grsecurity-2.2.1-2.6.36.2-201012221906 apache2 problem

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

grsecurity-2.2.1-2.6.36.2-201012221906 apache2 problem

Postby coderx » Fri Dec 24, 2010 1:11 pm

after booting the kernel apache is running but i cant get any file

# wget http://x.x.x.x/aaaa
--2010-12-24 x:x:x-- http://x.x.x.x/aaaa
Connecting to x.x.x.x:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: x (xK) [text/plain]
Saving to: 'aaaa'

0% [ ] 0 --.-K/s in 0s

2010-12-24 x:x:x (0.00 B/s) - Connection closed at byte 0. Retrying.

Bad address: core_output_filter: writing data to the network
thats in error_log

nothing is touched in my apache i mean i didnt changed any confs soon

when i boot the default debian kernel without grsecurity, apache works fine again
there is nothing from kernel messages and apache doesnt segfault but i cant get any file
any idea what is the problem ?
coderx
 
Posts: 37
Joined: Tue Mar 25, 2008 3:57 am

Re: grsecurity-2.2.1-2.6.36.2-201012221906 apache2 problem

Postby specs » Fri Dec 24, 2010 2:13 pm

You post little information to work with. I could only assume you did use a vanilla kernel to trigger the problem. And I assume you use a i386 system.

Testing on a different system (amd64 + same patch) i found no problem with apache2. For testing with i386 I would need to reboot.
Looking a little around for the error I found few links for the combination grsecurity and core_output_filter, but I did find a lot with just apache and core_output_filter. Some mentioning apache should give a clear error instead of a warning (Bug 45986).

The option involved seems to be "EnableSendfile Off". I also found a link mentioning "EnableMMAP off" could have some influence.
This directive controls whether httpd may use the sendfile support from the kernel ..

http://httpd.apache.org/docs/2.0/mod/co ... lesendfile
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: grsecurity-2.2.1-2.6.36.2-201012221906 apache2 problem

Postby coderx » Fri Dec 24, 2010 2:24 pm

# uname -a
Linux xxx 2.6.36.2-grsec #1 SMP Thu Dec 23 12:48:35 2010 i686 GNU/Linux
# cat /etc/issue
Debian GNU/Linux squeeze/sid \n \l
# /usr/sbin/apache2 -V
Server version: Apache/2.2.16 (Debian)
Server built: Nov 14 2010 18:15:00
coderx
 
Posts: 37
Joined: Tue Mar 25, 2008 3:57 am

Re: grsecurity-2.2.1-2.6.36.2-201012221906 apache2 problem

Postby specs » Fri Dec 24, 2010 2:43 pm

After a reboot I tested again. Apache2 works fine it seems when using a normal (graphical) webbrowser.
However using wget I do get a problem both on i386 and amd64, only when connecting to debian apache2 2.2.16 on grsec-2.6.36.2-201012221906. Using lynx everything works fine.
Off course now I realize I did not use wget in the previous tests specifically.

The other system I tested (no debian) used the same apache version, but did work with wget.

In short: problem is reproducable, but perhaps paxteam or spender could tell if further information is required.
Last edited by specs on Fri Dec 24, 2010 2:52 pm, edited 1 time in total.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: grsecurity-2.2.1-2.6.36.2-201012221906 apache2 problem

Postby coderx » Fri Dec 24, 2010 2:49 pm

try with some big file like 1 mb and use browser it ll not work i tested with firefox too
coderx
 
Posts: 37
Joined: Tue Mar 25, 2008 3:57 am

Re: grsecurity-2.2.1-2.6.36.2-201012221906 apache2 problem

Postby specs » Fri Dec 24, 2010 3:30 pm

After adding the EnableSendfile directive to httpd.conf I can't reproduce the bug (at least not without reboot), whether I enable it or disable it.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: grsecurity-2.2.1-2.6.36.2-201012221906 apache2 problem

Postby PaX Team » Sat Dec 25, 2010 3:45 am

coderx wrote:after booting the kernel apache is running but i cant get any file
if you have UDEREF enabled then it's a known bug and will be fixed in the next patch.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Return to grsecurity support

cron