
Grub

Posted: Sun Apr 15, 2012 6:48 am
by asdfg
Hello,
After compiling a kernel with the grsecurity patch, I have problems installing grub on my server. With other kernels everything works fine. Where is the problem?
Code:
sh:~# uname -a
Linux sh 2.6.32.59-grsec #1 SMP Fri Apr 13 15:17:19 CEST 2012 i686 GNU/Linux
sh:~# grub
grub: asmstub.c:170: grub_stage2: Assertion `ret == 0' failed.
Aborted
sh:~# grub --version
grub (GNU GRUB 0.97)

Re: Grub

Posted: Sun Apr 15, 2012 7:50 am
by PaX Team
Code:
sh:~# grub
grub: asmstub.c:170: grub_stage2: Assertion `ret == 0' failed.
Aborted
i tried to find this assert in the gentoo patched grub sources to no avail, so first i'd need to know what distro/sources you have there for grub. also try to strace it to see what it did last before the assert.

Re: Grub

Posted: Sun Apr 15, 2012 7:53 am
by asdfg
Hello, this is debian lenny. Please, do not say "you must upgrade to squeeze", because we are using software from a company that has no support in squeeze.

Re: Grub

Posted: Sun Apr 15, 2012 8:47 am
by PaX Team
asdfg wrote: Hello, this is debian lenny. Please, do not say "you must upgrade to squeeze", because we are using software from a company that has no support in squeeze.
ok, so an strace output would have saved me time to figure it out but here's the solution: turn off MPROTECT on the grub binary (chpax/paxctl/etc, whatever you use).

Re: Grub

Posted: Sun Apr 15, 2012 9:11 am
by spender
asdfg: Please, when coming here for FREE support for your company, do not tell us what "not to say." Just provide the information you were asked for.

Thanks,
-Brad

Re: Grub

Posted: Sun Apr 15, 2012 6:21 pm
by asdfg
Ok, sorry. "We are a company" of two people: I am one and the second is my brother. That is all, not a big company...

Code:
# strace grub
execve("/usr/sbin/grub", ["grub"], [/* 18 vars */]) = 0
brk(0)                                  = 0x8e29a80
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x53a66000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=36421, ...}) = 0
mmap2(NULL, 36421, PROT_READ, MAP_PRIVATE, 3, 0) = 0x53a5d000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libncurses.so.5", O_RDONLY)  = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\243\0\0004\0\0\0\344"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=202188, ...}) = 0
mmap2(NULL, 202004, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x53a2b000
mmap2(0x53a5a000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2f) = 0x53a5a000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260e\1\0004\0\0\0\4"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1413540, ...}) = 0
mmap2(NULL, 1418864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x538d0000
mmap2(0x53a25000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x155) = 0x53a25000
mmap2(0x53a28000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x53a28000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/i686/cmov/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\n\0\0004\0\0\0H"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=9680, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x538cf000
mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x538cb000
mmap2(0x538cd000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x538cd000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x538ca000
set_thread_area({entry_number:-1 -> 6, base_addr:0x538ca6b0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0x53a25000, 4096, PROT_READ)   = 0
munmap(0x53a5d000, 36421)               = 0
sync()                                  = 0
mmap2(NULL, 4198400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x534c9000
mprotect(0x534c9000, 4194319, PROT_READ|PROT_WRITE|PROT_EXEC) = -1 EACCES (Permission denied)
brk(0)                                  = 0x8e29a80
brk(0x8e4aa80)                          = 0x8e4aa80
brk(0x8e4b000)                          = 0x8e4b000
write(2, "grub: asmstub.c:170: grub_stage2:"..., 63grub: asmstub.c:170: grub_stage2: Assertion `ret == 0' failed.
) = 63
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
gettid()                                = 25077
tgkill(25077, 25077, SIGABRT)           = 0
--- SIGABRT (Aborted) @ 0 (0) ---
+++ killed by SIGABRT +++

# dmesg
[48442.900946] grsec: From XXX.XXX.XXX.XXX: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/grub[grub:25310] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:24833] uid/euid:0/0 gid/egid:0/0
[90416.669106] grsec: From XXX.XXX.XXX.XXX: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/grub[grub:25077] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:25076] uid/euid:0/0 gid/egid:0/0



Thanks.

Re: Grub

Posted: Sun Apr 15, 2012 6:30 pm
by spender
Run chpax -m /usr/sbin/grub
or paxctl -Czm /usr/sbin/grub

-Brad

Re: Grub

Posted: Sun Apr 15, 2012 6:32 pm
by asdfg
Resolved by
Code:
# paxctl -Cpermxs /usr/sbin/gru
Thanks.

Re: Grub

Posted: Mon Aug 06, 2012 12:09 pm
by hanji
Hello

I recently have been encountering the same problem, but the solutions presented here did not fix my problem:
Code:
paxctl -Czm /sbin/grub
grub
grub: asmstub.c:215: grub_stage2: Assertion `simstack_alloc_base != ((void *) -1)' failed.
Aborted


Code:
paxctl -Cpermxs /sbin/grub
grub
grub: asmstub.c:215: grub_stage2: Assertion `simstack_alloc_base != ((void *) -1)' failed.
Aborted


Any ideas? Thanks much for your time!
hanji

Re: Grub

Posted: Mon Aug 06, 2012 12:43 pm
by PaX Team
hanji wrote: Any ideas? Thanks much for your time!
your grub version and an strace would be helpful ;).

Re: Grub

Posted: Mon Aug 06, 2012 1:28 pm
by spender
Did you enable support for PT_PAX_FLAGS marking in your kernel? You won't be able to use the markings created by paxctl otherwise.

-Brad

Re: Grub

Posted: Mon Aug 06, 2012 2:32 pm
by hanji
spender wrote: Did you enable support for PT_PAX_FLAGS marking in your kernel? You won't be able to use the markings created by paxctl otherwise.

-Brad

Hmmm.. checking the kernel config, I see the following:
Code:
# CONFIG_PAX_PT_PAX_FLAGS is not set

Re: Grub

Posted: Mon Aug 06, 2012 2:35 pm
by hanji
PaX Team wrote:
hanji wrote: Any ideas? Thanks much for your time!
your grub version and an strace would be helpful ;).

Relevant strace portion:
Code:
29362 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x51cb1000
29362 set_thread_area({entry_number:-1 -> 6, base_addr:0x51cb18d0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
29362 mprotect(0x51cb4000, 4096, PROT_READ) = 0
29362 mprotect(0x51e12000, 8192, PROT_READ) = 0
29362 mprotect(0x51e66000, 8192, PROT_READ) = 0
29362 mprotect(0x10732000, 4096, PROT_READ) = 0
29362 mprotect(0x51e8f000, 4096, PROT_READ) = 0
29362 munmap(0x51e69000, 24797)         = 0
29362 sync()                            = 0
29362 mmap2(NULL, 6303744, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
29362 brk(0)                            = 0x1074b510
29362 brk(0x1076c510)                   = 0x1076c510
29362 brk(0x1076d000)                   = 0x1076d000
29362 write(2, "grub: asmstub.c:215: grub_stage2"..., 91) = 91
29362 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x51e6f000
29362 brk(0x1076c000)                   = 0x1076c000
29362 rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
29362 gettid()                          = 29362
29362 tgkill(29362, 29362, SIGABRT)     = 0
29362 --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=29362, si_uid=0} ---
29362 +++ killed by SIGABRT +++


Grub version: grub-0.97-r12

Thanks!
hanji

Re: Grub

Posted: Mon Aug 06, 2012 2:59 pm
by PaX Team
it's clear that MPROTECT is still enabled on grub, that's the reason for the mmap failure. now the question is which PaX flag control method you enabled in your kernel.

Re: Grub

Posted: Mon Aug 06, 2012 11:39 pm
by hanji
Enabled PT_PAX_FLAGS in the kernel and rebooted.. problem solved.

Thanks!
hanji
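
An added example, not part of any post in this thread: both diagnoses above came from spotting one line in an strace, a failed `mmap2`/`mprotect` that asked for `PROT_WRITE` and `PROT_EXEC` together. The Python sketch below scans strace output for that pattern; the function name `find_wx_denials` is hypothetical and the sample lines are excerpted from the two traces posted in the thread.

```python
import re

# strace line: optional PID, syscall, arguments, return value, optional errno.
LINE_RE = re.compile(
    r"^(?:(?P<pid>\d+)\s+)?(?P<call>mmap2?|mprotect)\((?P<args>.*)\)"
    r"\s*=\s*(?P<ret>-?\w+)(?:\s+(?P<errno>E[A-Z]+))?"
)
DENIAL_ERRNOS = {"EACCES", "EPERM"}  # the two errnos seen in the thread

# Lines excerpted from the two traces posted in the thread.
SAMPLE = """\
mmap2(NULL, 4198400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x534c9000
mprotect(0x534c9000, 4194319, PROT_READ|PROT_WRITE|PROT_EXEC) = -1 EACCES (Permission denied)
29362 mprotect(0x51cb4000, 4096, PROT_READ) = 0
29362 mmap2(NULL, 6303744, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
"""


def find_wx_denials(strace_text):
    """Return failed mmap/mmap2/mprotect calls that asked for PROT_WRITE|PROT_EXEC."""
    hits = []
    for lineno, line in enumerate(strace_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m or m.group("ret") != "-1" or m.group("errno") not in DENIAL_ERRNOS:
            continue
        # The protection argument is the one made of PROT_* flags.
        prot = next((a for a in m.group("args").split(", ") if a.startswith("PROT_")), "")
        if {"PROT_WRITE", "PROT_EXEC"} <= set(prot.split("|")):
            hits.append({"line": lineno, "pid": m.group("pid"),
                         "call": m.group("call"), "prot": prot,
                         "errno": m.group("errno")})
    return hits


if __name__ == "__main__":
    for hit in find_wx_denials(SAMPLE):
        print(hit)
```

A hit means the binary wants a writable and executable mapping and the kernel refused it; whether to exempt that binary with a PaX marking is the decision discussed in the thread.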