/Linux
root@torquemada:/usr/local/antivir # LC_ALL=C ./antivir --update
AntiVir / Linux Version 2.1.12-59
Copyright (c) 2008 by Avira GmbH.
All rights reserved.

checking for updates

on disk | upd server
--------------+--------------
02.01.12.59 = 02.01.12.59 [antivir]
06.40.00.00 = 06.40.00.00 [antivir0.vdf]
07.00.05.01 = 07.00.05.01 [antivir1.vdf]
07.00.06.10 = 07.00.06.10 [antivir2.vdf]
07.00.06.20 = 07.00.06.20 [antivir3.vdf]
--------------+--------------

AntiVir is up-to-date

/bin/rm: error while loading shared libraries: /lib/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
root@torquemada:/usr/local/antivir #
--8<--

--8<--
root@amy:/usr/local/antivir # md5sum antivir
faf4935562fd4a0dfaa4b2048707ab15 antivir
root@amy:/usr/local/antivir # uname -a
Linux amy 2.6.24-hardened-r2-gw18 #1 SMP Thu May 15 16:20:32 CEST 2008 i686 Intel(R) Xeon(TM) CPU 2.80GHz GenuineIntel GNU/Linux
root@amy:/usr/local/antivir # LC_ALL=C ./antivir --update
AntiVir / Linux Version 2.1.12-59
Copyright (c) 2008 by Avira GmbH.
All rights reserved.

checking for updates

on disk | upd server
--------------+--------------
02.01.12.59 = 02.01.12.59 [antivir]
06.40.00.00 = 06.40.00.00 [antivir0.vdf]
07.00.05.01 = 07.00.05.01 [antivir1.vdf]
07.00.06.10 = 07.00.06.10 [antivir2.vdf]
07.00.06.20 = 07.00.06.20 [antivir3.vdf]
--------------+--------------

AntiVir is up-to-date

root@amy:/usr/local/antivir #
--8<--

unfortunately adding pax flags on the AV binary breaks its selftest...
--8<--
root@torquemada:/home/gweiss # paxctl -C /usr/local/antivir/antivir
file /usr/local/antivir/antivir got a new PT_PAX_FLAGS program header
root@torquemada:/usr/local/antivir # LC_ALL=C ./antivir --update
AntiVir / Linux Version 2.1.12-59
Copyright (c) 2008 by Avira GmbH.
All rights reserved.


Warning: integrity selftest FAILED.
--8<--

Re: 2.6.25-hardened kernel breaks antivir update

Posted: Sat Sep 06, 2008 6:11 pm
by PaX Team
PaX Team wrote:
in any case, i'll fix it by removing READ_IMPLIES_EXEC for PaX controlled binaries.
ok, should be fixed in test19.