RBAC problem with 2.6.29.4-200906100842 patch
Posted: Thu Jun 11, 2009 5:08 pm
I've got a segmentation fault with gradm -E on a 2.6.29.4 kernel with grsecurity-2.1.14-2.6.29.4-200906100842.patch applied, regardless of the /etc/grsec/policy contents or kernel config (tested on two different systems). Any later attempt to launch gradm (like gradm -S|-E|-D) deadlocks during write() to /dev/grsec:
# strace gradm -S
execve("/sbin/gradm", ["gradm", "-S"], [/* 44 vars */]) = 0
brk(0) = 0x17d5ea70
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=116021, ...}) = 0
mmap2(NULL, 116021, PROT_READ, MAP_PRIVATE, 3, 0) = 0xac491000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220g\1\0004\0\0\0|"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1306828, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xac490000
mmap2(NULL, 1312752, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xac34f000
mmap2(0xac48a000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13b) = 0xac48a000
mmap2(0xac48d000, 10224, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xac48d000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xac34e000
set_thread_area({entry_number:-1 -> 6, base_addr:0xac34e6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "J\214\3753"..., 4) = 4
close(3) = 0
mprotect(0xac48a000, 8192, PROT_READ) = 0
mprotect(0x17d55000, 4096, PROT_READ) = 0
mprotect(0xac4ca000, 4096, PROT_READ) = 0
munmap(0xac491000, 116021) = 0
geteuid32() = 0
getuid32() = 0
uname({sys="Linux", node="hostname", ...}) = 0
setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0}) = 0
brk(0) = 0x17d5ea70
brk(0x17d7fa70) = 0x17d7fa70
brk(0x17d80000) = 0x17d80000
getcwd("/root"..., 4095) = 6
mlock(0xbef2e4b4, 256) = 0
ioctl(0, TIOCEXCL, 0) = 0
open("/dev/grsec", O_WRONLY) = 3
write(3, "\344\302\362\276\24!\0\0\34\1\0\0"..., 12
gradm version is 2.1.14-200905131803
Next I get this right before rebooting the system:
Jun 11 23:25:41 hostname divide error: 0000 [#1] SMP
Jun 11 23:25:41 hostname last sysfs file: /sys/devices/virtual/block/md2/dev
Jun 11 23:25:41 hostname
Jun 11 23:25:41 hostname Pid: 6111, comm: gradm Not tainted (2.6.29.4-grsec-grjail #1) GA-MA78G-DS3H
Jun 11 23:25:41 hostname EIP: 0060:[<001c9c36>] EFLAGS: 00010246 CPU: 1
Jun 11 23:25:41 hostname EAX: ffffffff EBX: f6823bac ECX: 00000000 EDX: 00000000
Jun 11 23:25:41 hostname ESI: 00000004 EDI: 00000007 EBP: f6823c18 ESP: f6823ba8
Jun 11 23:25:41 hostname DS: 0068 ES: 0068 FS: 00d8 GS: 0033 SS: 0068
Jun 11 23:25:41 hostname Process gradm (pid: 6111, ti=f6822000 task=f68943f0 task.ti=f6822000)
Jun 11 23:25:41 hostname Stack:
Jun 11 23:25:41 hostname f60b5f80 00000007 0000000d 0000001f 0000003d 0000007f 000000fb 000001fd
Jun 11 23:25:41 hostname 000003fd 000007f7 00000ffd 00001fff 00003ffd 00007fed 0000fff1 0001ffff
Jun 11 23:25:41 hostname 0003fffb 0007ffff 000ffffd 001ffff7 003ffffd 007ffff1 00fffffd 01ffffd9
Jun 11 23:25:41 hostname Call Trace:
Jun 11 23:25:41 hostname [<00003ffd>] ? 0x003ffd
Jun 11 23:25:41 hostname [<00007fed>] ? 0x007fed
Jun 11 23:25:41 hostname [<0000fff1>] ? 0x00fff1
Jun 11 23:25:41 hostname [<0001ffff>] ? 0x01ffff
Jun 11 23:25:41 hostname [<0003fffb>] ? 0x03fffb
Jun 11 23:25:41 hostname [<0007ffff>] ? 0x07ffff
Jun 11 23:25:41 hostname [<000ffffd>] ? 0x0ffffd
Jun 11 23:25:41 hostname [<001ffff7>] ? 0x1ffff7
Jun 11 23:25:41 hostname [<003ffffd>] ? 0x3ffffd
Jun 11 23:25:41 hostname [<001c9ee1>] ? 0x1c9ee1
Jun 11 23:25:41 hostname [<001c9c6e>] ? 0x1c9c6e
Jun 11 23:25:41 hostname [<00002af6>] ? 0x002af6
Jun 11 23:25:41 hostname [<001cae1c>] ? 0x1cae1c
Jun 11 23:25:41 hostname [<000cd210>] ? 0x0cd210
Jun 11 23:25:41 hostname [<00013ce4>] ? 0x013ce4
Jun 11 23:25:41 hostname [<00200000>] ? 0x200000
Jun 11 23:25:41 hostname [<001cb2b9>] ? 0x1cb2b9
Jun 11 23:25:41 hostname [<001d92a8>] ? 0x1d92a8
Jun 11 23:25:41 hostname [<001ccf1b>] ? 0x1ccf1b
Jun 11 23:25:41 hostname [<000c34f7>] ? 0x0c34f7
Jun 11 23:25:41 hostname [<0017aa9f>] ? 0x17aa9f
Jun 11 23:25:41 hostname [<000ad3b0>] ? 0x0ad3b0
Jun 11 23:25:41 hostname [<00002114>] ? 0x002114
Jun 11 23:25:41 hostname [<000ada24>] ? 0x0ada24
Jun 11 23:25:41 hostname [<000ab506>] ? 0x0ab506
Jun 11 23:25:41 hostname [<001ccb40>] ? 0x1ccb40
Jun 11 23:25:41 hostname [<000ae08d>] ? 0x0ae08d
Jun 11 23:25:41 hostname [<0001f712>] ? 0x01f712
Jun 11 23:25:41 hostname [<0001f72a>] ? 0x01f72a
Jun 11 23:25:41 hostname Code: 89 d8 e8 8e eb 00 00 8b 45 90 8b 10 31 c0 eb 0b 90 8d 74 26 00 40 83 f8 17 74 74 8b 3c 83 39 d7 76 f3 89 d1 b8 ff ff ff ff 31 d2 <f7> f1 39 f8 72 66 89 f0 0f af c7 3d 00 10 00 00 77 33 89 f3 89
Jun 11 23:25:41 hostname EIP: [<001c9c36>] SS:ESP 0068:f6823ba8
Jun 11 23:25:41 hostname ---[ end trace f76c9b05578ec898 ]---
However, gradm -S|-D works as expected before the first attempt to gradm -E, but not after that (it deadlocks instead).
PS
grsecurity-2.1.14-2.6.29.4-200905302114.patch works fine in this respect.