2.6.33-201003071645.patch vulnerable at paxtest-0.9.9


Post by wao » Tue Mar 09, 2010 1:13 pm

Hello,
I have grsecurity-2.1.14-2.6.33-201003071645.patch applied to linux-2.6.33, and paxtest-0.9.9 reports it as vulnerable.

Code:
Mode: blackhat
Linux 23.s 2.6.33-grsec #1 Mon Mar 8 14:53:30 GMT+1 2010 i686 i686 i386 GNU/Linux
Executable anonymous mapping             : Vulnerable
Executable bss                           : Vulnerable
Executable data                          : Vulnerable
Executable heap                          : Vulnerable
Executable stack                         : Vulnerable
Executable shared library bss            : Vulnerable
Executable shared library data           : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable stack (mprotect)              : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 18 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (PIE)            : 24 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 16 bits (guessed)
Shared library randomisation test        : 18 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : Vulnerable
Return to function (memcpy, PIE)         : Vulnerable

Code:
gcc version 4.4.3 20100127 (Red Hat 4.4.3-4) (GCC)

With grsecurity-2.1.14-2.6.32.9-201003071225.patch on linux-2.6.32.9, paxtest-0.9.9 seems fine.
Code:
Mode: blackhat
Linux 23.s 2.6.32.9-grsec #3 Tue Mar 2 22:34:25 GMT+1 2010 i686 i686 i386 GNU/Linux
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 17 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (PIE)            : 23 bits (guessed)

I also tried on Gentoo, with a patched gcc, with i686-pc-linux-gnu-4.3.4-hardenednopie.specs
Code:
gcc version 4.3.4 (Gentoo 4.3.4 p1.0, pie-10.1.5)
But I got the same results.
Is it possible that a commit went wrong?
Last edited by wao on Tue Mar 09, 2010 7:32 pm, edited 1 time in total.

Re: 2.6.33-201003071645.patch vulnerable at paxtest-0.9.9

Post by PaX Team » Tue Mar 09, 2010 4:18 pm

wao wrote: I have grsecurity-2.1.14-2.6.33-201003071645.patch applied to linux-2.6.33, and paxtest-0.9.9 reports it as vulnerable.
that's certainly not normal ;). can you try to enable PAE/HIGHMEM64G and see if the results change? also i assume that your userland remained the same, so it's truly a kernel issue (SEGMEXEC in your case, but i don't immediately see what i could have screwed up so badly).

Re: 2.6.33-201003071645.patch vulnerable at paxtest-0.9.9

Post by cormander » Tue Mar 09, 2010 4:47 pm

At least for 64bit, it's working for me on 2.6.33:

http://build.cormander.com/job/linux-2. ... /1/console

At the end of the build is the boot test where it runs grtest and paxtest. Here are the applicable results for me:

Code:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 33 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (PIE)            : 40 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 32 bits (guessed)
Shared library randomisation test        : 33 bits (guessed)
/usr/libexec/paxtest/getstack1: Success
Stack randomisation test (SEGMEXEC)      : Stack randomisation test (PAGEEXEC)      : 40 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         : Vulnerable


I'd run it on 32bit as well but it currently doesn't boot inside xen, and I don't run a bare-metal 32bit machine I can test this on...

Re: 2.6.33-201003071645.patch vulnerable at paxtest-0.9.9

Post by wao » Tue Mar 09, 2010 5:40 pm

Code:
Mode: blackhat
Linux 26.s 2.6.33-grsec #2 Tue Mar 9 22:22:16 CET 2010 i686 i686 i386 GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 18 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (PIE)            : 24 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 16 bits (guessed)
Shared library randomisation test        : 18 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : Vulnerable
Return to function (memcpy, PIE)         : Vulnerable

Quite better. But what about the last 4 lines?

Re: 2.6.33-201003071645.patch vulnerable at paxtest-0.9.9

Post by PaX Team » Tue Mar 09, 2010 5:58 pm

wao wrote:
Code:
Return to function (strcpy)              : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : Vulnerable
Return to function (memcpy, PIE)         : Vulnerable

Quite better. But what about the last 4 lines?
that's normal, there's no ret2libc protection in the kernel.

Re: 2.6.33-201003071645.patch vulnerable at paxtest-0.9.9

Post by PaX Team » Wed Mar 10, 2010 1:12 pm

wao wrote: Quite better.
can you send me your previous .config please?
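
Added example, not part of the thread and not code from paxtest or grsecurity: a Python triage script for paxtest logs in the format posted above. It fails any Executable/Writable row that is not Killed, treats Vulnerable on the Return to function rows as the expected result (per the reply in this thread), and lists tests that regressed between two runs. The two embedded logs are constructed and abbreviated, and the function names are hypothetical.

```python
import re

ROW = re.compile(r"^(.+?)\s*: (.*)$")   # "<test name>   : <result>"
BITS = re.compile(r"(\d+) bits")        # "24 bits (guessed)"

# Constructed logs, abbreviated, in the format of the paxtest runs in this thread.
BASELINE = """\
Mode: blackhat
Executable heap (mprotect)               : Killed
Executable stack                         : Killed
Writable text segments                   : Killed
Heap randomisation test (PIE)            : 23 bits (guessed)
"""
CURRENT = """\
Mode: blackhat
Executable heap (mprotect)               : Vulnerable
Executable stack                         : Vulnerable
Writable text segments                   : Killed
Heap randomisation test (PIE)            : 24 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Return to function (memcpy)              : Vulnerable
"""

def parse(log):
    """Return {test name: result} for recognised paxtest rows; banners are skipped."""
    rows = {}
    for line in log.splitlines():
        m = ROW.match(line)
        if m and (m.group(1).startswith(("Executable ", "Writable ", "Return to "))
                  or "randomisation" in m.group(1)):
            rows[m.group(1)] = m.group(2).strip()
    return rows

def classify(name, result):
    if name.startswith(("Executable ", "Writable ")):
        return "ok" if result == "Killed" else "FAIL"
    if name.startswith("Return to "):
        # Per the reply in the thread, the kernel has no ret2libc protection,
        # so "Vulnerable" is the normal result for these rows.
        return "expected" if result == "Vulnerable" else "info"
    # Randomisation rows: BITS.match anchors at the start, so a row whose
    # result is another fused row (as in the 64-bit log) is left unparsed.
    return "entropy" if BITS.match(result) or result == "No randomisation" else "unparsed"

def regressions(baseline, current):
    """Names of tests that were "ok" in the baseline log but "FAIL" in the current one."""
    old, new = parse(baseline), parse(current)
    return sorted(n for n, r in new.items()
                  if classify(n, r) == "FAIL" and classify(n, old.get(n, "")) == "ok")

if __name__ == "__main__":
    for name, result in parse(CURRENT).items():
        print(f"{classify(name, result):8} {name}: {result}")
    print("regressions:", regressions(BASELINE, CURRENT))
```
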

