grub-probe Killed under grsecurity

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

grub-probe Killed under grsecurity

Postby cmouse » Sat Sep 18, 2010 5:36 am

grub-probe is killed under grsecurity despite paxctl

[152627.570577] PAX: From 83.100.71.8: execution attempt in: <anonymous mapping>, 71e6f4005000-71e6f401b000 7ffffffe9000
[152627.571093] PAX: terminating task: /usr/sbin/grub-probe(grub-probe):6072, uid/euid: 0/0, PC: 000071e6f40199f0, SP: 000071e6f40199b8
[152627.571624] PAX: bytes at PC: 41 bb b0 99 40 00 49 ba e0 99 01 f4 e6 71 00 00 49 ff e3 1d
[152627.572133] PAX: bytes at SP-8: 000071e6f401a060 0000000000409812 000071e6f401a060 000071e6f4019ac0 000071e6f401a060 00000000004098f2 0000000000000000 00000000006474a0 ba49004099b0bb41 000071e6f40199e0 000143ee1de3ff49

# paxctl -v /usr/sbin/grub-probe
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-xE--r [/usr/sbin/grub-probe]
PAGEEXEC is disabled
SEGMEXEC is disabled
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is enabled
RANDMMAP is disabled

CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_ELFRELOCS=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y

grsecurity version 2.2.0-2.6.32.21-201009130811
kernel version 2.6.32.21-grsec
cmouse
 
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am

Re: grub-probe Killed under grsecurity

Postby spender » Sat Sep 18, 2010 4:38 pm

Are you using the RBAC system and enforcing PaX flags on the binary through it?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: grub-probe Killed under grsecurity

Postby cmouse » Sun Sep 19, 2010 5:54 am

RBAC is disabled in kernel with CONFIG_GRKERNSEC_NO_RBAC=y
cmouse
 
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am

Re: grub-probe Killed under grsecurity

Postby PaX Team » Sun Sep 19, 2010 3:33 pm

cmouse wrote:RBAC is disabled in kernel with CONFIG_GRKERNSEC_NO_RBAC=y
can you run this binary in gdb and then look at what PaX flags got enabled on it in /proc/pid/status?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grub-probe Killed under grsecurity

Postby cmouse » Mon Sep 20, 2010 2:40 am

~# objdump -x /usr/sbin/grub-probe

/usr/sbin/grub-probe: file format elf64-x86-64
/usr/sbin/grub-probe
architecture: i386:x86-64, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x0000000000401ff0

~# gdb /usr/sbin/grub-probe
(gdb) break main
Function "main" not defined.
(gdb) break *0x0000000000401ff0
Breakpoint 1 at 0x401ff0
(gdb) r
Starting program: /usr/sbin/grub-probe
During startup program terminated with signal SIGKILL, Killed.

~# strace /usr/sbin/grub-probe
execve("/usr/sbin/grub-probe", ["/usr/sbin/grub-probe"], [/* 19 vars */] <unfinished ...>
+++ killed by SIGKILL +++
Killed

any other ideas? =)
cmouse
 
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am

Re: grub-probe Killed under grsecurity

Postby cmouse » Mon Sep 20, 2010 2:43 am

And for comparison:

~# strace /bin/ls
execve("/bin/ls", ["/bin/ls"], [/* 19 vars */]) = 0
brk(0) = 0x623a50
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x673c27a32000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
<snip/>
getdents(3, /* 0 entries */, 32768) = 0
close(3) = 0
close(1) = 0
close(2) = 0
exit_group(0) = ?
~#
cmouse
 
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am

Re: grub-probe Killed under grsecurity

Postby tjh » Mon Sep 20, 2010 5:21 pm

I've seen this before.
You're calling something else that calls grub-update, aren't you? Or are you actually running grub-update itself?

grub-update inherits the flags from the calling process I think.

I know I've seen this when installing new kernels on Debian/Ubuntu boxes. I forget the exact binary, but there's another in /usr/sbin or /sbin that if you change the pax flags for, everything works fine.
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: grub-probe Killed under grsecurity

Postby PaX Team » Mon Sep 20, 2010 9:37 pm

cmouse wrote:~# strace /usr/sbin/grub-probe
execve("/usr/sbin/grub-probe", ["/usr/sbin/grub-probe"], [/* 19 vars */] <unfinished ...>
+++ killed by SIGKILL +++
Killed

any other ideas? =)
yeah, the above makes it obvious now that it's a SIGKILL during execve itself, which usually happens for illegal flag combinations that is your case as well: EMUTRAMP makes little sense when non-exec pages aren't enforced, so turn back PAGEEXEC/SEGMEXEC on. the next question is why you ended up with such a flag combination, did something not work before with what the toolchain created by default for this binary (i assume EMUTRAMP was enabled due to the nested function trampolines)?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grub-probe Killed under grsecurity

Postby cmouse » Tue Sep 21, 2010 2:44 am

Yes, well, it kept crashing.

Then I ran paxctl -c /usr/sbin/grub-probe, and did a best guess (apparently very bad one) on trying to make it work. It seems that it had some flags turned on automatically by paxctl when it does the conversion. Now I ran paxctl -z and it worked fine.
cmouse
 
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am


Return to grsecurity support