PaX Test results seem off


Postby GBit » Mon Dec 10, 2012 1:25 pm

config: http://pastebin.com/KnmZqV1z

blackhat results: http://pastebin.com/UNFnjCkG
Shouldn't I be getting back "return address contains a NULL byte." for the strcopy?

I know checksec.sh also doesn't necessarily report accurately but it's showing features disabled.
GCC stack protector support: Enabled
Strict user copy checks: Disabled
Enforce read-only kernel data: Disabled
Restrict /dev/mem access: Enabled
Restrict /dev/kmem access: Enabled

* grsecurity / PaX: Custom GRKERNSEC

Non-executable kernel pages: Disabled
Prevent userspace pointer deref: Disabled
Prevent kobject refcount overflow: Enabled
Bounds check heap object copies: Enabled
Disable writing to kmem/mem/port: Enabled
Disable privileged I/O: Disabled
Harden module auto-loading: Enabled
Hide kernel symbols: Enabled

I disable privileged I/O on purpose. But I have non-executable kernel pages enabled in my config. And strict user copy checks/ read only kernel data got disabled?
GBit
 
Posts: 81
Joined: Mon Jun 04, 2012 3:31 pm

Re: PaX Test results seem off

Postby PaX Team » Mon Dec 10, 2012 3:29 pm

GBit wrote:
> Shouldn't I be getting back "return address contains a NULL byte." for the strcopy?

which version of paxtest is this? also the aslr values seem to indicate that you compiled a 32 bit version of paxtest and not a native 64 bit version that your kernel would also support.

> But I have non-executable kernel pages enabled in my config.

KERNEXEC is not enabled in the config you posted.

> And strict user copy checks/ read only kernel data got disabled?

those are vanilla kernel features for which we have better alternatives (USERCOPY/KERNEXEC).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: PaX Test results seem off

Postby GBit » Mon Dec 10, 2012 3:37 pm

Ah, yes. I did a 32bit paxtest, which was not smart haha, I was wondering why the ASLR values seemed low (though higher than vanilla).

For kernexec, since it doesn't seem to be an available option in 'menuconfig' - what values does it take?


PaxTest doesn't seem to compile.

paxtest-0.9.9# make linux64
make -f Makefile.psm THEARCH=-m64
make[1]: Entering directory `/home/colin/Downloads/paxtest-0.9.9'
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o chpax-0.7/aout.o -c chpax-0.7/aout.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
chpax-0.7/aout.c:1:0: note: this is the location of the previous definition
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o chpax-0.7/chpax.o -c chpax-0.7/chpax.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
chpax-0.7/chpax.c:1:0: note: this is the location of the previous definition
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o chpax-0.7/elf32.o -c chpax-0.7/elf32.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
chpax-0.7/elf32.c:1:0: note: this is the location of the previous definition
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o chpax-0.7/elf64.o -c chpax-0.7/elf64.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
chpax-0.7/elf64.c:1:0: note: this is the location of the previous definition
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o chpax-0.7/flags.o -c chpax-0.7/flags.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
chpax-0.7/flags.c:1:0: note: this is the location of the previous definition
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o chpax-0.7/io.o -c chpax-0.7/io.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
chpax-0.7/io.c:1:0: note: this is the location of the previous definition
gcc -m64 -o chpax chpax-0.7/aout.o chpax-0.7/chpax.o chpax-0.7/elf32.o chpax-0.7/elf64.o chpax-0.7/flags.o chpax-0.7/io.o
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -fPIC -o shlibtest.o -c shlibtest.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
shlibtest.c:1:0: note: this is the location of the previous definition
gcc -m64 -shared -o shlibtest.so shlibtest.o
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -fPIC -o shlibtest2.o -c shlibtest2.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
shlibtest2.c:1:0: note: this is the location of the previous definition
gcc -m64 -shared -o shlibtest2.so shlibtest2.o
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o body.o -c body.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
body.c:1:0: note: this is the location of the previous definition
gcc -O2 -Wa,--noexecstack -D_FORTIFY_SOURCE=0 -DRUNDIR=\".\" -fno-stack-protector -m64 -o anonmap.o -c anonmap.c
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
anonmap.c:1:0: note: this is the location of the previous definition
gcc -m64 -lpthread -o anonmap body.o anonmap.o
body.o: In function `main':
body.c:(.text.startup+0x6b): undefined reference to `pthread_create'
body.c:(.text.startup+0x7f): undefined reference to `pthread_kill'
collect2: error: ld returned 1 exit status
make[1]: *** [anonmap] Error 1
rm shlibtest.o shlibtest2.o
make[1]: Leaving directory `/home/colin/Downloads/paxtest-0.9.9'
make: *** [linux64] Error 2
GBit
 
Posts: 81
Joined: Mon Jun 04, 2012 3:31 pm

Re: PaX Test results seem off

Postby PaX Team » Mon Dec 10, 2012 4:04 pm

GBit wrote:
> For kernexec, since it doesn't seem to be an available option in 'menuconfig' - what values does it take?

you enabled Xen which KERNEXEC is not compatible with.

> PaxTest doesn't seem to compile.

try paxtest from spender's home dir instead.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: PaX Test results seem off

Postby GBit » Mon Dec 10, 2012 4:07 pm

That's .9.9 from his directory.
GBit
 
Posts: 81
Joined: Mon Jun 04, 2012 3:31 pm

Re: PaX Test results seem off

Postby PaX Team » Mon Dec 10, 2012 4:20 pm

GBit wrote:
> That's .9.9 from his directory.

ah, i see what's going on, it's a bug in the makefile where it puts -lpthread before the object files. try something like this for a quick fix, based on the patch that gentoo carries (beware of whitespace damage, the lines have to be prefixed with a tab, not spaces):
diff -Naur paxtest-0.9.9.orig/Makefile paxtest-0.9.9/Makefile
--- paxtest-0.9.9.orig/Makefile 2010-02-22 18:47:19.000000000 -0500
+++ paxtest-0.9.9/Makefile      2010-08-09 07:50:53.000000000 -0400
@@ -136,7 +138,7 @@

 $(EXEC_TESTS) $(MPROT_TESTS): body.o
        $(CC) $(CFLAGS) -o $@.o -c $@.c
-       $(CC) $(LDFLAGS) $(PTHREAD) -o $@ $< $@.o
+       $(CC) $(LDFLAGS) -o $@ $< $@.o $(PTHREAD)

 $(RAND_TESTS): randbody.o
        $(CC) $(CFLAGS) -o $@.o -c $@.c
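Review bot: The recipe lines in this hunk (the $(CC) lines under "$(EXEC_TESTS) $(MPROT_TESTS): body.o") are indented with spaces as posted, and the header "@@ -136,7 +138,7 @@" starts two lines later in the new file although no earlier hunk adds any lines, so this looks excerpted from a longer patch. Restore the leading tabs before applying and expect the hunk to apply at an offset, or regenerate the diff against a pristine 0.9.9 tree.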
@@ -185,7 +187,7 @@

 $(MPROTSH_TESTS): body.o shlibtest.so
        $(CC) $(CFLAGS) -o $@.o -c $@.c
-       $(CC) $(LDFLAGS) $(DL) $(PTHREAD) -o $@ $@.o $^
+       $(CC) $(LDFLAGS) -o $@ $@.o $^ $(DL) $(PTHREAD)

 # used for RANDEXEC'd binaries
 retbody.o: body.c
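Review bot: In the $(MPROTSH_TESTS) link line the reason for moving $(DL) and $(PTHREAD) behind "$@.o $^" is not recorded anywhere in the Makefile. A one-line comment above the rule saying that libraries must follow the objects that reference them would keep the order from being flipped back, since the build log earlier in the thread shows the failure only as undefined references to pthread_create and pthread_kill.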
@@ -194,12 +196,12 @@
 # build as ET_EXEC (recommended by PaX Team, not really a requirement)
 $(RET_TESTS): retbody.o
        $(CC) $(CFLAGS) $(CC_ETEXEC) -o $@.o -c $@.c
-       $(CC) $(LDFLAGS) $(LD_ETEXEC) $(PTHREAD) -o $@ $< $@.o
+       $(CC) $(LDFLAGS) $(LD_ETEXEC) -o $@ $< $@.o $(PTHREAD)

 # build as ET_EXEC (not in Adamantix's Makefile)
 $(RETX_TESTS): retbody.o
        $(CC) $(CFLAGS) $(CC_ETEXEC) -o $@.o -c $@.c
-       $(CC) $(LDFLAGS) $(LD_ETEXEC) $(PTHREAD) -o $@ $< $@.o
+       $(CC) $(LDFLAGS) $(LD_ETEXEC) -o $@ $< $@.o $(PTHREAD)
        -$(PAXBIN) -C $@
        $(PAXBIN) -SPXM $@

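Review bot: Both link lines in this hunk ($(RET_TESTS) and $(RETX_TESTS)) still place $(LD_ETEXEC) ahead of the object files. That is fine as long as it expands only to linker flags, but if it ever carries a -l entry it will hit the same ordering problem, so say so in the comment above the rule or keep flags and libraries in separate variables.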
@@ -212,4 +214,4 @@
        $(CC) $(SHLDFLAGS) -shared -o $@ $<

 $(SHLIB_TESTS): body.o $(SHLIBS) shlibbss.o shlibdata.o
-       $(CC) $(LDFLAGS) $(PTHREAD) -o $@ body.o $@.o $(SHLIBS) $(DL)
+       $(CC) $(LDFLAGS) -o $@ body.o $@.o $(SHLIBS) $(DL) $(PTHREAD)
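Review bot: The $(SHLIB_TESTS) line is the fifth link recipe where the library order is fixed by hand; $(DL) was already trailing here and only $(PTHREAD) moves. Collecting the libraries in a single variable (say LIBS = $(DL) $(PTHREAD)) and appending it last in every link recipe would keep the order from drifting again.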
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
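
The whitespace damage PaX Team warns about in the post above, as an added example that is not part of the original thread: a shell helper that restores the tabs in a pasted Makefile diff so that both patch and make accept the result. The function names, the a/ and b/ paths and the three-line Makefile are constructed for illustration, modelled on the first hunk.

```shell
#!/bin/sh
# Added example (not from the thread): repair a whitespace-damaged Makefile diff.
TAB=$(printf '\t')

# Read a unified diff on stdin. Inside hunks, turn "marker + run of spaces"
# back into "marker + TAB" and give emptied context lines their " " marker.
# Assumes recipe lines were tab-indented and no removed line starts with "-- ".
retab_patch() {
    awk '
        /^@@ /                   { in_hunk = 1; print; next }
        /^(diff |--- |\+\+\+ )/  { in_hunk = 0; print; next }
        in_hunk && $0 == ""      { print " "; next }
        in_hunk && match($0, /^[ +-]  +/) {
            $0 = substr($0, 1, 1) "\t" substr($0, RLENGTH + 1)
        }
        { print }
    '
}

# Constructed demo: a tab-indented Makefile plus a diff pasted with spaces.
# Prints the number of lines (1) that carry the corrected, tab-led link command.
demo() {
    dir=$(mktemp -d) || return 1
    printf '$(EXEC_TESTS): body.o\n\t$(CC) $(CFLAGS) -o $@.o -c $@.c\n\t$(CC) $(LDFLAGS) $(PTHREAD) -o $@ $< $@.o\n' > "$dir/Makefile"
    cat > "$dir/damaged.diff" <<'EOF'
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,3 @@
 $(EXEC_TESTS): body.o
        $(CC) $(CFLAGS) -o $@.o -c $@.c
-       $(CC) $(LDFLAGS) $(PTHREAD) -o $@ $< $@.o
+       $(CC) $(LDFLAGS) -o $@ $< $@.o $(PTHREAD)
EOF
    retab_patch < "$dir/damaged.diff" |
        (cd "$dir" && patch -p1 >/dev/null) || { rm -rf "$dir"; return 1; }
    grep -cxF "${TAB}\$(CC) \$(LDFLAGS) -o \$@ \$< \$@.o \$(PTHREAD)" "$dir/Makefile"
    rm -rf "$dir"
}

[ "$(demo)" = 1 ] && echo "link line patched: tab restored, \$(PTHREAD) last"
```

patch -l (--ignore-whitespace) would let the damaged context lines match, but the added lines would still be written with leading spaces and make would stop with a "missing separator" error, which is why the tabs are restored first.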

Re: PaX Test results seem off

Postby GBit » Mon Dec 10, 2012 4:48 pm

Not sure what to do with that. I tried replacing the data in makefile.psm (as that's what it seems to be?) and then replacing the whitespace... but that seems to have made things worse haha so I assume I've messed something up.
GBit
 
Posts: 81
Joined: Mon Jun 04, 2012 3:31 pm

Re: PaX Test results seem off

Postby PaX Team » Mon Dec 10, 2012 5:06 pm

it's a patch against the main Makefile, but don't worry about it, just wait for spender's updated paxtest.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: PaX Test results seem off

Postby GBit » Mon Dec 10, 2012 6:04 pm

Sounds good, thanks.

edit: Yeah, the whitespace murdered the patch. I got half of it fixed, seemingly. The other half is broken.
GBit
 
Posts: 81
Joined: Mon Jun 04, 2012 3:31 pm
