VirtualBox breakage with latest 3.14.4 patch

PostPosted: Sun May 18, 2014 6:50 pm
by careta
Hi,

It seems something is breaking VirtualBox 4.3.10 (latest version) with grsecurity-3.0-3.14.4-201405141623. I have confirmed this to be a grsecurity bug, as the stock Debian 3.14.4 kernel works fine.
When you start a VM, the VirtualBox UI shows an error and the machine shows "Aborted". The kernel modules appear to be locked and cannot be unloaded.

VirtualBox dmesg stack trace:
Code:
[  349.861719] vboxpci: vboxPciOsDevInit: dev=1a202000
[  349.861742] vboxpci: vboxPciOsDevInit: dev=1a202000 pdev=           (nil)
[  349.861811] BUG: unable to handle kernel paging request at 0000000000080000
[  349.861860] IP: [<ffffffffa0e668aa>] ffffffffa0e668aa
[  349.861888] PGD 1f2ef9067 PUD 1f2ef8067 PMD 0
[  349.861921] Thread overran stack, or stack corrupted
[  349.862007] Oops: 0002 [#1] PREEMPT SMP
[  349.862007] Modules linked in: ctr ccm cpufreq_userspace cpufreq_stats cpufreq_powersave cpufreq_conservative pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables xt_tcpudp xt_conntrack iptable_filter iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack ip_tables x_tables fuse vmwgfx ttm vmxnet3 tp_smapi(O) thinkpad_ec(O) loop ppdev lp btusb bluetooth 6lowpan_iphc crc16 snd_hda_codec_conexant snd_hda_codec_generic mousedev uvcvideo videobuf2_vmalloc videobuf2_memops coretemp videobuf2_core videodev kvm_intel media kvm microcode serio_raw psmouse evdev i2c_i801 arc4 thinkpad_acpi snd_seq_dummy nvram snd_seq_midi snd_seq_oss snd_seq_midi_event iwldvm mac80211 lpc_ich snd_rawmidi iwlwifi snd_hda_intel snd_seq snd_hda_codec snd_seq_device snd_hwdep cfg80211 snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd wmi soundcore rfkill battery ac i915 parport_pc parport tpm_tis drm_kms_helper tpm video drm button acpi_cpufreq i2c_algo_bit mei_me i2c_core intel_agp intel_gtt mei processor xfs crc32c libcrc32c sg sd_mod crct10dif_generic sr_mod crc_t10dif cdrom crct10dif_common hid_generic usbhid hid atkbd libps2 firewire_ohci firewire_core crc_itu_t ahci libahci libata scsi_mod thermal i8042 serio e1000e uhci_hcd ehci_pci ehci_hcd usbcore usb_common ptp pps_core
[  349.862007] CPU: 0 PID: 4438 Comm: EMT Tainted: G           O 3.14.4-grsec-dirty #8
[  349.862007] Hardware name: LENOVO 7417PLU/7417PLU, BIOS 7VET95WW (3.25 ) 10/10/2012
[  349.862007] task: ffff8801f2df2100 ti: ffff8801f2df25a0 task.ti: ffff8801f2df25a0
[  349.862007] RIP: 0010:[<ffffffffa0e668aa>]  [<ffffffffa0e668aa>] ffffffffa0e668aa
[  349.862007] RSP: 0018:ffff880099ff3c50  EFLAGS: 00010246
[  349.862007] RAX: 0000000000000000 RBX: ffffffffa0e635f0 RCX: ffff8801f2c7ba10
[  349.862007] RDX: ffff8801db4d27a0 RSI: 0000000000000292 RDI: 0000000000000292
[  349.862007] RBP: ffff880099ff3c88 R08: 3a696370786f6276 R09: 00000000000003c0
[  349.862007] R10: 766544734f696350 R11: 6564203a74696e49 R12: 0000000000000000
[  349.862007] R13: ffff8801f2c7ba88 R14: 0000000000080000 R15: 000000001a202000
[  349.862007] FS:  0000705e19aed700(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
[  349.862007] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  349.862007] CR2: 0000000000080000 CR3: 00000001f2f86000 CR4: 00000000000407f0
[  349.862007] Stack:
[  349.883221]  ffff8801f2c7ba10 ffff8801f2c7ba10 ffffc9001a202000 0000000000000000
[  349.883221]  00000000beef0000 ffffffffa0dee1a0 ffff8801db4d2650 ffff880099ff3cb8
[  349.883221]  ffffffffa0f53f9a ffffffffa0e635f0 ffff8800afee3410 ffffc9001a202000
[  349.883221] Call Trace:
[  349.883221]  [<ffffffffa0e01185>] ? rtR0MemAllocEx+0x1f5/0x2b0 [vboxdrv]
[  349.883221]  [<ffffffffa0df8b14>] ? supdrvIOCtl+0x15d4/0x2c00 [vboxdrv]
[  349.883221]  [<ffffffff811b3668>] ? check_heap_object+0x38/0x100
[  349.883221]  [<ffffffffa0df253d>] ? VBoxDrvLinuxIOCtl_4_3_10+0x19d/0x470 [vboxdrv]
[  349.883221]  [<ffffffff811e6651>] ? do_vfs_ioctl+0x451/0x740
[  349.883221]  [<ffffffff811f1945>] ? __fget+0x75/0xa0
[  349.883221]  [<ffffffff811f19e2>] ? __fget_light+0x32/0x80
[  349.883221]  [<ffffffff811e69c1>] ? SyS_ioctl+0x81/0xa0
[  349.883221]  [<ffffffff815bf5d9>] ? system_call_fastpath+0x1a/0x1f
[  349.883221] Code: ff 85 c0 41 89 c4 78 32 48 8b 4d c8 8b 75 d0 4c 8d 69 78 48 89 4d d0 4c 89 ef ff 91 80 00 00 00 48 8b 4d d0 85 c0 41 89 c4 78 4a <4d> 89 2e 48 8b 43 f8 48 89 41 18 48 89 4b f8 48 8b 7b f0 e8 ce
[  349.883221] RIP  [<ffffffffa0e668aa>] ffffffffa0e668aa
[  349.883221]  RSP <ffff880099ff3c50>
[  349.883221] CR2: 0000000000080000
[  349.914637] ---[ end trace ca6665cdcf9c172e ]---


My PaX kernel config:
Code:
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_XATTR_PAX_FLAGS is not set
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
# CONFIG_PAX_MPROTECT is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y


My grsec kernel config:
Code:
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_JIT_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_BRUTE is not set
# CONFIG_GRKERNSEC_MODHARDEN is not set
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
CONFIG_GRKERNSEC_NO_RBAC=y
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
# CONFIG_GRKERNSEC_PROC is not set
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
# CONFIG_GRKERNSEC_FIFO is not set
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_INITRD=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
# CONFIG_GRKERNSEC_DMESG is not set
# CONFIG_GRKERNSEC_HARDEN_PTRACE is not set
# CONFIG_GRKERNSEC_PTRACE_READEXEC is not set
# CONFIG_GRKERNSEC_SETXID is not set
CONFIG_GRKERNSEC_HARDEN_IPC=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_DENYUSB is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6


Any idea what might be wrong and how to resolve it?

Thanks!
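
A small triage script for the oops above, added here as an example and not part of careta's post or of any grsecurity or VirtualBox code: it pulls the faulting address, the x86 page-fault error code, the out-of-tree (O) modules and the call-trace frames out of a constructed excerpt of the trace, and reports which registers hold the faulting address (here R14, consistent with the write fault that Oops code 0002 reports). All input is a trimmed copy of the posted dmesg lines.

```python
import re

# Constructed excerpt of the oops posted above; enough lines to exercise the parser.
OOPS = """\
[  349.861811] BUG: unable to handle kernel paging request at 0000000000080000
[  349.862007] Oops: 0002 [#1] PREEMPT SMP
[  349.862007] Modules linked in: ctr pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) kvm_intel kvm
[  349.862007] CPU: 0 PID: 4438 Comm: EMT Tainted: G           O 3.14.4-grsec-dirty #8
[  349.862007] R13: ffff8801f2c7ba88 R14: 0000000000080000 R15: 000000001a202000
[  349.862007] CR2: 0000000000080000 CR3: 00000001f2f86000 CR4: 00000000000407f0
[  349.883221] Call Trace:
[  349.883221]  [<ffffffffa0e01185>] ? rtR0MemAllocEx+0x1f5/0x2b0 [vboxdrv]
[  349.883221]  [<ffffffffa0df8b14>] ? supdrvIOCtl+0x15d4/0x2c00 [vboxdrv]
[  349.883221]  [<ffffffff811b3668>] ? check_heap_object+0x38/0x100
"""
FRAME = re.compile(r"\[<[0-9a-f]+>\]\s+(\? )?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
REG = re.compile(r"\b([A-Z][A-Z0-9]{1,2}): ([0-9a-f]{16})")

def parse_oops(text):
    """Pull the triage-relevant fields out of an x86-64 kernel oops."""
    info = {"modules_out_of_tree": [], "frames": [], "regs": {}}
    in_trace = False
    for raw in text.splitlines():
        line = re.sub(r"^\[\s*[\d.]+\]\s?", "", raw)   # drop the dmesg timestamp
        if in_trace:
            if m := FRAME.search(line):   # a leading '?' marks a frame the unwinder could not verify
                info["frames"].append((m.group(2), m.group(3), m.group(1) is not None))
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith("BUG: unable to handle kernel paging request at "):
            info["fault_addr"] = int(line.rsplit(" ", 1)[1], 16)
        elif line.startswith("Oops: "):
            code = int(line.split()[1], 16)   # x86 page-fault error code bits
            info["oops"] = {"present": bool(code & 1), "write": bool(code & 2), "user": bool(code & 4)}
        elif line.startswith("Modules linked in:"):
            info["modules_out_of_tree"] = re.findall(r"(\w+)\(O\)", line)
        elif "Tainted:" in line:
            toks = line.split("Tainted:")[1].split()
            flags = [t for t in toks if len(t) == 1]   # single-letter taint flags precede the version
            info["taint"], info["kernel"] = "".join(flags), toks[len(flags)]
        else:
            info["regs"].update((r, int(v, 16)) for r, v in REG.findall(line))
    return info

def regs_holding_fault_addr(info):   # registers equal to the faulting address: likely base of the bad access
    return sorted(r for r, v in info["regs"].items() if v == info.get("fault_addr"))

def out_of_tree_frames(info):   # trace symbols that live in out-of-tree (O) modules
    return [sym for sym, mod, _ in info["frames"] if mod in info["modules_out_of_tree"]]
```

Every frame in the posted trace is flagged `?`, so the symbol names are hints rather than a verified call chain; the fault address sitting in R14 with a write error code is the firmer lead.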

Re: VirtualBox breakage with latest 3.14.4 patch

PostPosted: Mon May 19, 2014 5:08 pm
by PaX Team
careta wrote: it seems something is breaking VirtualBox 4.3.10 (latest version)

What happens with 4.3.12?