grsecurity forums

Posted: **Tue Nov 03, 2009 5:12 pm**

Hi,
On my desktop (a D945GCLF2, with Atom 330 , Intel 945GC and onboard GMA950) runs Debian Unstable.
Since approximately april I used the Xorg-version of Debian Stable. This version still works for kernels newer than the 2.6.27.x-kernels.
On another pc I tested that the newer Xorg-version started working again with the 2.6.30.x-kernels.
Note: the onboard GPU uses system memory.

In short, I upgraded the Xorg-version to the latest version and I ran into a kernel error. I tried to copy/paste the error as best as I could.
Used kernelpatch: grsecurity-2.1.14-2.6.31.5-200910312135.patch

Code: Select all: Starting X display manager: xdm. Enabling laptop mode...done (enabled, not active). Stopping watchdog keepalive daemon.... PAX: Xorg:2212, uid/euid: 0/0, attempted to modify kernel code BUG: unable to handle kernel paging request at c125dedc IP: [<0001abb3>] *pde = 368da063 *pte = 0125d161 Oops: 0003 [#1] SMP last sysfs file: /sys/block/hda/uevent Modules linked in: smsc47m192 hwmon_vid vfat fat ipv6 nfs lockd nf s_acl auth_rp Pid: 2212, comm: Xorg Tainted: G W (2.6.31.5-grsec-2009110 22011-1 #2) EIP: 0060:[<0001abb3>] EFLAGS: 00213283 CPU: 0 EAX: c125dedc EBX: 00000003 ECX: fffb7000 EDX: 00048000 ESI: 0000001c EDI: f6aad3c0 EBP: f6aadc40 ESP: f66f9d50 DS: 0068 ES: 0068 FS: 00d8 GS: 0033 SS: 0068 Process Xorg (pid: 2212, ti=f66f8000 task=f664bbf0 task.ti=f66f800 0) Stack: f80d8020 0045a965 00000000 f66f9d7c 00000000 00017769 00030001 f6 aadcc0 <0> f66f9e20 f6435800 f60b9000 f6435814 00000000 00000002 00000000 00000000 <0> f6aad340 f61b5960 00000004 f61b5e40 00000001 08537b47 f80d8000 000003fe Call Trace:%) [<0045a965>] ? [<00017769>] ? [<00030001>] ? [<00422b6b>] ? [<0045a04e>] ? [<00003fe8>] ? [<000280da>] ? [<0004f4db>] ? [<000280da>] ? [<000765d4>] ? [<00076d19>] ? [<0005b17d>] ? [<00017b83>] ? [<00076da1>] ? [<00003c43>] ? [<00070000>] ? [<00203202>] ? [<00076da1>] ? [<00003c5c>] ? [<00203202>] ? Code: 14 81 e1 00 f0 ff ff 53 8d 1c 10 a1 44 a5 c2 c1 8d 53 45 c1 e2 0c 29 d0 3 EIP: [<0001abb3>] SS:ESP 0068:f66f9d50 CR2: 00000000c125dedc ---[ end trace 1af7eb590d3a68a4 ]--- note: Xorg[2212] exited with preempt_count 1 Starting watchdoBUG: scheduling while atomic: Xorg/2212/0x10000001 g daemon...Modules linked in: smsc47m192 hwmon_vid vfat fat ipv6 n fs lockd nfs_ Pid: 2212, comm: