Grub

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Grub

Postby asdfg » Sun Apr 15, 2012 6:48 am

Hello,
After compiling a kernel with the grsecurity patch, I have problems installing grub on my server. With other kernels everything works fine. Where is the problem?
sh:~# uname -a
Linux sh 2.6.32.59-grsec #1 SMP Fri Apr 13 15:17:19 CEST 2012 i686 GNU/Linux
sh:~# grub
grub: asmstub.c:170: grub_stage2: Assertion `ret == 0' failed.
Aborted
sh:~# grub --version
grub (GNU GRUB 0.97)

Re: Grub

Postby PaX Team » Sun Apr 15, 2012 7:50 am

sh:~# grub
grub: asmstub.c:170: grub_stage2: Assertion `ret == 0' failed.
Aborted
i tried to find this assert in the gentoo patched grub sources to no avail, so first i'd need to know what distro/sources you have there for grub. also try to strace it to see what it did last before the assert.

Re: Grub

Postby asdfg » Sun Apr 15, 2012 7:53 am

Hello, this is debian lenny. Please, do not say "you must upgrade to squeeze", because we are using software from a company that has no support for squeeze.

Re: Grub

Postby PaX Team » Sun Apr 15, 2012 8:47 am

asdfg wrote: Hello, this is debian lenny. Please, do not say "you must upgrade to squeeze", because we are using software from a company that has no support for squeeze.
ok, so an strace output would have saved me time to figure it out but here's the solution: turn off MPROTECT on the grub binary (chpax/paxctl/etc, whatever you use).

Re: Grub

Postby spender » Sun Apr 15, 2012 9:11 am

asdfg: Please, when coming here for FREE support for your company, do not tell us what "not to say." Just provide the information you were asked for.

Thanks,
-Brad

Re: Grub

Postby asdfg » Sun Apr 15, 2012 6:21 pm

Ok, sorry. The "company" is just two people: me and my brother. That is all, it is not a big company...

# strace grub
execve("/usr/sbin/grub", ["grub"], [/* 18 vars */]) = 0
brk(0)                                  = 0x8e29a80
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x53a66000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=36421, ...}) = 0
mmap2(NULL, 36421, PROT_READ, MAP_PRIVATE, 3, 0) = 0x53a5d000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libncurses.so.5", O_RDONLY)  = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\243\0\0004\0\0\0\344"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=202188, ...}) = 0
mmap2(NULL, 202004, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x53a2b000
mmap2(0x53a5a000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2f) = 0x53a5a000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260e\1\0004\0\0\0\4"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1413540, ...}) = 0
mmap2(NULL, 1418864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x538d0000
mmap2(0x53a25000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x155) = 0x53a25000
mmap2(0x53a28000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x53a28000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/i686/cmov/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\n\0\0004\0\0\0H"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=9680, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x538cf000
mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x538cb000
mmap2(0x538cd000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x538cd000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x538ca000
set_thread_area({entry_number:-1 -> 6, base_addr:0x538ca6b0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0x53a25000, 4096, PROT_READ)   = 0
munmap(0x53a5d000, 36421)               = 0
sync()                                  = 0
mmap2(NULL, 4198400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x534c9000
mprotect(0x534c9000, 4194319, PROT_READ|PROT_WRITE|PROT_EXEC) = -1 EACCES (Permission denied)
brk(0)                                  = 0x8e29a80
brk(0x8e4aa80)                          = 0x8e4aa80
brk(0x8e4b000)                          = 0x8e4b000
write(2, "grub: asmstub.c:170: grub_stage2:"..., 63grub: asmstub.c:170: grub_stage2: Assertion `ret == 0' failed.
) = 63
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
gettid()                                = 25077
tgkill(25077, 25077, SIGABRT)           = 0
--- SIGABRT (Aborted) @ 0 (0) ---
+++ killed by SIGABRT +++

# dmesg
[48442.900946] grsec: From XXX.XXX.XXX.XXX: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/grub[grub:25310] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:24833] uid/euid:0/0 gid/egid:0/0
[90416.669106] grsec: From XXX.XXX.XXX.XXX: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/grub[grub:25077] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:25076] uid/euid:0/0 gid/egid:0/0



Thanks.
Last edited by asdfg on Sun Apr 15, 2012 6:30 pm, edited 1 time in total.

Re: Grub

Postby spender » Sun Apr 15, 2012 6:30 pm

Run chpax -m /usr/sbin/grub
or paxctl -Czm /usr/sbin/grub

-Brad

Re: Grub

Postby asdfg » Sun Apr 15, 2012 6:32 pm

Resolved by
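# paxctl -Cpermxs /usr/sbin/grub
(Note: -permxs switches off every PaX feature for this binary, not just MPROTECT; the -Czm form given earlier in the thread disables MPROTECT only.)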
Thanks.

Re: Grub

Postby hanji » Mon Aug 06, 2012 12:09 pm

Hello

I recently have been encountering the same problem, but the solutions presented here did not fix my problem:
Code: Select all
paxctl -Czm /sbin/grub
grub
grub: asmstub.c:215: grub_stage2: Assertion `simstack_alloc_base != ((void *) -1)' failed.
Aborted


paxctl -Cpermxs /sbin/grub
grub
grub: asmstub.c:215: grub_stage2: Assertion `simstack_alloc_base != ((void *) -1)' failed.
Aborted


Any ideas? Thanks much for your time!
hanji

Re: Grub

Postby PaX Team » Mon Aug 06, 2012 12:43 pm

hanji wrote:Any ideas? Thanks much for your time!
your grub version and an strace would be helpful ;).

Re: Grub

Postby spender » Mon Aug 06, 2012 1:28 pm

Did you enable support for PT_PAX_FLAGS marking in your kernel? You won't be able to use the markings created by paxctl otherwise.

-Brad

Re: Grub

Postby hanji » Mon Aug 06, 2012 2:32 pm

spender wrote:Did you enable support for PT_PAX_FLAGS marking in your kernel? You won't be able to use the markings created by paxctl otherwise.

-Brad


Hmmm.. checking the kernel config, I see the following:
# CONFIG_PAX_PT_PAX_FLAGS is not set

Re: Grub

Postby hanji » Mon Aug 06, 2012 2:35 pm

PaX Team wrote:
hanji wrote:Any ideas? Thanks much for your time!
your grub version and an strace would be helpful ;).


Relevant strace portion:
29362 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x51cb1000
29362 set_thread_area({entry_number:-1 -> 6, base_addr:0x51cb18d0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
29362 mprotect(0x51cb4000, 4096, PROT_READ) = 0
29362 mprotect(0x51e12000, 8192, PROT_READ) = 0
29362 mprotect(0x51e66000, 8192, PROT_READ) = 0
29362 mprotect(0x10732000, 4096, PROT_READ) = 0
29362 mprotect(0x51e8f000, 4096, PROT_READ) = 0
29362 munmap(0x51e69000, 24797)         = 0
29362 sync()                            = 0
29362 mmap2(NULL, 6303744, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
29362 brk(0)                            = 0x1074b510
29362 brk(0x1076c510)                   = 0x1076c510
29362 brk(0x1076d000)                   = 0x1076d000
29362 write(2, "grub: asmstub.c:215: grub_stage2"..., 91) = 91
29362 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x51e6f000
29362 brk(0x1076c000)                   = 0x1076c000
29362 rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
29362 gettid()                          = 29362
29362 tgkill(29362, 29362, SIGABRT)     = 0
29362 --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=29362, si_uid=0} ---
29362 +++ killed by SIGABRT +++


Grub version: grub-0.97-r12

Thanks!
hanji

Re: Grub

Postby PaX Team » Mon Aug 06, 2012 2:59 pm

it's clear that MPROTECT is still enabled on grub, that's the reason for the mmap failure. now the question is which PaX flag control method you enabled in your kernel.

Re: Grub

Postby hanji » Mon Aug 06, 2012 11:39 pm

Enabled PT_PAX_FLAGS in the kernel and rebooted.. problem solved.

Thanks!
hanji

