
grub-probe Killed under grsecurity

Posted: Sat Sep 18, 2010 5:36 am
by cmouse
grub-probe is killed under grsecurity despite paxctl

[152627.570577] PAX: From 83.100.71.8: execution attempt in: <anonymous mapping>, 71e6f4005000-71e6f401b000 7ffffffe9000
[152627.571093] PAX: terminating task: /usr/sbin/grub-probe(grub-probe):6072, uid/euid: 0/0, PC: 000071e6f40199f0, SP: 000071e6f40199b8
[152627.571624] PAX: bytes at PC: 41 bb b0 99 40 00 49 ba e0 99 01 f4 e6 71 00 00 49 ff e3 1d
[152627.572133] PAX: bytes at SP-8: 000071e6f401a060 0000000000409812 000071e6f401a060 000071e6f4019ac0 000071e6f401a060 00000000004098f2 0000000000000000 00000000006474a0 ba49004099b0bb41 000071e6f40199e0 000143ee1de3ff49

# paxctl -v /usr/sbin/grub-probe
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-xE--r [/usr/sbin/grub-probe]
PAGEEXEC is disabled
SEGMEXEC is disabled
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is enabled
RANDMMAP is disabled

CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_ELFRELOCS=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y

grsecurity version 2.2.0-2.6.32.21-201009130811
kernel version 2.6.32.21-grsec

Re: grub-probe Killed under grsecurity

Posted: Sat Sep 18, 2010 4:38 pm
by spender
Are you using the RBAC system and enforcing PaX flags on the binary through it?

-Brad

Re: grub-probe Killed under grsecurity

Posted: Sun Sep 19, 2010 5:54 am
by cmouse
RBAC is disabled in kernel with CONFIG_GRKERNSEC_NO_RBAC=y

Re: grub-probe Killed under grsecurity

Posted: Sun Sep 19, 2010 3:33 pm
by PaX Team
cmouse wrote: RBAC is disabled in kernel with CONFIG_GRKERNSEC_NO_RBAC=y

can you run this binary in gdb and then look at what PaX flags got enabled on it in /proc/pid/status?

Re: grub-probe Killed under grsecurity

Posted: Mon Sep 20, 2010 2:40 am
by cmouse
~# objdump -x /usr/sbin/grub-probe

/usr/sbin/grub-probe: file format elf64-x86-64
/usr/sbin/grub-probe
architecture: i386:x86-64, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x0000000000401ff0

~# gdb /usr/sbin/grub-probe
(gdb) break main
Function "main" not defined.
(gdb) break *0x0000000000401ff0
Breakpoint 1 at 0x401ff0
(gdb) r
Starting program: /usr/sbin/grub-probe
During startup program terminated with signal SIGKILL, Killed.

~# strace /usr/sbin/grub-probe
execve("/usr/sbin/grub-probe", ["/usr/sbin/grub-probe"], [/* 19 vars */] <unfinished ...>
+++ killed by SIGKILL +++
Killed

any other ideas? =)

Re: grub-probe Killed under grsecurity

Posted: Mon Sep 20, 2010 2:43 am
by cmouse
And for comparison:

~# strace /bin/ls
execve("/bin/ls", ["/bin/ls"], [/* 19 vars */]) = 0
brk(0) = 0x623a50
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x673c27a32000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
<snip/>
getdents(3, /* 0 entries */, 32768) = 0
close(3) = 0
close(1) = 0
close(2) = 0
exit_group(0) = ?
~#

Re: grub-probe Killed under grsecurity

Posted: Mon Sep 20, 2010 5:21 pm
by tjh
I've seen this before.
You're calling something else that calls grub-update, aren't you? Or are you actually running grub-update itself?

grub-update inherits the flags from the calling process I think.

I know I've seen this when installing new kernels on Debian/Ubuntu boxes. I forget the exact binary, but there's another in /usr/sbin or /sbin that if you change the pax flags for, everything works fine.

Re: grub-probe Killed under grsecurity

Posted: Mon Sep 20, 2010 9:37 pm
by PaX Team
cmouse wrote:
~# strace /usr/sbin/grub-probe
execve("/usr/sbin/grub-probe", ["/usr/sbin/grub-probe"], [/* 19 vars */] <unfinished ...>
+++ killed by SIGKILL +++
Killed

any other ideas? =)

yeah, the above makes it obvious now that it's a SIGKILL during execve itself, which usually happens for illegal flag combinations, which is your case as well: EMUTRAMP makes little sense when non-exec pages aren't enforced, so turn PAGEEXEC/SEGMEXEC back on. the next question is why you ended up with such a flag combination, did something not work before with what the toolchain created by default for this binary (i assume EMUTRAMP was enabled due to the nested function trampolines)?
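
The flag combination named in the reply above can be checked before a binary is ever executed. The following is an added example, not part of any post in this thread and not PaX or paxctl code: the function names are hypothetical, the input is the `paxctl -v` flag line posted earlier, and only the one rule stated in the reply (EMUTRAMP enabled with PAGEEXEC and SEGMEXEC both disabled) is encoded; flags left unset are reported as undetermined rather than guessed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Pull the flag string out of `paxctl -v` output supplied on stdin.
pax_flags_from_paxctl() {
    sed -n 's/^- PaX flags: \([-A-Za-z]*\) \[.*$/\1/p'
}

# Check one flag string (upper case = enabled, lower case = disabled,
# '-' = not set) for the combination named in the thread.
# Returns 0 = not that combination, 1 = that combination,
# 2 = EMUTRAMP enabled but PAGEEXEC/SEGMEXEC not both explicitly marked.
pax_check_emutramp() {
    _f=$1
    case $_f in
        *E*) ;;
        *) echo "ok: EMUTRAMP not explicitly enabled"; return 0 ;;
    esac
    case $_f in
        *P*|*S*) echo "ok: EMUTRAMP with PAGEEXEC or SEGMEXEC enabled"; return 0 ;;
    esac
    case $_f in
        *p*s*) echo "bad: EMUTRAMP enabled, PAGEEXEC and SEGMEXEC both disabled"
               return 1 ;;
    esac
    echo "unknown: PAGEEXEC/SEGMEXEC not both marked; kernel defaults apply"
    return 2
}

# Constructed input: the `paxctl -v` flag line as posted earlier in the thread.
sample='- PaX flags: -p-s-m-xE--r [/usr/sbin/grub-probe]'
posted=$(printf '%s\n' "$sample" | pax_flags_from_paxctl)
printf '%s -> ' "$posted"
pax_check_emutramp "$posted" || true
```

On a live system the same check reads `paxctl -v /usr/sbin/grub-probe | pax_flags_from_paxctl` instead of the embedded sample.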

Re: grub-probe Killed under grsecurity

Posted: Tue Sep 21, 2010 2:44 am
by cmouse
Yes, well, it kept crashing.

Then I ran paxctl -c /usr/sbin/grub-probe, and did a best guess (apparently a very bad one) on trying to make it work. It seems that it had some flags turned on automatically by paxctl when it does the conversion. Now I ran paxctl -z and it worked fine.