Did I screw up my config somewhere? (2.6.31.7)

Posted: Tue Dec 08, 2009 11:21 pm
by a nobody
Running a 2.6.31.7 kernel with the current stable patch. The behaviour was the same on 2.6.31.6 with the 2.6.31.6 patch (and the same config).

Did I screw it up somewhere, or is this expected behaviour?

Paxtest gives me:

Executable anonymous mapping : Vulnerable
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 18 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 24 bits (guessed)
Main executable randomisation (ET_EXEC) : 15 bits (guessed)
Main executable randomisation (ET_DYN) : 14 bits (guessed)
Shared library randomisation test : 15 bits (guessed)
Stack randomisation test (SEGMEXEC) : 24 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed

PaX config is:

CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_SEGMEXEC is not set
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y

System is stable Debian (if it matters) running on an AMD64 chip running as 32-bit.

Re: Did I screw up my config somewhere? (2.6.31.7)

Posted: Wed Dec 09, 2009 12:49 am
by a nobody
As it turns out, I did screw up my config.

If anyone else is in the same boat, make sure you have CONFIG_X86_PAE enabled (which in turn requires 64GB highmem), or the NX bit won't be enabled. Once I turned that on the anonymous mapping tests got killed.

Still, a question... with NX disabled in segmentation mode PaX still functions (just with a significant performance hit) ... why did the anonymous mapping tests succeed?
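A check for the pitfall described in the post above, written as an added example (not code from the thread or from paxtest); it reads a kernel .config such as /boot/config-$(uname -r) and reports whether PAGEEXEC can use the hardware NX bit. Function names and the constructed sample configs are mine.

```shell
# Added example (not from the thread or from paxtest): check a kernel .config for the
# mistake described above. On 32-bit x86 the NX bit only exists in PAE page tables,
# so CONFIG_PAX_PAGEEXEC gets hardware NX only with CONFIG_X86_PAE (selected by
# CONFIG_HIGHMEM64G); without it PaX falls back to software page-exec emulation.

# opt_set CONFIG_FOO file: true only for an "=y" line, never for "# CONFIG_FOO is not set".
opt_set() {
    grep -q "^$1=y\$" "$2"
}

# Exit status: 0 = PAGEEXEC with hardware NX available (PAE or 64-bit kernel),
#              1 = PAGEEXEC enabled but PAE missing (software emulation only),
#              2 = PAGEEXEC not enabled at all.
check_pax_nx() {
    cfg="$1"
    if ! opt_set CONFIG_PAX_PAGEEXEC "$cfg"; then
        echo "PAGEEXEC disabled: PaX does not enforce non-executable pages"
        return 2
    fi
    if opt_set CONFIG_X86_64 "$cfg" || opt_set CONFIG_X86_PAE "$cfg" \
        || opt_set CONFIG_HIGHMEM64G "$cfg"; then
        echo "PAGEEXEC with hardware NX support"
        return 0
    fi
    echo "PAGEEXEC without PAE: NX bit unusable, software emulation only"
    return 1
}

# Constructed sample: the PaX lines from the original post plus the 32-bit memory
# options, with PAE left unset as in the report that started the thread.
broken_config=$(mktemp)
cat > "$broken_config" <<'EOF'
CONFIG_X86_32=y
CONFIG_HIGHMEM4G=y
# CONFIG_HIGHMEM64G is not set
# CONFIG_X86_PAE is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_SEGMEXEC is not set
CONFIG_PAX_MPROTECT=y
EOF

# The same config after the fix from the follow-up post (64GB highmem, hence PAE).
fixed_config=$(mktemp)
sed -e 's/^# CONFIG_HIGHMEM64G is not set$/CONFIG_HIGHMEM64G=y/' \
    -e 's/^# CONFIG_X86_PAE is not set$/CONFIG_X86_PAE=y/' "$broken_config" > "$fixed_config"

check_pax_nx "$broken_config" || echo "exit status $?"
check_pax_nx "$fixed_config"
```

The exit status is meant for use in a build script: a status of 1 on a 32-bit PaX kernel is exactly the configuration that produced the "Vulnerable" anonymous mapping results in this thread.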

Re: Did I screw up my config somewhere? (2.6.31.7)

Posted: Wed Dec 09, 2009 5:23 am
by Grach
a nobody wrote: Still, a question... with NX disabled in segmentation mode PaX still functions (just with a significant performance hit) ... why did the anonymous mapping tests succeed?

# CONFIG_PAX_SEGMEXEC is not set

It seems you didn't have SEGMEXEC enabled. You could search through the PaX and grsec logs to find the reason why the other test procs were killed.

Re: Did I screw up my config somewhere? (2.6.31.7)

Posted: Wed Dec 09, 2009 12:23 pm
by a nobody
Yeah, I misspoke. What I meant to say was that PAGEEXEC still works without NX, just with a performance hit (and that was enabled) ... so I guess the question is still why did the anonymous mapping tests fail?

Re: Did I screw up my config somewhere? (2.6.31.7)

Posted: Fri Dec 11, 2009 7:01 pm
by PaX Team
a nobody wrote: Yeah, I misspoke. What I meant to say was that PAGEEXEC still works without NX, just with a performance hit (and that was enabled) ... so I guess the question is still why did the anonymous mapping tests fail?

Hmm, there should be nothing special with non-exec anon mappings; I'll try to reproduce it and see what's up.

Re: Did I screw up my config somewhere? (2.6.31.7)

Posted: Fri Dec 11, 2009 10:36 pm
by a nobody
I recompiled with 64GB highmem and NX, the anon mapping tests were killed as expected, so it looks like it's only an issue for those of us dumb enough to run pageexec without NX.

Re: Did I screw up my config somewhere? (2.6.31.7)

Posted: Sat Dec 12, 2009 12:57 pm
by Oscon
a nobody wrote: Running a 2.6.31.7 kernel with the current stable patch. The behaviour was the same on 2.6.31.6 with the 2.6.31.6 patch (and the same config).

Did I screw it up somewhere, or is this expected behaviour?

Paxtest gives me:
...
Main executable randomisation (ET_EXEC) : 15 bits (guessed)
...
System is stable Debian (if it matters) running on an AMD64 chip running as 32-bit.

Which paxtest did you use?

- paxtest 0.9.7-pre4 from Debian lenny, for example?
- or a newer paxtest 0.9.7-pre6 from spender's home?

I remember there is a "new" getmain1 (for the ET_EXEC randomisation test) in the newer paxtest (static void -> void).
The "new" getmain1 ought to return without randomisation (on Debian or a similar x86_32 binary distribution). :(

Re: Did I screw up my config somewhere? (2.6.31.7)

Posted: Sat Dec 12, 2009 5:09 pm
by a nobody
pre4 and pre5. Didn't know about pre6.

Re: Did I screw up my config somewhere? (2.6.31.7)

Posted: Sat Dec 12, 2009 5:25 pm
by Oscon
a nobody wrote: pre4 and pre5. Didn't know about pre6.

There is here.