Page 1 of 1

Learning mode and cdrecord, cdrdao

PostPosted: Tue Mar 25, 2003 5:07 pm
by fonya
Hi!

I running grsec in learning mode, and I start cdrdao, or cdrecord, I got this:

NMI watchdog detected LOCKUP on CPU0, eip c011e1ed, registers:
. . .
Process: swapper (or cdrdao one time) (pid:0, stackpage=c0421000)
. . .
console shuts up

Sorry, for missing part of kernel messages, but I wrote it by hand.
I use PAX. If You think is usefull, I can paste my whole grsec realted kernel config.

The pc was frozen every time, and this can be reproduce.

The PC is an SMP pIII, with 1GB ram /highmem enabled/
Both cdrdao, and cdrecord are setuid program.

The acl settings:

/ l {
/
/opt rx
/home rw
/home/*/bin rwx
/mnt r
/dev
/dev/random r
/dev/urandom r
/dev/input rw
/dev/psaux rw
/dev/input/mice rw
/dev/tty0 rw
/dev/tty1 rw
/dev/tty2 rw
/dev/tty3 rw
/dev/tty4 rw
/dev/tty5 rw
/dev/tty6 rw
/dev/tty7 rw
/dev/tty8 rw
/dev/null rw
/dev/pts rw
/dev/ptmx rw
/dev/tty rw
/dev/dsp rw
/dev/mixer rw
/dev/console rw
/dev/mem h
/dev/kmem h
/dev/port h
/dev/zero rw
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/etc/postfix r
/etc/init.d h
/etc/shadow- h
/etc/shadow h
/proc rwx
/proc/sys r
/proc/kcore h
/root r
/tmp rw
/var rx
/var/cache rw
/var/spool rw
/var/spool/postfix/lib rx
/var/run rw
/var/tmp rw
/var/log
/boot r
/etc/grsec h

-CAP_ALL
}

/usr/bin/cdrecord l {
/ h

-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0

connect {
disabled
}
bind {
disabled
}
}

/usr/bin/cdrdao l {
/ h

-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0

connect {
disabled
}
bind {
disabled
}
}


Thanx a lot!

Re: Learning mode and cdrecord, cdrdao

PostPosted: Tue Mar 25, 2003 6:45 pm
by PaX Team
fonya wrote:NMI watchdog detected LOCKUP on CPU0, eip c011e1ed
can you check where this EIP value falls (in System.map)?
I use PAX. If You think is usefull, I can paste my whole grsec realted kernel config.
this would help definitely, also tell us what grsecurity and kernel version you're using.

PostPosted: Wed Mar 26, 2003 6:03 am
by fonya
can you check where this EIP value falls (in System.map)?

Nowhere /I hope I wrote it right, I'll make a remote logging, maybe send out the panic message/:
c011dfc0 t __schedule_tail
c011e0a1 t .text.lock.sched
c011e220 T get_dma_list
c011e280 T request_dma
c011e2c0 T free_dma

I use PAX. If You think is usefull, I can paste my whole grsec realted kernel config.
this would help definitely, also tell us what grsecurity and kernel version you're using.


I use 2.4.20, with grsec 1.9.9e, and some other patches:
crypto, bttv, emu10k1, some patch-o-matic patches, ext3-fix, acpi update, and the 2.4.21-pre5 patch.
Evening, I will try stock 2.4.20, with grsec-1.9.9e

BTW this hapend only, when I use learning mode, if I don't use acl, the kernel panic message not come up.

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
CONFIG_GRKERNSEC_PAX_EMUTRAMP=y
# CONFIG_GRKERNSEC_PAX_EMUSIGRT is not set
CONFIG_GRKERNSEC_PAX_MPROTECT=y
# CONFIG_GRKERNSEC_PAX_NOELFRELOCS is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PAX_RANDEXEC=y
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# ACL options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=1007
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
CONFIG_GRKERNSEC_TPE_GID=1005
#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_RANDPING=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

PostPosted: Wed Mar 26, 2003 8:38 am
by PaX Team
fonya wrote:Nowhere /I hope I wrote it right, I'll make a remote logging, maybe send out the panic message/:
c011dfc0 t __schedule_tail
c011e0a1 t .text.lock.sched
c011e220 T get_dma_list
ok, looks like a scheduler deadlock. can you enable spinlock debugging in the kernel config and see what happens?
Evening, I will try stock 2.4.20, with grsec-1.9.9e
this is indeed important to exclude interference from the other patches.

PostPosted: Fri Mar 28, 2003 4:49 am
by fonya
Evening, I will try stock 2.4.20, with grsec-1.9.9e

this is indeed important to exclude interference from the other patches.


I try it yesterday, and I got the same result, without hex table :(
Sorry, but I forget to include spinlock debugging, but a next try...