2.6.38.3: cannot make segment writable for relocation

Posted: Mon Apr 18, 2011 3:26 pm
by moseleymark
I rolled a grsec/pax 2.6.38.3 today. Everything booted just fine, ACL loads just fine. I did have one quirk though. On boxes that have been running 2.6.38.2 up till this morning (and pretty much every previous grsec-able kernel in the recent past), I'm getting the following when trying to start up apache:

(slightly redacted, so ignore any path weirdness)
httpd: Syntax error on line 94 of /etc/apache/conf/httpd.conf: Cannot load /usr/lib/apache2/modules/mod_perl.so into server: /usr/lib/apache2/modules/mod_perl.so: cannot make segment writable for relocation: Permission denied

strace shows:

mprotect(0xa03d6000, 1675264, PROT_READ|PROT_WRITE) = -1 EACCES (Permission denied)

On 2.6.38.2 and earlier, this loads just fine. I've tinkered with mprotect protections in chpax with no improvement (on both mod_perl.so and the httpd binary itself). I also gave CONFIG_PAX_MPROTECT_COMPAT a try, for the heck of it, with no improvement.

The next thing to try would be to disable CONFIG_PAX_MPROTECT but I figured before doing something that precipitous, I should probably ask here. I'm more than happy to post whatever info would be helpful.

I see there's a lot of PAX-related changes from pax-linux-2.6.38.2-test5.patch to pax-linux-2.6.38.2-test9.patch. Any changes I need to make related to those? Thanks!

Re: 2.6.38.3: cannot make segment writable for relocation

Posted: Mon Apr 18, 2011 3:34 pm
by moseleymark
Actually, here's something else I just noticed in 2.6.38.3:

PAX: From 10.1.1.221: execution attempt in: <anonymous mapping>, bc345000-bc366000 bffdf000
PAX: terminating task: /usr/sbin/grub-probe(grub-probe):6637, uid/euid: 0/0, PC: bc365734, SP: bc3656dc
PAX: bytes at PC: b9 30 57 36 bc e9 22 65 ce 4b b9 30 57 36 bc e9 a8 63 ce 4b
PAX: bytes at SP-4: a742c190 0804985b 08075e08 a740f094 00000004 fffff000 08067260 bc365734 bc365718 0804bd84 bc365734 00000000 00003003 000061b0 bc3659ab 08075c80 bc365748 0804bae4 bc365734 00000000 00000000

Not seen that in 2.6.38.2.

Re: 2.6.38.3: cannot make segment writable for relocation

Posted: Mon Apr 18, 2011 5:37 pm
by spender
what was your PaX configuration for PAX_EI_PAX and PAX_PT_PAX_FLAGS?

-Brad

Re: 2.6.38.3: cannot make segment writable for relocation

Posted: Mon Apr 18, 2011 5:38 pm
by PaX Team
moseleymark wrote: Cannot load /usr/lib/apache2/modules/mod_perl.so into server: /usr/lib/apache2/modules/mod_perl.so: cannot make segment writable for relocation: Permission denied
did you search the forum for this error message? :) hint: text relocations

Re: 2.6.38.3: cannot make segment writable for relocation

Posted: Mon Apr 18, 2011 5:39 pm
by PaX Team
moseleymark wrote: PAX: From 10.1.1.221: execution attempt in: <anonymous mapping>, bc345000-bc366000 bffdf000
PAX: terminating task: /usr/sbin/grub-probe(grub-probe):6637, uid/euid: 0/0, PC: bc365734, SP: bc3656dc
PAX: bytes at PC: b9 30 57 36 bc e9 22 65 ce 4b b9 30 57 36 bc e9 a8 63 ce 4b
this is the gcc nested function trampoline, you need to enable EMUTRAMP in the kernel .config and on the binary.

Re: 2.6.38.3: cannot make segment writable for relocation

Posted: Mon Apr 18, 2011 6:30 pm
by moseleymark
Heh, you two responded so quickly in turn, I didn't have time to reply to each one separately :)

Brad:
Here's my PAX config:
# grep PAX .config
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_ENABLE_PAE=y
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_MPROTECT_COMPAT=y # Was originally unset, with the same effect
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_MODULE_TEXT=14
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y


PaX Team:

Re: search: I did indeed but the results were all quite old and didn't sound completely applicable. In my case, CONFIG_PAX_ELFRELOCS is not set. I've tried "chpax -pemrxs" (and plenty of permutations) on both the binary and the mod_perl.so to no effect. The part that's odd is that it's a case of something kind of breaking somewhat out of nowhere. The .config is identical to 2.6.38.2 (barring CONFIG_GRKERNSEC_KERN_LOCKOUT, which is unset); built on the same box as always; httpd/mod_perl.so hasn't changed in months.

Re: grub-probe: Is that due to some recent PAX change? EMUTRAMP is still enabled as before and the grub-probe binary hasn't changed recently (the vanilla Lenny i386 one, at least). I enabled trampolines on the binary:

# chpax -v /usr/sbin/grub-probe

----[ chpax 0.7 : Current flags for /usr/sbin/grub-probe (PEMRxS) ]----

* Paging based PAGE_EXEC : enabled (overridden)
* Trampolines : emulated
* mprotect() : restricted
* mmap() base : randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : enabled

but still gets killed:

# grub-probe --device-map=/boot/grub/device.map -t device /
Killed

kern.log:
kernel: [14860.691650] PAX: From 10.1.1.221: execution attempt in: <anonymous mapping>, b7f6a000-b7f8b000 bffdf000
kernel: [14860.691655] PAX: terminating task: /usr/sbin/grub-probe(grub-probe):9493, uid/euid: 0/0, PC: b7f8a0f4, SP: b7f8a09c
kernel: [14860.691662] PAX: bytes at PC: b9 f0 a0 f8 b7 e9 62 1b 0c 50 b9 f0 a0 f8 b7 e9 e8 19 0c 50
kernel: [14860.691676] PAX: bytes at SP-4: a0093190 0804985b 08075be8 a0076094 00000004 fffff000 08067260 b7f8a0f4 b7f8a0d8 0804bd84 b7f8a0f4 00000000 00001abb 000061b0 b7f8a37f 08075a60 b7f8a108 0804bae4 b7f8a0f4 00000000 00000000
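
Added example, not part of the original posts: a short Python triage of the two PaX reports in this thread. It checks whether the bytes at PC have the i386 form `b9 imm32 e9 rel32` (`mov $imm32,%ecx; jmp rel32`), the shape of the gcc nested function trampoline named in the reply above, and computes the jump target. Function names are illustrative; the log lines are copied from the posts.

```python
import re
import struct

# Log lines copied from the two reports in this thread.
SAMPLE_LOG = """\
PAX: terminating task: /usr/sbin/grub-probe(grub-probe):6637, uid/euid: 0/0, PC: bc365734, SP: bc3656dc
PAX: bytes at PC: b9 30 57 36 bc e9 22 65 ce 4b b9 30 57 36 bc e9 a8 63 ce 4b
kernel: [14860.691655] PAX: terminating task: /usr/sbin/grub-probe(grub-probe):9493, uid/euid: 0/0, PC: b7f8a0f4, SP: b7f8a09c
kernel: [14860.691662] PAX: bytes at PC: b9 f0 a0 f8 b7 e9 62 1b 0c 50 b9 f0 a0 f8 b7 e9 e8 19 0c 50
"""

PC_RE = re.compile(r"PAX: terminating task: (\S+)\(.*?PC: ([0-9a-f]+), SP: ([0-9a-f]+)")
BYTES_RE = re.compile(r"PAX: bytes at PC: ((?:[0-9a-f]{2} ?)+)")

def decode_i386_trampoline(pc, code):
    """Decode `mov $imm32,%ecx; jmp rel32` at pc, or return None if no match."""
    if len(code) < 10 or code[0] != 0xB9 or code[5] != 0xE9:
        return None
    chain = struct.unpack("<I", code[1:5])[0]    # static chain pointer loaded into %ecx
    rel = struct.unpack("<i", code[6:10])[0]     # signed displacement of the jmp
    # rel32 is relative to the end of the jmp, i.e. pc + 5 (mov) + 5 (jmp).
    return {"static_chain": chain, "target": (pc + 10 + rel) & 0xFFFFFFFF}

def triage(log_text):
    """Pair each 'terminating task' line with the 'bytes at PC' line after it."""
    results, pending = [], None
    for line in log_text.splitlines():
        m = PC_RE.search(line)
        if m:
            pending = (m.group(1), int(m.group(2), 16), int(m.group(3), 16))
            continue
        m = BYTES_RE.search(line)
        if m and pending:
            path, pc, sp = pending
            code = bytes.fromhex(m.group(1).replace(" ", ""))
            results.append({"path": path, "pc": pc, "pc_minus_sp": pc - sp,
                            "trampoline": decode_i386_trampoline(pc, code)})
            pending = None
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        t = r["trampoline"]
        verdict = "trampoline -> %#010x" % t["target"] if t else "no trampoline pattern"
        print("%s pc=%#x (sp+%#x): %s" % (r["path"], r["pc"], r["pc_minus_sp"], verdict))
```

Both reports decode to the same jump target, 0x0804bc60, with PC 0x58 bytes above SP in each case.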

Re: 2.6.38.3: cannot make segment writable for relocation

Posted: Mon Apr 18, 2011 6:46 pm
by spender
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y


So here's the reason: you didn't read the configuration help ;) Previously PaX was essentially disabled on every binary in your system. As the config help used to read (please notice the capitalized words):

         If you have applications not marked by the PT_PAX_FLAGS ELF
         program header then you MUST enable the EI_PAX marking support
         otherwise they will not get any protection.


Your distro doesn't support marking with PT_PAX_FLAGS, so you needed to enable PAX_EI_PAX. The reason for this was that when PT_PAX_FLAGS was first introduced, there was no -C option in paxctl to create the program header for the PaX flags. In the latest patch I changed this, making mention of paxctl -C in the new configuration help, so that users like yourself who failed to read the configuration help still wouldn't be left with an unprotected userland ;)

For your mod_perl.so problem, you'll either have to recompile it without textrels or enable: CONFIG_PAX_ELFRELOCS

For grub, run:
paxctl -CzEx /usr/sbin/grub-probe

Alternatively, you can enable PAX_EI_PAX, and run:
chpax -E /usr/sbin/grub-probe

-Brad
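
Added example, not part of the original post: one way to check a binary or module for the two properties discussed above, a PT_PAX_FLAGS program header and text relocations (DT_TEXTREL, or DF_TEXTREL in DT_FLAGS), by reading the ELF headers directly. `audit_elf` and `make_elf32` are illustrative names, and the ELF images are constructed samples, not real binaries.

```python
import struct

PT_DYNAMIC, PT_PAX_FLAGS = 2, 0x65041580        # PT_PAX_FLAGS = PT_LOOS + 0x5041580
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 22, 30, 0x4

def audit_elf(data):
    """Return (has_pt_pax_flags, has_textrel) for an ELF image passed as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                          # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little-endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    dyn_fmt = end + ("qQ" if is64 else "iI")     # d_tag, d_val
    has_pax = has_textrel = False
    for i in range(phnum):
        base = phoff + i * phentsize
        if is64:    # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, p_off, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, base)
        else:       # p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_off, _, _, p_filesz = struct.unpack_from(end + "5I", data, base)
        if p_type == PT_PAX_FLAGS:
            has_pax = True
        elif p_type == PT_DYNAMIC:
            dyn = data[p_off:p_off + p_filesz]
            dyn = dyn[:len(dyn) - len(dyn) % struct.calcsize(dyn_fmt)]
            for tag, val in struct.iter_unpack(dyn_fmt, dyn):
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    has_textrel = True
    return has_pax, has_textrel

def make_elf32(ptypes, dyn_tags):
    """Constructed sample: minimal little-endian ELF32 image (not loadable)."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    dynoff = 52 + 32 * len(ptypes)               # ELF header + program headers
    ehdr = struct.pack("<4sBBB9xHHIIIIIHHHHHH", b"\x7fELF", 1, 1, 1, 3, 3, 1,
                       0, 52, 0, 0, 52, 32, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack("<8I", t, dynoff, 0, 0,
                                 len(dyn) if t == PT_DYNAMIC else 0, 0, 0, 4)
                     for t in ptypes)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    # Unmarked module with text relocations, the situation described for mod_perl.so.
    print(audit_elf(make_elf32([PT_DYNAMIC], [(DT_TEXTREL, 0)])))
```

On a real system, pass the file contents instead, e.g. `audit_elf(open(path, "rb").read())`.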

Re: 2.6.38.3: cannot make segment writable for relocation

Posted: Mon Apr 18, 2011 7:34 pm
by moseleymark
Ok, that's all good to know. I like being protected.

To my *slight* credit, I've read that section god knows how many times in the past (though not for ages). To offset that credit, I just took it to mean the exact opposite, i.e. with EI_PAX, I needed to manually set flags on every binary. With 1500 boxes, that'd be a nightmare, esp with Debian overwriting them every update (or does it mean that regardless?). Keeping the ~100 different ACLs on them in order takes up enough of my time :)