Hello!
I have compiled grsec (patch 1.99g) with the official 2.4.20 kernel and rebooted the system. It is a production server. Ever since I am running into "Segmentation faults" - only during kernel compilation. But they appear randomly - it looks like a RAM problem.
My system is a dual SMP PIII, 1,2 GB ECC reg. RAM.
Does anybody else have similar problems?
Thanks!
Habermas
"Randomized" Segmentation faults
5 posts
• Page 1 of 1
"Randomized" Segmentation faults
by Habermas » Mon May 19, 2003 7:43 am
- Habermas
- Posts: 5
- Joined: Mon May 19, 2003 7:38 am
It was a grsecurity issue!
by Habermas » Sat May 24, 2003 7:48 am
Hey!
After installing an older, not-grsec kernel, I found out that the compiling problem (segmentation faults) is indeed a GR-Security issue. Without the grsec-kernel the server runs just fine without any segfaults.
Any idea?
Cheers,
Habermas
After installing an older, not-grsec kernel, I found out that the compiling problem (segmentation faults) is indeed a GR-Security issue. Without the grsec-kernel the server runs just fine without any segfaults.
Any idea?
Cheers,
Habermas
- Habermas
- Posts: 5
- Joined: Mon May 19, 2003 7:38 am
Re: It was a grsecurity issue!
by PaX Team » Sat May 24, 2003 6:21 pm
can you post your .config file (or just the GRSEC options), also maybe try to disable all PaX options and see if there's a difference.Habermas wrote:After installing an older, not-grsec kernel, I found out that the compiling problem (segmentation faults) is indeed a GR-Security issue. Without the grsec-kernel the server runs just fine without any segfaults.
- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
Re: It was a grsecurity issue!
by Habermas » Sun May 25, 2003 4:54 am
PaX Team wrote:can you post your .config file (or just the GRSEC options), also maybe try to disable all PaX options and see if there's a difference.
Ok, here is the .config with the GR part, hope it helps:
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y
#
# Address Space Protection
#
# CONFIG_GRKERNSEC_PAX_NOEXEC is not set
# CONFIG_GRKERNSEC_PAX_KERNEXEC is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
# CONFIG_GRKERNSEC_HIDESYM is not set
#
# ACL options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
# CONFIG_GRKERNSEC_LINK is not set
# CONFIG_GRKERNSEC_FIFO is not set
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
# CONFIG_GRKERNSEC_CHROOT_UNIX is not set
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
# CONFIG_GRKERNSEC_CHROOT_SYSCTL is not set
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
# CONFIG_GRKERNSEC_FORKFAIL is not set
# CONFIG_GRKERNSEC_TIME is not set
#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set
#
# Network Protections
#
# CONFIG_GRKERNSEC_RANDNET is not set
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_RANDPING=y
# CONFIG_GRKERNSEC_SOCKET is not set
#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
If you need something else too, please let me know! There was no error message or anything like that in /var/log/messages or even /var/log/warn. Just a "usual" segfault.
I wouldn't want to retry the grsec-kernel since this is only happening on my production server.
Habermas
- Habermas
- Posts: 5
- Joined: Mon May 19, 2003 7:38 am
Re: It was a grsecurity issue!
by PaX Team » Sun May 25, 2003 7:26 am
this would have been one of my bets but apparently you're not using non-exec pages. the other thing i can think of is that the other grsecurity restrictions/ACLs trigger a bug in gcc/whereever, but to find it out you'd have to do some debugging on your production server (or at least take a look at the previously generated coredumps if you enabled them) - probably not a good idea. in any case, you could post your ACLs or at least the portions that are relevant for a kernel compilation, maybe we can spot a problem in there.Habermas wrote:# CONFIG_GRKERNSEC_PAX_NOEXEC is not set
# CONFIG_GRKERNSEC_PAX_KERNEXEC is not set
- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
5 posts
• Page 1 of 1