grsecurity forums

Posted: **Mon Dec 10, 2012 1:25 pm**

config: http://pastebin.com/KnmZqV1z

blackhat results: http://pastebin.com/UNFnjCkG
Shouldn't I be getting back "return address contains a NULL byte." for the strcopy?

I know checksec.sh also doesn't necessarily report accurately but it's showing features disabled.

GCC stack protector support: Enabled
Strict user copy checks: Disabled
Enforce read-only kernel data: Disabled
Restrict /dev/mem access: Enabled
Restrict /dev/kmem access: Enabled

* grsecurity / PaX: Custom GRKERNSEC

Non-executable kernel pages: Disabled
Prevent userspace pointer deref: Disabled
Prevent kobject refcount overflow: Enabled
Bounds check heap object copies: Enabled
Disable writing to kmem/mem/port: Enabled
Disable privileged I/O: Disabled
Harden module auto-loading: Enabled
Hide kernel symbols: Enabled

I disable privileged I/O on purpose. But I have non-executable kernel pages enabled in my config. And strict user copy checks/ read only kernel data got disabled?

Posted: **Mon Dec 10, 2012 3:29 pm**

GBit wrote:Shouldn't I be getting back "return address contains a NULL byte." for the strcopy?

which version of paxtest is this? also the aslr values seem to indicate that you compiled a 32 bit version of paxtest and not a native 64 bit version that your kernel would also support.

But I have non-executable kernel pages enabled in my config.

KERNEXEC is not enabled in the config you posted.

And strict user copy checks/ read only kernel data got disabled?

those are vanilla kernel features for which we have better alternatives (USERCOPY/KERNEXEC).

Posted: **Mon Dec 10, 2012 3:37 pm**

Ah, yes. I did a 32bit paxtest, which was not smart haha, I was wondering why the ASLR values seemed low (though higher than vanilla).

For kernexec, since it doesn't seem to be an available option in 'menuconfig' - what values does it take?

PaxTest doesn't seem to compile.

paxtest-0.9.9# make linux64
make -f Makefile.psm THEARCH=-m64
make[1]: Entering directory `/home/colin/Downloads/paxtest-0.9.9'
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o chpax-0.7/aout.o -c chpax-0.7/aout.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
chpax-0.7/aout.c:1:0: note: this is the location of the previous definition
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o chpax-0.7/chpax.o -c chpax-0.7/chpax.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
chpax-0.7/chpax.c:1:0: note: this is the location of the previous definition
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o chpax-0.7/elf32.o -c chpax-0.7/elf32.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
chpax-0.7/elf32.c:1:0: note: this is the location of the previous definition
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o chpax-0.7/elf64.o -c chpax-0.7/elf64.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
chpax-0.7/elf64.c:1:0: note: this is the location of the previous definition
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o chpax-0.7/flags.o -c chpax-0.7/flags.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
chpax-0.7/flags.c:1:0: note: this is the location of the previous definition
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o chpax-0.7/io.o -c chpax-0.7/io.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
chpax-0.7/io.c:1:0: note: this is the location of the previous definition
gcc -m64 -o chpax chpax-0.7/aout.o chpax-0.7/chpax.o chpax-0.7/elf32.o chpax-0.7/elf64.o chpax-0.7/flags.o chpax-0.7/io.o
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -fPIC -o shlibtest.o -c shlibtest.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
shlibtest.c:1:0: note: this is the location of the previous definition
gcc -m64 -shared -o shlibtest.so shlibtest.o
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -fPIC -o shlibtest2.o -c shlibtest2.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
shlibtest2.c:1:0: note: this is the location of the previous definition
gcc -m64 -shared -o shlibtest2.so shlibtest2.o
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o body.o -c body.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
body.c:1:0: note: this is the location of the previous definition
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o anonmap.o -c anonmap.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
anonmap.c:1:0: note: this is the location of the previous definition
gcc -m64 -lpthread -o anonmap body.o anonmap.o
body.o: In function `main':
body.c:(.text.startup+0x6b): undefined reference to `pthread_create'
body.c:(.text.startup+0x7f): undefined reference to `pthread_kill'
collect2: error: ld returned 1 exit status
make[1]: *** [anonmap] Error 1
rm shlibtest.o shlibtest2.o
make[1]: Leaving directory `/home/colin/Downloads/paxtest-0.9.9'
make: *** [linux64] Error 2

Posted: **Mon Dec 10, 2012 4:04 pm**

GBit wrote:For kernexec, since it doesn't seem to be an available option in 'menuconfig' - what values does it take?

you enabled Xen which KERNEXEC is not compatible with.

