Issues with 2.6.32.39-grsec

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Issues with 2.6.32.39-grsec

Postby amdfanatyk » Tue May 03, 2011 3:58 am

#1 Firefox 3.5.19 doesn't run. Instead it locks for infinite time and consumes 100% of CPU time.
(2.6.32.36-grsec is not affected)
amdfanatyk
 
Posts: 50
Joined: Tue Oct 18, 2005 3:52 pm

Re: Issues with 2.6.32.39-grsec

Postby PaX Team » Tue May 03, 2011 5:07 am

amdfanatyk wrote:#1 Firefox 3.5.19 doesn't run. Instead it locks for infinite time and consumes 100% of CPU time.
(2.6.32.36-grsec is not affected)
is it http://forums.grsecurity.net/viewtopic.php?f=3&t=2201?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Issues with 2.6.32.39-grsec

Postby amdfanatyk » Tue May 03, 2011 6:31 am

I have no idea but the fact is that the same version of Firefox works with .36-grsec and doesn't work with .39-grsec.
amdfanatyk
 
Posts: 50
Joined: Tue Oct 18, 2005 3:52 pm

Re: Issues with 2.6.32.39-grsec

Postby spender » Tue May 03, 2011 9:32 am

Can you paste the EI_PAX and PT_PAX_FLAGS portions of your .config?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Issues with 2.6.32.39-grsec

Postby amdfanatyk » Tue May 03, 2011 11:24 am

Code: Select all
#
# PaX
#
CONFIG_ARCH_TRACK_EXEC_LIMIT=y
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_MPROTECT_COMPAT=y
CONFIG_PAX_ELFRELOCS=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_MODULE_TEXT=16

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
# CONFIG_PAX_RANDUSTACK is not set
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
# CONFIG_PAX_REFCOUNT is not set
# CONFIG_PAX_USERCOPY is not set
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set
# CONFIG_SECURITYFS is not set
# CONFIG_SECURITY_FILE_CAPABILITIES is not set
# CONFIG_IMA is not set
CONFIG_CRYPTO=y
amdfanatyk
 
Posts: 50
Joined: Tue Oct 18, 2005 3:52 pm

Re: Issues with 2.6.32.39-grsec

Postby spender » Tue May 03, 2011 6:50 pm

Your problem is described here:

viewtopic.php?f=3&t=2603

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Issues with 2.6.32.39-grsec

Postby amdfanatyk » Wed May 04, 2011 1:34 pm

I don't get it. I don't see any difference between help from 2.6.32.36-grsec
If you have applications not marked by the PT_PAX_FLAGS ELF
program header then you MUST enable the EI_PAX marking support
otherwise they will not get any protection.

and 2.6.32.39-grsec
If you have applications not marked by the PT_PAX_FLAGS ELF
program header then you MUST enable the EI_PAX marking support
otherwise they will not get any protection.

.
amdfanatyk
 
Posts: 50
Joined: Tue Oct 18, 2005 3:52 pm

Re: Issues with 2.6.32.39-grsec

Postby spender » Wed May 04, 2011 1:48 pm

Yeah the documentation wasn't updated properly for .32 though it is correct in .38. I was made aware of it last night and will fix it in the next patch.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Issues with 2.6.32.39-grsec

Postby amdfanatyk » Thu Jun 23, 2011 3:10 am

Can I use pax_softmode=1 to restore previous behaviour? Or it will disable even more protection?
amdfanatyk
 
Posts: 50
Joined: Tue Oct 18, 2005 3:52 pm


Return to grsecurity support

cron