apache ssl problems: PAX terminates execution attempt


Post by Dwokfur » Sun Apr 17, 2011 6:55 am

On Thursday I was about to upgrade apache-2.2.16 to -2.2.17.
It compiled flawlessly as always. However, after I restarted the daemon the
ssl connections timed out. I tried to revert the installation to the
previous version, but the symptoms remained.

I had to restore apache from my backup.

If I recompile the current version of apache it's also unusable.
Now I'm stuck.

The linking seems to be the same:
Correct module:
ldd /usr/lib/apache2/modules/mod_ssl.so
linux-gate.so.1 => (0x4f33b000)
libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x4f287000)
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x4f0fb000)
libgmp.so.3 => /usr/lib/libgmp.so.3 (0x4f0aa000)
libdl.so.2 => /lib/libdl.so.2 (0x4f0a6000)
libz.so.1 => /lib/libz.so.1 (0x4f08f000)
libpthread.so.0 => /lib/libpthread.so.0 (0x4f075000)
libc.so.6 => /lib/libc.so.6 (0x4ef16000)
/lib/ld-linux.so.2 (0x4f33c000)

Incorrect module:
ldd /usr/lib/apache2/modules/mod_ssl.so
linux-gate.so.1 => (0x4c38c000)
libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x4c2d7000)
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x4c14b000)
libgmp.so.3 => /usr/lib/libgmp.so.3 (0x4c0fa000)
libdl.so.2 => /lib/libdl.so.2 (0x4c0f6000)
libz.so.1 => /lib/libz.so.1 (0x4c0df000)
libpthread.so.0 => /lib/libpthread.so.0 (0x4c0c5000)
libc.so.6 => /lib/libc.so.6 (0x4bf66000)
/lib/ld-linux.so.2 (0x4c38d000)

Here is an example of two PAX terminations:
Apr 17 01:47:51 atoth kernel: PAX: From 66.249.71.137: execution attempt in: (null), 00000000-00000000 00000000
Apr 17 01:47:51 atoth kernel: PAX: terminating task: /usr/sbin/apache2(apache2):3531, uid/euid: 81/81, PC: 00000058, SP: 484c1a7c
Apr 17 01:47:51 atoth kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Apr 17 01:47:51 atoth kernel: PAX: bytes at SP-4: 484c1b18 4e5c60f4 158393c4 484c1af8 484c1af4 00000000 4e83b317 4e5de8c8 4e83c7b9 4e5d52a2 155058f0 484c1b08 00000dcb 07fc8be9 00000001 4e50c07f 484c1ae8 4e525980 00000001 484c1af8 484c1af4
Apr 17 01:47:51 atoth kernel: PAX: From 66.249.71.137: execution attempt in: (null), 00000000-00000000 00000000
Apr 17 01:47:51 atoth kernel: PAX: terminating task: /usr/sbin/apache2(apache2):3554, uid/euid: 81/81, PC: 00000058, SP: 484c1d2c
Apr 17 01:47:51 atoth kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Apr 17 01:47:51 atoth kernel: PAX: bytes at SP-4: 484c1dc8 4e5c60f4 158393c4 484c1da8 484c1da4 00000000 0000000b 00000000 484c1da8 4e3e314b 00004458 4e57a7d9 0000029c 0000000b 0000000a 0000000c 4e57a7d9 0000029a 0000000b 484c1da8 484c1da4

The linking consistency is OK. Revdep-rebuild and lafilefixer --justfixit
find no packages to recompile.
But my current toolchain still produces unusable apache packages.
Reverting to the old binary makes the problem go away.
Paxctl -m couldn't solve the problem.

Portage 2.1.9.42
hardened/linux/x86
gcc-4.5.2
glibc-2.13-r2
kernel: 2.6.38-hardened
gentoo-1.12.14
apache-2.2.16
openssl-1.0.0d
openssh-5.8_p1-r1

I couldn't find any other useful messages in the log.
It might not be the ssl module. If I go for a non-ssl page, it gets correctly served.
How should I continue tracking down the problem?

Thanks:
Dw.

Re: apache ssl problems: PAX terminates execution attempt

Post by Dwokfur » Mon Apr 18, 2011 12:37 am

This one seems to be a problem with gcc-4.5.2 using -O2.
Please take a look at:
http://bugs.gentoo.org/show_bug.cgi?id=363443

Dw.
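A triage helper for the PaX report format quoted in the first post, as an added example that is not part of the original thread: it pairs each "execution attempt" line with its "terminating task" line and flags a PC inside the first page with no mapping behind it (as with PC: 00000058 above), which usually indicates a call through a NULL-based pointer in the program itself. The sample log is constructed (wrapped lines rejoined, placeholder host and address, an invented second event), and the 4 KiB page size and the triage labels are assumptions.

```python
import re

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages (x86, as in the thread)

# Constructed sample in the format quoted in the thread: wrapped lines are
# rejoined, host and address are placeholders, the second event is invented.
SAMPLE_LOG = """\
Apr 17 01:47:51 host kernel: PAX: From 192.0.2.10: execution attempt in: (null), 00000000-00000000 00000000
Apr 17 01:47:51 host kernel: PAX: terminating task: /usr/sbin/apache2(apache2):3531, uid/euid: 81/81, PC: 00000058, SP: 484c1a7c
Apr 17 01:48:02 host kernel: PAX: execution attempt in: <anonymous mapping>, 5a000000-5a021000 5a000000
Apr 17 01:48:02 host kernel: PAX: terminating task: /usr/bin/demo(demo):4000, uid/euid: 1000/1000, PC: 5a000010, SP: 5a020ff0
"""

ATTEMPT = re.compile(
    r"PAX: (?:From (?P<src>\S+): )?execution attempt in: (?P<region>.+), "
    r"(?P<start>[0-9a-f]{8})-(?P<end>[0-9a-f]{8}) ")
TASK = re.compile(
    r"PAX: terminating task: (?P<exe>\S+)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)")

def triage(event):
    """Label an event by where the faulting PC pointed (heuristic labels)."""
    unmapped = event["region"] == "(null)"
    if unmapped and event["pc"] < PAGE_SIZE:
        return "null-page-pc"      # control transfer into the unmapped first page
    if unmapped:
        return "unmapped-pc"       # wild jump to an address with no mapping
    return "nonexec-mapping"       # execution attempted inside a non-executable mapping

def parse_pax_events(log_text):
    """Pair each 'execution attempt' line with the 'terminating task' line after it."""
    events, pending = [], None
    for line in log_text.splitlines():
        attempt = ATTEMPT.search(line)
        if attempt:
            pending = attempt.groupdict()
            continue
        task = TASK.search(line)
        if task and pending is not None:
            event = {**pending, **task.groupdict()}
            event["pid"] = int(event["pid"])
            event["pc"] = int(event["pc"], 16)
            event["triage"] = triage(event)
            events.append(event)
            pending = None
    return events

if __name__ == "__main__":
    for e in parse_pax_events(SAMPLE_LOG):
        print(f'{e["exe"]} pid={e["pid"]} pc={e["pc"]:#010x} -> {e["triage"]}')
```
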