PaxTest doesn't seem to compile.

try paxtest from spender's home dir instead.

Posted: **Mon Dec 10, 2012 4:07 pm**

That's .9.9 from his directory.

Posted: **Mon Dec 10, 2012 4:20 pm**

GBit wrote:That's .9.9 from his directory.

ah, i see what's going on, it's a bug in the makefile where it puts -lpthread before the object files. try something like this for a quick fix, based on the patch that gentoo carries (beware of whitespace damage, the lines have to be prefixed with a tab, not spaces):

Code: Select all: diff -Naur paxtest-0.9.9.orig/Makefile paxtest-0.9.9/Makefile --- paxtest-0.9.9.orig/Makefile 2010-02-22 18:47:19.000000000 -0500 +++ paxtest-0.9.9/Makefile 2010-08-09 07:50:53.000000000 -0400 @@ -136,7 +138,7 @@ $(EXEC_TESTS) $(MPROT_TESTS): body.o $(CC) $(CFLAGS) -o $@.o -c $@.c - $(CC) $(LDFLAGS) $(PTHREAD) -o $@ $< $@.o + $(CC) $(LDFLAGS) -o $@ $< $@.o $(PTHREAD) $(RAND_TESTS): randbody.o $(CC) $(CFLAGS) -o $@.o -c $@.c @@ -185,7 +187,7 @@ $(MPROTSH_TESTS): body.o shlibtest.so $(CC) $(CFLAGS) -o $@.o -c $@.c - $(CC) $(LDFLAGS) $(DL) $(PTHREAD) -o $@ $@.o $^ + $(CC) $(LDFLAGS) -o $@ $@.o $^ $(DL) $(PTHREAD) # used for RANDEXEC'd binaries retbody.o: body.c @@ -194,12 +196,12 @@ # build as ET_EXEC (recommended by PaX Team, not really a requirement) $(RET_TESTS): retbody.o $(CC) $(CFLAGS) $(CC_ETEXEC) -o $@.o -c $@.c - $(CC) $(LDFLAGS) $(LD_ETEXEC) $(PTHREAD) -o $@ $< $@.o + $(CC) $(LDFLAGS) $(LD_ETEXEC) -o $@ $< $@.o $(PTHREAD) # build as ET_EXEC (not in Adamantix's Makefile) $(RETX_TESTS): retbody.o $(CC) $(CFLAGS) $(CC_ETEXEC) -o $@.o -c $@.c - $(CC) $(LDFLAGS) $(LD_ETEXEC) $(PTHREAD) -o $@ $< $@.o + $(CC) $(LDFLAGS) $(LD_ETEXEC) -o $@ $< $@.o $(PTHREAD) -$(PAXBIN) -C $@ $(PAXBIN) -SPXM $@ @@ -212,4 +214,4 @@ $(CC) $(SHLDFLAGS) -shared -o $@ $< $(SHLIB_TESTS): body.o $(SHLIBS) shlibbss.o shlibdata.o - $(CC) $(LDFLAGS) $(PTHREAD) -o $@ body.o $@.o $(SHLIBS) $(DL) + $(CC) $(LDFLAGS) -o $@ body.o $@.o $(SHLIBS) $(DL) $(PTHREAD)

Posted: **Mon Dec 10, 2012 4:48 pm**

Not sure what to do with that. I tried replacing the data in makefile.psm (as that's what it seems to be?) and then replacing the whitespace... but that seems to have made things worse haha so I assume I've messed something up.

Posted: **Mon Dec 10, 2012 5:06 pm**

it's a patch against the main Makefile, but don't worry about it, just wait for spender's updated paxtest.

Posted: **Mon Dec 10, 2012 6:04 pm**

Sounds good, thanks.

edit: Yeah, the whitespace murdered the patch. I got half of it fixed, seemingly. The other half is broken.

grsecurity forums

PaX Test results seem off

PaX Test results seem off

Re: PaX Test results seem off

Re: PaX Test results seem off

Re: PaX Test results seem off

Re: PaX Test results seem off

Re: PaX Test results seem off

Re: PaX Test results seem off

Re: PaX Test results seem off

Re: PaX Test results seem off