php oci8 segfaults

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by npavlidis » Tue Jul 05, 2011 9:47 am

Hello all,

The system:
centos 5.x latest
2.6.32.41-4.art.x86_64
gradm-2.2.1-2.el5.art

I have been asked to install the oci8 extension to our webservers and so I did... but!

php -v segfaults and apache won't start, so I did:

execstack -c /usr/lib64/php/modules/oci8.so and even
chpax -m /usr/lib64/php/modules/oci8.so

but still the strace shows:

open("/usr/lib/oracle/11.2/client64/lib/libnnz11.so", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\17\5\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=7898628, ...}) = 0
mmap(NULL, 3964192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x6a943a4fe000
mprotect(0x6a943a783000, 1044480, PROT_NONE) = 0
mmap(0x6a943a882000, 270336, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x284000) = 0x6a943a882000
mmap(0x6a943a8c4000, 7456, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x6a943a8c4000
mprotect(0x6a9447217000, 3492, PROT_READ|PROT_WRITE) = -1 EACCES (Permission denied)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

The only solution I have found is to disable mprotect on /usr/bin/php AND /usr/bin/httpd which I want to avoid to be honest...

Any help would be much appreciated.

Thanks

Nik
npavlidis
 
Posts: 2
Joined: Mon Sep 29, 2008 8:59 am

Re: php oci8 segfaults

Post by spender » Tue Jul 05, 2011 12:39 pm

For starters, run execstack -c on /usr/lib/oracle/11.2/client64/lib/libnnz11.so and any other libraries in that directory. Running chpax on libraries has no effect.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: php oci8 segfaults

Post by npavlidis » Wed Jul 06, 2011 3:31 am

Yep, that did it,

execstack -c /usr/lib64/php/modules/oci8.so
execstack -c /usr/lib/oracle/11.2/client64/lib/libnnz11.so


both required

I will keep an eye on it and add more libraries if it starts complaining again but so far everything seems to be running as it should.

Many thanks Brad

Cheers,

Nik

Edit:

I ended up doing execstack -c to *.so (the basics worked with the above, but as you start using the application php segfaults again).
npavlidis
 
Posts: 2
Joined: Mon Sep 29, 2008 8:59 am

Re: php oci8 segfaults

Post by spender » Wed Jul 06, 2011 6:07 am

Can you give the error/strace again?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
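
Added example, not part of the thread and not grsecurity or PaX code: a read-only Python check that reports which shared libraries in a directory still carry the executable-stack marking that execstack -c clears, by reading each file's PT_GNU_STACK program header. The function names (stack_marking, scan, constructed_elf64) are chosen here, and the sample ELF image is constructed.

```python
import struct
import sys
from pathlib import Path

PT_GNU_STACK = 0x6474E551  # program header type that carries the stack permissions
PF_X = 0x1                 # execute bit in p_flags; this is what execstack -c clears


def stack_marking(data: bytes) -> str:
    """Return 'exec', 'noexec', 'missing' (no PT_GNU_STACK header) or 'not-elf'."""
    if data[:4] != b"\x7fELF" or len(data) < 64 or data[4] not in (1, 2) or data[5] not in (1, 2):
        return "not-elf"
    is64 = data[4] == 2                   # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + (8 if is64 else 28) > len(data):
            break                         # truncated program header table
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            # p_flags follows p_type in ELF64 and sits at offset 24 in ELF32
            (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
            return "exec" if p_flags & PF_X else "noexec"
    return "missing"


def scan(directory: str) -> dict:
    """Map every *.so* file directly inside `directory` to its stack marking."""
    return {str(p): stack_marking(p.read_bytes())
            for p in sorted(Path(directory).glob("*.so*")) if p.is_file()}


def constructed_elf64(p_flags: int) -> bytes:
    """Constructed sample: ELF64 header plus a single PT_GNU_STACK program header."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, p_flags, 0, 0, 0, 0, 0, 16)


if __name__ == "__main__":
    print(stack_marking(constructed_elf64(0x7)), stack_marking(constructed_elf64(0x6)))
    for name, marking in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{marking:8} {name}")
```

Pass the library directory as the first argument (for the setup in this thread, /usr/lib/oracle/11.2/client64/lib); files reported as exec are the ones execstack -c would change.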