Xorg Tainted: G D W 2.6.31.5-grsec-20091102 2011-1 #2 Call Trace: [<001c6a53>] ? [<00021002>] ? [<00002140>] ? [<00002140>] ? [<00203286>] ? [<0001c039>] ? [<00002140>] ? [<00203282>] ? [<0004984c>] ? [<0002839f>] ? [<0002143e>] ? [<001c7431>] ? [<0003fc05>] ? [<00004638>] ? [<0000f8f8>] ? [<000224c3>] ? [<0002544c>] ? [<00046ef5>] ? [<00026a69>] ? [<00203046>] ? [<00203046>] ? [<00026eaa>] ? [<00203046>] ? [<00006e80>] ? [<00017728>] ? [<0004f0db>] ? [<00203246>] ? [<000280d2>] ? [<000080d2>] ? [<0004f4db>] ? [<000171f8>] ? [<000178ad>] ? [<00017858>] ? [<0001773a>] ? [<00030001>] ? [<001c8a77>] ? [<00048000>] ? [<00130068>] ? [<00450068>] ? [<00017858>] ? [<0001abb3>] ? [<00213283>] ? [<0045a965>] ? [<00017769>] ? [<00030001>] ? [<00422b6b>] ? [<0045a04e>] ? [<00003fe8>] ? [<000280da>] ? [<0004f4db>] ? [<000280da>] ? [<000765d4>] ? [<00076d19>] ? [<0005b17d>] ? [<00017b83>] ? [<00076da1>] ? [<00003c43>] ? [<00070000>] ? [<00203202>] ? [<00076da1>] ? [<00003c5c>] ? [<00203202>] ? ------------[ cut here ]------------ BUG: scheduling while atomic: Xorg/2212/0x00000001 Modules linked in: smsc47m192 hwmon_vid vfat fat ipv6 nfs lockd nf s_acl auth_rp Pid: 2212, comm: Xorg Tainted: G D W 2.6.31.5-grsec-20091102 2011-1 #2 Call Trace: [<001c6a53>] ? [<00002140>] ? [<00002140>] ? [<0004984c>] ? [<0002839f>] ? [<00203046>] ? [<00203046>] ? [<000284d9>] ? [<00004638>] ? [<0001bcc3>] ? [<001c7a56>] ? [<001c7cf1>] ? [<00423dd8>] ? [<0005db10>] ? [<0005dc31>] ? [<00022598>] ? [<00025502>] ? [<00046ef5>] ? [<00026a69>] ? [<00203046>] ? [<00203046>] ? [<00026eaa>] ? [<00203046>] ? [<00006e80>] ? [<00017728>] ? [<0004f0db>] ? [<00203246>] ? [<000280d2>] ? [<000080d2>] ? [<0004f4db>] ? [<000171f8>] ? [<000178ad>] ? [<00017858>] ? [<0001773a>] ? [<00030001>] ? [<001c8a77>] ? [<00048000>] ? [<00130068>] ? [<00450068>] ? [<00017858>] ? [<0001abb3>] ? [<00213283>] ? [<0045a965>] ? [<00017769>] ? [<00030001>] ? [<00422b6b>] ? [<0045a04e>] ? [<00003fe8>] ? [<000280da>] ? [<0004f4db>] ? [<000280da>] ? [<000765d4>] ? [<00076d19>] ? [<0005b17d>] ? [<00017b83>] ? [<00076da1>] ? [<00003c43>] ? [<00070000>] ? [<00203202>] ? [<00076da1>] ? [<00003c5c>] ? [<00203202>] ? kernel BUG at arch/x86/mm/highmem_32.c:45! invalid opcode: 0000 [#2] SMP last sysfs file: /sys/block/hda/uevent Modules linked in: smsc47m192 hwmon_vid vfat fat ipv6 nfs lockd nf s_acl auth_rp

