paxctl -z inconsistency?

Postby Hugo Mildenberger » Tue Aug 10, 2010 5:53 am

On an X86 P4 gentoo system running 2.6.34-hardened-r1 configured not to emulate elf trampolines, I wondered about the behaviour of paxctl -z. Why does EMUTRAMP change state after running paxctl -z?

Code:
echo "void main(){}" |gcc -x c -  -o test
paxctl -v test
paxctl -z test
paxctl -v test


This script produces the following output:
    PaX control v0.5
    Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

    - PaX flags: -------x-e-- [test]
    RANDEXEC is disabled
    EMUTRAMP is disabled

    PaX control v0.5
    Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

    - PaX flags: -------x---- [test]
    RANDEXEC is disabled



Here is the PaX related kernel config
Code:
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_MODULE_TEXT=4

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
Hugo Mildenberger
 
Posts: 12
Joined: Sun Dec 13, 2009 6:14 pm

Re: paxctl -z inconsistency?

Postby PaX Team » Fri Aug 13, 2010 6:29 am

Hugo Mildenberger wrote: On an X86 P4 gentoo system running 2.6.34-hardened-r1 configured not to emulate elf trampolines, I wondered about the behaviour of paxctl -z. Why does EMUTRAMP change state after running paxctl -z?
-z should zero out all bits in the PT_PAX_FLAGS header so the problem is actually not that EMUTRAMP has changed but that RANDEXEC has not. since i couldn't reproduce this here, can you send me your paxctl binary please?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: paxctl -z inconsistency?

Postby Hugo Mildenberger » Sat Aug 14, 2010 3:07 pm

PaX Team wrote: -z should zero out all bits in the PT_PAX_FLAGS header so the problem is actually not that EMUTRAMP has changed but that RANDEXEC has not. since i couldn't reproduce this here, can you send me your paxctl binary please?


Will do. But then, if it was not the kernel as I thought before, what is setting defaults for these flags? ld? And RANDEXEC somehow interfering without the kernel actually supporting it could well explain a good part of the problems I see with gdb. Strange.
Hugo Mildenberger
 
Posts: 12
Joined: Sun Dec 13, 2009 6:14 pm

Re: paxctl -z inconsistency?

Postby spender » Sat Aug 14, 2010 7:30 pm

Hi Hugo,

The PaX flags on your binary aren't an inconsistency. The paxctl binary recognized that the binary you were clearing flags on was a PIE binary, so it disabled RANDEXEC as RANDEXEC would not be needed for a PIE binary. Here's the relevant code from paxctl:

Code:
    if (ehdr->e_type == ET_DYN) {
      /* ET_DYN (PIE): clear the requested bits plus RANDEXEC, but never clear NORANDEXEC */
      phdr[pax_flags].p_flags &= ~((state->flags_off | PF_RANDEXEC) & (ElfW(Elf, _Word))~PF_NORANDEXEC);
      /* set the requested bits plus NORANDEXEC, but never set RANDEXEC */
      phdr[pax_flags].p_flags |= (state->flags_on | PF_NORANDEXEC) & (ElfW(Elf, _Word))~PF_RANDEXEC;
    } else {
      /* any other ELF type: apply the requested flags unchanged */
      phdr[pax_flags].p_flags &= ~state->flags_off;
      phdr[pax_flags].p_flags |= state->flags_on;
    }


-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
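
To see why the second `paxctl -v` prints `-------x----`, the masking quoted above can be replayed on the flags shown in the first post. This is an added example, not code from the thread or from paxctl itself; the bit positions, the `PF_PAX_MASK` name and the modelling of `-z` as "nothing on, everything off" are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed PT_PAX_FLAGS layout: bits 4..15, in the same order as the
 * letters printed by paxctl -v (P p S s M m X x E e R r). */
#define PF_RANDEXEC    (1U << 10)
#define PF_NORANDEXEC  (1U << 11)
#define PF_NOEMUTRAMP  (1U << 13)
#define PF_PAX_MASK    0xFFF0U   /* hypothetical name: all twelve PaX bits */
#define ET_EXEC 2
#define ET_DYN  3

/* Same masking as the quoted paxctl lines, applied to a plain 32-bit word. */
static uint32_t apply_flags(int e_type, uint32_t f, uint32_t on, uint32_t off)
{
    if (e_type == ET_DYN) {
        f &= ~((off | PF_RANDEXEC) & ~PF_NORANDEXEC);
        f |= (on | PF_NORANDEXEC) & ~PF_RANDEXEC;
    } else {
        f &= ~off;
        f |= on;
    }
    return f;
}

/* Render a flag word as the 12-character string paxctl -v shows. */
static const char *render(uint32_t f, char out[13])
{
    static const char letters[] = "PpSsMmXxEeRr";
    for (int i = 0; i < 12; i++)
        out[i] = (f & (1U << (4 + i))) ? letters[i] : '-';
    out[12] = '\0';
    return out;
}

/* Assumed model of -z: request no flags on and every PaX bit off. */
static uint32_t zero_flags(int e_type, uint32_t f)
{
    return apply_flags(e_type, f, 0U, PF_PAX_MASK);
}

int main(void)
{
    char buf[13];
    uint32_t before = PF_NORANDEXEC | PF_NOEMUTRAMP;  /* -------x-e-- */
    printf("-z on ET_DYN:  %s\n", render(zero_flags(ET_DYN, before), buf));
    printf("-z on ET_EXEC: %s\n", render(zero_flags(ET_EXEC, before), buf));
    return 0;
}
```

For the ET_DYN case only the `x` (NORANDEXEC) bit survives, which matches the output in the first post; the same request on an ET_EXEC binary leaves no bits set.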

