grsecurity forums

Posted: **Sun Jun 15, 2003 3:08 pm**

Logs:

-----------------
22759a22760,22762
-----------------
Jun 14 17:47:59 map PAX: terminating task: /opt/drweb/drweb(drweb):18538,
uid/euid: 0/0, EIP: 22871B18, ESP: 5E5581BC

Jun 14 17:47:59 map PAX: bytes at EIP: 53 56 8b 54 24 18 52 8b 4c 24 18 51 8b
5c 24 18 53 8b 74 24

Jun 14 17:47:59 map grsec: attempted resource overstep by requesting 4096 for
RLIMIT_CORE against limit 0 by (drweb:18538) UID(0) EUID(0), parent
(bash:10716) UID(0) EUID(0)

But *trace logs of drweb (without grsec) does not contains any rlimit(RLIMIT_CORE ...) calls! Why?

Posted: **Sun Jun 15, 2003 3:39 pm**

The coredump is attempted by the kernel if the process is dumpable (eg isn't suid root or a few other things). The application itself doesn't request the coredump.

-Brad

Posted: **Mon Jun 16, 2003 7:01 am**

Klopp wrote:Jun 14 17:47:59 map PAX: terminating task: /opt/drweb/drweb(drweb):18538,
uid/euid: 0/0, EIP: 22871B18, ESP: 5E5581BC

Jun 14 17:47:59 map PAX: bytes at EIP: 53 56 8b 54 24 18 52 8b 4c 24 18 51 8b
5c 24 18 53 8b 74 24

this is PaX in action, drweb tried to execute code from non-executable memory. on a first look it seems to be some kind of runtime loaded module using a homegrown loader a'la XFree86 (malloc() vs. mmap()). a temporary solution is chpax -sp /opt/drweb/drweb, otherwise someone should fix drweb itself to use proper file mappings for loading modules.

grsecurity forums

drweb + rlimit

drweb + rlimit

Re: drweb + rlimit