I ended the session with a reset.

To test what part of the kernel was to blame I first compiled a vanilla kernel (worked). Then I tried to start some old kernels (2.6.31.3, 2.6.30.5, 2.6.29.6 all with grsecurity) with a similar oops.
Then I tried to isolate the error to either the grsecurity patches or the pax patches.

However, both the configuration with only grsecurity and with only pax worked. Only the kernel where both were enabled failed.

Diff with the configuration without grsecurity:

Code: Select all: < # CONFIG_GRKERNSEC is not set --- > CONFIG_GRKERNSEC=y > # CONFIG_GRKERNSEC_LOW is not set > # CONFIG_GRKERNSEC_MEDIUM is not set > # CONFIG_GRKERNSEC_HIGH is not set > CONFIG_GRKERNSEC_CUSTOM=y > > # > # Address Space Protection > # > CONFIG_GRKERNSEC_KMEM=y > # CONFIG_GRKERNSEC_IO is not set > CONFIG_GRKERNSEC_PROC_MEMMAP=y > CONFIG_GRKERNSEC_BRUTE=y > CONFIG_GRKERNSEC_MODHARDEN=y > CONFIG_GRKERNSEC_HIDESYM=y > > # > # Role Based Access Control Options > # > # CONFIG_GRKERNSEC_NO_RBAC is not set > CONFIG_GRKERNSEC_ACL_HIDEKERN=y > CONFIG_GRKERNSEC_ACL_MAXTRIES=3 > CONFIG_GRKERNSEC_ACL_TIMEOUT=30 > > # > # Filesystem Protections > # > CONFIG_GRKERNSEC_PROC=y > # CONFIG_GRKERNSEC_PROC_USER is not set > CONFIG_GRKERNSEC_PROC_USERGROUP=y > CONFIG_GRKERNSEC_PROC_GID=2001 > CONFIG_GRKERNSEC_PROC_ADD=y > CONFIG_GRKERNSEC_LINK=y > CONFIG_GRKERNSEC_FIFO=y > CONFIG_GRKERNSEC_CHROOT=y > CONFIG_GRKERNSEC_CHROOT_MOUNT=y > CONFIG_GRKERNSEC_CHROOT_DOUBLE=y > CONFIG_GRKERNSEC_CHROOT_PIVOT=y > CONFIG_GRKERNSEC_CHROOT_CHDIR=y > CONFIG_GRKERNSEC_CHROOT_CHMOD=y > CONFIG_GRKERNSEC_CHROOT_FCHDIR=y > CONFIG_GRKERNSEC_CHROOT_MKNOD=y > CONFIG_GRKERNSEC_CHROOT_SHMAT=y > CONFIG_GRKERNSEC_CHROOT_UNIX=y > CONFIG_GRKERNSEC_CHROOT_FINDTASK=y > CONFIG_GRKERNSEC_CHROOT_NICE=y > CONFIG_GRKERNSEC_CHROOT_SYSCTL=y > CONFIG_GRKERNSEC_CHROOT_CAPS=y > > # > # Kernel Auditing > # > CONFIG_GRKERNSEC_AUDIT_GROUP=y > CONFIG_GRKERNSEC_AUDIT_GID=2007 > CONFIG_GRKERNSEC_EXECLOG=y > CONFIG_GRKERNSEC_RESLOG=y > CONFIG_GRKERNSEC_CHROOT_EXECLOG=y > CONFIG_GRKERNSEC_AUDIT_CHDIR=y > CONFIG_GRKERNSEC_AUDIT_MOUNT=y > CONFIG_GRKERNSEC_SIGNAL=y > CONFIG_GRKERNSEC_FORKFAIL=y > CONFIG_GRKERNSEC_TIME=y > CONFIG_GRKERNSEC_PROC_IPADDR=y > # CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set > > # > # Executable Protections > # > CONFIG_GRKERNSEC_EXECVE=y > CONFIG_GRKERNSEC_DMESG=y > # CONFIG_GRKERNSEC_HARDEN_PTRACE is not set > CONFIG_GRKERNSEC_TPE=y > CONFIG_GRKERNSEC_TPE_ALL=y > CONFIG_GRKERNSEC_TPE_INVERT=y > CONFIG_GRKERNSEC_TPE_GID=2005 > > # > # Network Protections > # > CONFIG_GRKERNSEC_RANDNET=y > CONFIG_GRKERNSEC_BLACKHOLE=y > CONFIG_GRKERNSEC_SOCKET=y > CONFIG_GRKERNSEC_SOCKET_ALL=y > CONFIG_GRKERNSEC_SOCKET_ALL_GID=2004 > CONFIG_GRKERNSEC_SOCKET_CLIENT=y > CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=2003 > CONFIG_GRKERNSEC_SOCKET_SERVER=y > CONFIG_GRKERNSEC_SOCKET_SERVER_GID=2002 > > #> # Sysctl support > # > CONFIG_GRKERNSEC_SYSCTL=y > CONFIG_GRKERNSEC_SYSCTL_ON=y > > # > # Logging Options > # > CONFIG_GRKERNSEC_FLOODTIME=10 > CONFIG_GRKERNSEC_FLOODBURST=4 2098a2193,2222 > CONFIG_PAX=y > > # > # PaX Control > # > CONFIG_PAX_SOFTMODE=y > CONFIG_PAX_EI_PAX=y > CONFIG_PAX_PT_PAX_FLAGS=y > CONFIG_PAX_NO_ACL_FLAGS=y > # CONFIG_PAX_HAVE_ACL_FLAGS is not set > # CONFIG_PAX_HOOK_ACL_FLAGS is not set > > # > # Non-executable pages > # > CONFIG_PAX_NOEXEC=y > CONFIG_PAX_PAGEEXEC=y > CONFIG_PAX_SEGMEXEC=y > # CONFIG_PAX_EMUTRAMP is not set > CONFIG_PAX_MPROTECT=y > # CONFIG_PAX_NOELFRELOCS is not set > CONFIG_PAX_KERNEXEC=y > > # > # Address Space Layout Randomization > # > CONFIG_PAX_ASLR=y > CONFIG_PAX_RANDKSTACK=y > CONFIG_PAX_RANDUSTACK=y > CONFIG_PAX_RANDMMAP=y 2104a2229,2230 > CONFIG_PAX_REFCOUNT=y > CONFIG_PAX_USERCOPY=y

