Page 1 of 1

Problems with Nodejs and PAX

PostPosted: Sun Sep 21, 2014 10:07 am
by peerchemist
Nodejs gets killed by PAX, however I can not deduct where the problem is.
When I run nodejs, output is only "Killed".

dmesg:
Code: Select all
[  528.753935] PAX: From 10.42.0.1: execution attempt in: (null), 00000000-00000000 00000000
[  528.763248] PAX: terminating task: /usr/bin/node(node):409, uid/euid: 1000/1000, PC: ffff0fc0, SP: beffad48
[  528.774059] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
[  528.783058] PAX: bytes at SP-4: b6b95410 ffff0fa0 0059fa74 00000000 00000000 00000001 005a7b30 beffad7c 0033bce4 00000000 00000004 005a7b3d 00000001 beffadc4 003d7e00 005a0660 005a7b38 00000001 00240510 0059f880 00000002


uname -a:
Code: Select all
3.14.6-3-GRSEC #1 PREEMPT Fri Aug 15 18:00:30 CEST 2014 armv6l GNU/Linux


paxctl -v /usr/bin/node:

PaX flags: -----m-x-e-- [/usr/bin/node]
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled


MPROTECT is disabled as recommended here: http://stackoverflow.com/questions/8655 ... ntoo-amd64
but no effect.

PAX is in softmode, this is sysctl conf: https://github.com/peerchemist/Peerbox/ ... ysctl.conf

Kernel config: https://github.com/peerchemist/Peerbox/ ... sec/config

This is nodejs PKGBUILD: https://github.com/archlinuxarm/PKGBUIL ... s/PKGBUILD

Re: Problems with Nodejs and PAX

PostPosted: Mon Sep 22, 2014 7:34 pm
by spender
Hi,

You need to enable CONFIG_GRKERNSEC_OLD_ARM_USERLAND:
Code: Select all
config GRKERNSEC_OLD_ARM_USERLAND
        bool "Old ARM userland compatibility"
        depends on ARM && (CPU_V6 || CPU_V6K || CPU_V7)
        help
          If you say Y here, stubs of executable code to perform such operations
          as "compare-exchange" will be placed at fixed locations in the ARM vector
          table.  This is unfortunately needed for old ARM userland meant to run
          across a wide range of processors.  Without this option enabled,
          the get_tls and data memory barrier stubs will be emulated by the kernel,
          which is enough for Linaro userlands or other userlands designed for v6
          and newer ARM CPUs.  It's recommended that you try without this option enabled
          first, and only enable it if your userland does not boot (it will likely fail
          at init time).


Your nodejs binary is attempting to execute the cmpxchg kuser helper at its fixed address (0xffff0fc0). Alternatively, you could try to find an updated nodejs source that doesn't require this, or submit a bugreport to have it detect the need to use the kuser helper (so that it can also be compatible with certain new upstream configurations). The responsible code is at: http://code.dyne.org/jmx/tree/node.js/d ... bc8efaf3b8

-Brad

Re: Problems with Nodejs and PAX

PostPosted: Wed Sep 24, 2014 6:18 am
by peerchemist
I've contacted v8 devs and they say that this configuration is not supported and that I need to deliver possible fix if I want to use it this way.
Is there any security tradeof if using GRKERNSEC_OLD_ARM_USERLAND?

Thanks.

Re: Problems with Nodejs and PAX

PostPosted: Wed Sep 24, 2014 7:54 am
by spender
There is, you have essentially some ROP gadgets at fixed addresses that slightly devalue the benefit of ASLR. If you haven't already, inform them of the upstream CONFIG_KUSER_HELPERS which will be disabled on ever more devices in the future. Surely they support the mainline kernel which has had this since version 3.10? Please give me the link to the discussion as well -- if they're not willing to make the change, I'll give it some visibility and hopefully another person will.

-Brad

Re: Problems with Nodejs and PAX

PostPosted: Wed Sep 24, 2014 1:08 pm
by peerchemist
https://code.google.com/p/v8/issues/detail?id=3595

Later on they tell me the same you did, about new version of v8 do not require kuser helper.
I have not yet tested node v0.11 (development version with newer v8). I'll do that within a week and post results here.

Thanks once again.