grsecurity forums

[Carlos Carvalho]

It seems the forum is prefered over the mailing list, so I'll try here...

Firefox gets in an infinite loop of mmap/munmap on a Debian machine with kernel 3.1.7. However, with 2.6.37.4 it works fine. The grsec config is the same. Additionally, chromium (debian) refuses to run because of the executable ram. I disabled pax_mprotect and now chromium runs but firefox didn't change.

I've seen https://bugs.gentoo.org/show_bug.cgi?id=278698 but paxctl -r but it says "firefox does not have a PT_PAX_FLAGS program header".

Is it possible to make firefox run again with 3.1.7? Also why is it different from 2.6.37.4?

I really need to try 3.1.7 because of lockup problems with 2.6* (unrelated to grsec), and 3.1.7 is the first 3* that runs in this machine.

[spender]

You will hit yourself after you read this:

viewtopic.php?f=3&t=2603

-Brad

[Carlos Carvalho]

Thanks. I managed to make firefox work with paxctl -Cr in /usr/lib/xulrunner-9.0/xulrunner-stub /usr/lib/iceape/iceape-bin.

Then I recompiled with CONFIG_PAX_MPROTECT. It' d be nice to have a sysctl for it Now firefox doesn't start, it aborts with no error msgs. Worked around disabling pax_mprotect for it with
paxctl -m /usr/lib/xulrunner-9.0/xulrunner-stub
Oh well... What does it use mprotect for?

The remaining problem is chromium. It aborts with "/usr/lib/chromium/chromium: error while loading shared libraries: cannot make segment writable for relocation: Permission denied" Trying the obvious
paxctl -Cm /usr/lib/chromium/chromium
however doesn't work. It says "file /usr/lib/chromium/chromium cannot have a PT_PAX_FLAGS program header, creation failed". Why can't it have such a header??

Does it mean that I have to disable pax_mprotect in the kernel?

BTW, I find forcing pax_mprotect for user programs somewhat intrusive. I think the user has the right to do such things in his programs; I'm only using it to protect system software. Is there a way to turn it on only for files in certain filesystems, without enumerating each one?

[PaX Team]

Now firefox doesn't start, it aborts with no error msgs. Worked around disabling pax_mprotect for it with paxctl -m /usr/lib/xulrunner-9.0/xulrunner-stub
Oh well... What does it use mprotect for?

JIT compiler(s) for javascript, iirc. i think there's a patch in gentoo that disables them at configure time (you used to be able to do this without patching but not anymore).

The remaining problem is chromium. It aborts with "/usr/lib/chromium/chromium: error while loading shared libraries: cannot make segment writable for relocation: Permission denied"

that's due to text relocations probably in one of the libraries it loads, you can find it out by stracing chromium.

Trying the obvious paxctl -Cm /usr/lib/chromium/chromium however doesn't work. It says "file /usr/lib/chromium/chromium cannot have a PT_PAX_FLAGS program header, creation failed". Why can't it have such a header??

can you post the binary or at least its readelf -eW output? also did you try paxctl -c? it should be the preferred method when creating a new PT_PAX_FLAGS header.

BTW, I find forcing pax_mprotect for user programs somewhat intrusive. I think the user has the right to do such things in his programs; I'm only using it to protect system software.

the *need* to generate code at runtime is not a right but a property of code. the *ability* to generate code at runtime is however a right that you can grant or take away. collision occurs when the need exceeds the ability, this is what happens when you enable MPROTECT on apps that need to generate code at runtime. so if a user wants to generate code in his programs he just has to grant them the ability to do so, PaX itself has discretionary control over these features for this purpose (you can turn this into mandatory control with grsec's RBAC).

Is there a way to turn it on only for files in certain filesystems, without enumerating each one?

you can control PaX features only systemwide or per file.

[Carlos Carvalho]

The remaining problem is chromium. It aborts with "/usr/lib/chromium/chromium: error while loading shared libraries: cannot make segment writable for relocation: Permission denied"

that's due to text relocations probably in one of the libraries it loads, you can find it out by stracing chromium.

How exactly? There are lots of opens and mmaps and mprotects... I couldn't identify the starting address with anything.

Trying the obvious paxctl -Cm /usr/lib/chromium/chromium however doesn't work. It says
file /usr/lib/chromium/chromium cannot have a PT_PAX_FLAGS program header, creation failed". Why can't it have such a header??

can you post the binary or at least its readelf -eW output?

ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x1a2e80
Start of program headers: 52 (bytes into file)
Start of section headers: 49205376 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 10
Size of section headers: 40 (bytes)
Number of section headers: 37
Section header string table index: 36

Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .interp PROGBITS 00000174 000174 000013 00 A 0 0 1
[ 2] .note.ABI-tag NOTE 00000188 000188 000020 00 A 0 0 4
[ 3] .note.gnu.build-id NOTE 000001a8 0001a8 000024 00 A 0 0 4
[ 4] .dynsym DYNSYM 000001cc 0001cc 00b7c0 10 A 5 1 4
[ 5] .dynstr STRTAB 0000b98c 00b98c 0119c4 00 A 0 0 1
[ 6] .hash HASH 0001d350 01d350 004e0c 04 A 4 0 4
[ 7] .gnu.hash GNU_HASH 0002215c 02215c 000290 04 A 4 0 4
[ 8] .gnu.version VERSYM 000223ec 0223ec 0016f8 02 A 4 0 2
[ 9] .gnu.version_r VERNEED 00023ae4 023ae4 000530 00 A 5 18 4
[10] .rel.dyn REL 00024014 024014 16f100 08 A 4 0 4
[11] .rel.plt REL 00193114 193114 005460 08 A 4 13 4
[12] .init PROGBITS 00198574 198574 000030 00 AX 0 0 4
[13] .plt PROGBITS 001985b0 1985b0 00a8d0 04 AX 0 0 16
[14] .text PROGBITS 001a2e80 1a2e80 231bab8 00 AX 0 0 16
[15] malloc_hook PROGBITS 024be940 24be940 000800 00 AX 0 0 16
[16] google_malloc PROGBITS 024bf140 24bf140 005b34 00 AX 0 0 16
[17] .fini PROGBITS 024c4c74 24c4c74 00001c 00 AX 0 0 4
[18] .rodata PROGBITS 024c4ca0 24c4ca0 35aa4d 00 A 0 0 32
[19] .gcc_except_table PROGBITS 0281f6f0 281f6f0 000510 00 A 0 0 4
[20] .eh_frame PROGBITS 0281fc00 281fc00 4d948c 00 A 0 0 4
[21] .eh_frame_hdr PROGBITS 02cf908c 2cf908c 0eeb0c 00 A 0 0 4
[22] .tbss NOBITS 02de8d40 2de7d40 000004 00 WAT 0 0 4
[23] .data.rel.ro.local PROGBITS 02de8d40 2de7d40 03216c 00 WA 0 0 32
[24] .ctors PROGBITS 02e1aeac 2e19eac 000008 00 WA 0 0 4
[25] .dtors PROGBITS 02e1aeb4 2e19eb4 000008 00 WA 0 0 4
[26] .jcr PROGBITS 02e1aebc 2e19ebc 000004 00 WA 0 0 4
[27] .data.rel.ro PROGBITS 02e1aec0 2e19ec0 0bcfc4 00 WA 0 0 32
[28] .dynamic DYNAMIC 02ed7e84 2ed6e84 000280 08 WA 5 0 4
[29] .got PROGBITS 02ed8104 2ed7104 0044b8 00 WA 0 0 4
[30] .got.plt PROGBITS 02edc5bc 2edb5bc 002a3c 00 WA 0 0 4
[31] .data PROGBITS 02edf000 2ede000 00ea50 00 WA 0 0 32
[32] .init_array INIT_ARRAY 02eeda50 2eeca50 00049c 00 WA 0 0 4
[33] .bss NOBITS 02eedf00 2eeceec 03ebae 00 WA 0 0 32
[34] .note.gnu.gold-version NOTE 00000000 2eeceec 00001c 00 0 0 4
[35] .gnu_debuglink PROGBITS 00000000 2eecf08 000010 00 0 0 1
[36] .shstrtab STRTAB 00000000 2eecf18 000167 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x00000034 0x00000034 0x00140 0x00140 R 0x4
INTERP 0x000174 0x00000174 0x00000174 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x00000000 0x00000000 0x2de7b98 0x2de7b98 R E 0x1000
LOAD 0x2de7d40 0x02de8d40 0x02de8d40 0x1051ac 0x143d6e RW 0x1000
DYNAMIC 0x2ed6e84 0x02ed7e84 0x02ed7e84 0x00280 0x00280 RW 0x4
NOTE 0x000188 0x00000188 0x00000188 0x00044 0x00044 R 0x4
GNU_EH_FRAME 0x2cf908c 0x02cf908c 0x02cf908c 0xeeb0c 0xeeb0c R 0x4
LOOS+5041580 0x000000 0x00000000 0x00000000 0x00000 0x00000 0
TLS 0x2de7d40 0x02de8d40 0x02de8d40 0x00000 0x00004 R 0x4
GNU_RELRO 0x2de7d40 0x02de8d40 0x02de8d40 0xf62c0 0xf62c0 R 0x1

Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .note.gnu.build-id .dynsym .dynstr .hash .gnu.hash .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text malloc_hook google_malloc .fini .rodata .gcc_except_table .eh_frame .eh_frame_hdr
03 .data.rel.ro.local .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .init_array .bss
04 .dynamic
05 .note.ABI-tag .note.gnu.build-id
06 .eh_frame_hdr
07
08 .tbss
09 .data.rel.ro.local .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt

also did you try paxctl -c? it should be the preferred method when creating a new PT_PAX_FLAGS header.

It worked! After creating it with -c I used -m and now it runs, at least as far as I've lightly tested.

[PaX Team]

ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)

ah, it's a PIE, in such cases (and assuming you can't use paxctl -c) first you have to rebase the file with prelink -r to make room for the new ELF header then you can try paxctl -C.