Diff with the configuration without pax:

Code: Select all: < # CONFIG_PAX is not set --- > CONFIG_PAX=y > > # > # PaX Control > # > CONFIG_PAX_SOFTMODE=y > CONFIG_PAX_EI_PAX=y > CONFIG_PAX_PT_PAX_FLAGS=y > CONFIG_PAX_NO_ACL_FLAGS=y > # CONFIG_PAX_HAVE_ACL_FLAGS is not set > # CONFIG_PAX_HOOK_ACL_FLAGS is not set > > # > # Non-executable pages > # > CONFIG_PAX_NOEXEC=y > CONFIG_PAX_PAGEEXEC=y > CONFIG_PAX_SEGMEXEC=y > # CONFIG_PAX_EMUTRAMP is not set > CONFIG_PAX_MPROTECT=y > # CONFIG_PAX_NOELFRELOCS is not set > CONFIG_PAX_KERNEXEC=y > > # > # Address Space Layout Randomization > # > CONFIG_PAX_ASLR=y > CONFIG_PAX_RANDKSTACK=y > CONFIG_PAX_RANDUSTACK=y > CONFIG_PAX_RANDMMAP=y 2199,2202c2227,2230 < # CONFIG_PAX_MEMORY_SANITIZE is not set < # CONFIG_PAX_MEMORY_UDEREF is not set < # CONFIG_PAX_REFCOUNT is not set < # CONFIG_PAX_USERCOPY is not set --- > CONFIG_PAX_MEMORY_SANITIZE=y > CONFIG_PAX_MEMORY_UDEREF=y > CONFIG_PAX_REFCOUNT=y > CONFIG_PAX_USERCOPY=y

To keep the comparison correct I did not include the VM86 option from the latest patch.
Any hints?
Or should I just tag X -psmxe with paxctl?

Posted: **Wed Nov 04, 2009 3:24 pm**

Realised after posting I overwrote the vmlinux correspong with the error.

Recreated all:
http://www.aoi-karin.net/security/grsec ... .error.txt
http://www.aoi-karin.net/security/grsecurity/config
http://www.aoi-karin.net/security/grsecurity/vmlinux

Posted: **Fri Nov 06, 2009 6:05 pm**

specs wrote:Realised after posting I overwrote the vmlinux correspong with the error.

Recreated all:
http://www.aoi-karin.net/security/grsec ... .error.txt
http://www.aoi-karin.net/security/grsecurity/config
http://www.aoi-karin.net/security/grsecurity/vmlinux

i've fixed it already, it will be in the next patch.

Posted: **Wed Nov 11, 2009 1:11 pm**

With 2.6.31.6 and the latest patch I can start X on the machine with problems. Thanks.
Unfortunately it seems I run into other problems (firefox on i386 100% cpuload). But that bug has been filed as far as I can see.

grsecurity forums

Crash with X.org and Intel driver

Crash with X.org and Intel driver

Re: Crash with X.org and Intel driver

Re: Crash with X.org and Intel driver

Re: Crash with X.org and Intel driver