2.6.30.4 many vmalloc errors loading iptables/sound modules


Postby x14sg1 » Sun Aug 23, 2009 8:09 pm

Hello,

I have had this problem since vmalloc was changed (after 2.6.28.10) on a quad core machine, but not on a uni-processor machine. I am running the standard 2.6.30.4 kernel with the latest 2.6.30.4 patch (200908132040). The only thing I did was select "HIGH" for the grsecurity config. I can supply my .config file via email. I will see if I can post it somewhere.

One other thing, increasing vmalloc at the boot prompt (error msg recommends this) does not help.

Thank you

Tim
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Postby x14sg1 » Sun Aug 23, 2009 8:24 pm

Hello,

Here is the config file: http://home.comcast.net/~x14sg1/.config
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Postby PaX Team » Mon Aug 24, 2009 2:57 am

x14sg1 wrote: I have had this problem
uhm, what is exactly the problem? ;)
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Postby x14sg1 » Mon Aug 24, 2009 12:05 pm

Hello,

I run an iptables firewall. The iptables modules do not load, I get these errors in /var/adm/syslog (don't always see that first line)
and trying to increase vmalloc at boot time doesn't help (at least not up to 512M)

Aug 24 11:45:33 pc100 kernel: __ratelimit: 991 callbacks suppressed
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 12288 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 16384 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 8192 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 36864 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 12288 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 36864 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 8192 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 12288 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 36864 failed: use vmalloc=<size> to increase size.
Aug 24 11:45:33 pc100 kernel: vmap allocation for size 8192 failed: use vmalloc=<size> to increase size.

On the screen I see these when module loading is attempted

probe ip_tables (1): FATAL: Error inserting ip_tables (/lib/modules/2.6.30.4-grsec-smp/kernel/net/ipv4/netfilter/ip_tables.ko): Cannot allocate memory

probe ip_conntrack (1): FATAL: Error inserting nf_conntrack_ipv4 (/lib/modules/2.6.30.4-grsec-smp/kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko): Cannot allocate memory

probe ip_conntrack_ftp (1): FATAL: Error inserting nf_conntrack_ftp (/lib/modules/2.6.30.4-grsec-smp/kernel/net/netfilter/nf_conntrack_ftp.ko): Cannot allocate memory

probe ipt_conntrack (1): FATAL: Error inserting xt_conntrack (/lib/modules/2.6.30.4-grsec-smp/kernel/net/netfilter/xt_conntrack.ko): Cannot allocate memory

probe ipt_limit (1): FATAL: Error inserting xt_limit (/lib/modules/2.6.30.4-grsec-smp/kernel/net/netfilter/xt_limit.ko): Cannot allocate memory

probe ipt_state (1): FATAL: Error inserting xt_state (/lib/modules/2.6.30.4-grsec-smp/kernel/net/netfilter/xt_state.ko): Cannot allocate memory

probe ipt_multiport (1): FATAL: Error inserting xt_multiport (/lib/modules/2.6.30.4-grsec-smp/kernel/net/netfilter/xt_multiport.ko): Cannot allocate memory

probe iptable_filter (1): FATAL: Error inserting iptable_filter (/lib/modules/2.6.30.4-grsec-smp/kernel/net/ipv4/netfilter/iptable_filter.ko): Cannot allocate memory

probe iptable_mangle (1): FATAL: Error inserting iptable_mangle (/lib/modules/2.6.30.4-grsec-smp/kernel/net/ipv4/netfilter/iptable_mangle.ko): Cannot allocate memory

probe ipt_REJECT (1): FATAL: Error inserting ipt_REJECT (/lib/modules/2.6.30.4-grsec-smp/kernel/net/ipv4/netfilter/ipt_REJECT.ko): Cannot allocate memory

probe ipt_LOG (1): FATAL: Error inserting ipt_LOG (/lib/modules/2.6.30.4-grsec-smp/kernel/net/ipv4/netfilter/ipt_LOG.ko): Cannot allocate memory

probe ipt_TCPMSS (1): FATAL: Error inserting xt_TCPMSS (/lib/modules/2.6.30.4-grsec-smp/kernel/net/netfilter/xt_TCPMSS.ko): Cannot allocate memory

then some msgs on iptables variables that can't be set, followed by tables that can't be initialized

I do not have these issues if I do not use the grsecurity patch


Hope this helps

Tim
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Postby PaX Team » Mon Aug 24, 2009 1:45 pm

x14sg1 wrote: I run an iptables firewall. The iptables modules do not load, I get these errors in /var/adm/syslog (don't always see that first line)
and trying to increase vmalloc at boot time doesn't help (at least not up to 512M)
does this work if you turn off KERNEXEC? also, can you send me the 'cat /proc/modules' and 'readelf -ed vmlinux' outputs please?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Postby PaX Team » Wed Aug 26, 2009 5:56 pm

x14sg1 wrote: As you suspected, turning off KERNEXEC did the trick. I have uploaded 4 files for you.
ok, it's the usual problem of the binary nvidia driver taking up all the space for executable module code (under i386/KERNEXEC it has to be pre-allocated at link time, it's around 6-7 MB). i'll increase it to >8MB in the next patch, but there should be a better way to size this area, maybe a .config option...
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Postby x14sg1 » Wed Aug 26, 2009 10:48 pm

Thank you.
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Postby x14sg1 » Sun Aug 30, 2009 1:35 am

Thanks

The patch fixed my problem.

You mentioned a kernel option as a possible future solution to this problem.

Is it possible for grsecurity to honor the vmalloc=64M boot parameter?

Tim
x14sg1
 
Posts: 137
Joined: Sun Aug 23, 2009 7:47 pm

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Postby PaX Team » Sun Aug 30, 2009 6:20 pm

x14sg1 wrote: Is it possible for grsecurity to honor the vmalloc=64M boot parameter?
it already does, what i was talking about is a region used for module code (which is separate from the normal vmalloc region under i386/KERNEXEC).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Postby kamil » Sun Feb 14, 2010 6:21 am

Hi.
IMHO this should get at least .config option + info in docs.
I've wasted half of a day trying to understand why I get vmap errors regardless of how much free vmalloc memory I have.

My problem was triggered by loading both nvidia & snd_ctxfi modules - raising code limit to 10 MB fixed it.

Best regards.
kamil
 
Posts: 19
Joined: Sun Feb 14, 2010 5:54 am

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Postby PaX Team » Thu Feb 18, 2010 9:44 pm

kamil wrote: IMHO this should get at least .config option + info in docs.
ok, i bit the bullet and added the .config option, i hope people won't get it wrong :P. also fixed a memory area leak reported by another user that manifested during repeated module loads/unloads.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Postby specs » Sat Feb 20, 2010 10:54 am

The option is only visible in the i386 tree. With the x86_64 tree I did not see the option (which is OK for me).
With i386 the default seems to be 4MB.
CONFIG_PAX_KERNEXEC_MODULE_TEXT=4
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: 2.6.30.4 many vmalloc errors loading iptables/sound modules

Postby PaX Team » Mon Feb 22, 2010 8:30 am

specs wrote: The option is only visible in the i386 tree.
only i386/KERNEXEC is 'special', other archs aren't/won't be since they lack the kind of segmentation logic that i386/KERNEXEC relies on.
specs wrote: With i386 the default seems to be 4MB.
yes it is. what was the question? ;) if you mean why i reduced it from the earlier 8+ MB then it's because the former figure was based on the nvidia kernel module size that people ran into in the past so i accommodated them but since it's easier to change now, they can bump up the number themselves.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
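
The sizing problem discussed in this thread, as an added example (not code from PaX/grsecurity or from any poster): a small budget model of the fixed module-code region under i386/KERNEXEC, showing why tiny modules fail once one large module has filled it and how to pick a CONFIG_PAX_KERNEXEC_MODULE_TEXT value. The function names, the module sizes and the 7 MB starting region are constructed for illustration; the model assumes page-granular accounting with no fragmentation.

```python
"""Budget model for the i386/KERNEXEC module-code region (added example)."""

PAGE = 4096            # i386 page size
MIB = 1024 * 1024      # CONFIG_PAX_KERNEXEC_MODULE_TEXT is given in MB


def pages(nbytes):
    """Round a byte count up to whole pages (assumed allocation granule)."""
    return -(-nbytes // PAGE) * PAGE


def simulate(region_mb, modules):
    """Load modules in order into a fixed region of region_mb MB.

    modules is a list of (name, executable_bytes). A module that does not
    fit fails to load; later, smaller modules may still succeed.
    Returns (loaded_names, failed_names, used_bytes).
    """
    free = region_mb * MIB
    loaded, failed = [], []
    for name, size in modules:
        need = pages(size)
        if need <= free:
            free -= need
            loaded.append(name)
        else:
            failed.append(name)
    return loaded, failed, region_mb * MIB - free


def min_region_mb(modules):
    """Smallest whole-MB region that holds every module at once."""
    total = sum(pages(size) for _, size in modules)
    return -(-total // MIB)


# Constructed sizes: one large binary driver loaded first, then small
# netfilter modules in the range of the failed requests in the syslog above.
MODULES = [
    ("nvidia", 7 * MIB - PAGE),
    ("ip_tables", 12288),
    ("nf_conntrack_ipv4", 16384),
    ("xt_state", 8192),
    ("iptable_filter", 36864),
]

if __name__ == "__main__":
    for mb in (4, 7, min_region_mb(MODULES)):
        loaded, failed, used = simulate(mb, MODULES)
        print(f"{mb} MB: used {used} bytes, failed: {failed or 'none'}")
```

In this model a region only slightly larger than the big driver produces the symptom from the thread (every small module fails with "Cannot allocate memory"), while raising vmalloc= changes nothing because that parameter sizes a different region.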

