grsecurity forums

[konsul]

hello. can anyone help to track troubles with run subject progs? my situation: kernel 2.4.20 + last grsec stable release on x86. all chpax restrict disabled for server binary. but server failed to start with 'segmentatuon fault' error. grsec are DISABLED (obly patched kernel).. i can't understand this situation. strace return folowing:

----------------------------

strace -ff -o cgsrv /etc/init.d/CommuniGate start
Starting CommuniGate Pro /opt/CommuniGate/CGServer --Base /var/CommuniGate --Daemon
setbpt: ptrace(PTRACE_POKETEXT, ...): Input/output error
Process 9391 attached
Process 18490 suspended
Process 25646 attached
Process 26837 attached
Process 18490 resumed
Process 9391 detached
Process 9289 attached
Process 9289 detached
Process 22939 attached
Process 27402 attached
Process 17088 attached
Process 29450 attached
Process 25646 detached
Real-time signal 1
---------------------------

strace debug file show a lot of "rt_sigprocmask(SIG_SETMASK, NULL, [RTMIN], = 0
rt_sigsuspend([]--- SIGRTMIN (Real-time signal 0) ---
) = -1 EINTR (Interrupted system call)
sigreturn() = ? (mask now [RTMIN])
rt_sigprocmask(SIG_SETMASK, NULL, [RTMIN], = 0
rt_sigsuspend([]--- SIGRTMIN (Real-time signal 0) ---
) = -1 EINTR (Interrupted system call)" lines... what is it?

[PaX Team]

all chpax restrict disabled for server binary.

setbpt: ptrace(PTRACE_POKETEXT, ...): Input/output error

are you sure you did disable all PaX features on this binary? the above ptrace error message can normally happen only when MPROTECT and one of PAGEEXEC/SEGMEXEC are active.

[konsul]

yes i am.
---------------------------
/root/chpax/chpax -v ./CGServer

----[ chpax 0.2 : Current flags for ./CGServer ]----

* Paging based PAGE_EXEC : disabled
* Trampolines : emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : disabled

maintainer:/opt/CommuniGate# ./CGServer
Initiating CommuniGate Pro Server
Segmentation fault

.....
maintainer:/opt/CommuniGate# /root/chpax/chpax -v ./CGServer

----[ chpax 0.2 : Current flags for ./CGServer ]----

* Paging based PAGE_EXEC : enabled (overridden)
* Trampolines : emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : enabled

maintainer:/opt/CommuniGate# ./CGServer
Initiating CommuniGate Pro Server
Segmentation fault

-----------------------------------------
log do not contain any records about chpax, possibly it's a grsec restriction has effect..but grsec disabled... i don't understand.

[PaX Team]

log do not contain any records about chpax, possibly it's a grsec restriction has effect..but grsec disabled... i don't understand.

indeed, it's most likely not PaX because i just tried both the statically and the dynamically linked versions of CommuniGate Pro 4.0.6 and they started up fine.

[konsul]

so.. i recompile kernel with any debug options, and log looks like this:

-------------------
grsec: From x.x.x.x: exec of /opt/CommuniGate/CGServer (./CGServer ) by (bash:27776) UID(0) EUID(0), parent (bash:12312) UID(0) EUID(0)
grsec: From x.x.x.x: signal 11 sent to (CGServer:27776) UID(0) EUID(0), parent (bash:12312) UID(0) EUID(0)
--------------------

is anybody help to determine source of troubles?

[PaX Team]

is anybody help to determine source of troubles?

i should have asked it at beginning, but does CommuniGate work on your system with a vanilla kernel at all? second question, can you try out the statically linked version (i think you used the one in the .rpm which is a dynamically linked one, if it's the other way around, then try the .rpm of course)?

[spender]

I've just tried Communigate (both the static and dynamically linked versions) on a system with grsec, and it worked perfectly in both cases. This isn't a grsecurity issue, but some other problem with your system.

-Brad

[konsul]

i'm real in trouble. just for test, i install communigate on host with grsecurity-1.9.7-2.4.19.patch and it's working!!! some interesting, host which do not run cgp - is a production web server, and no any miscompatible was found with apache, ftpd, kernel anymore...later, i try to recompile clear kernel without any patches..so look.

[konsul]

so. i try the dinamicaly linked version of cgp, and it's working.... all right, thanls for help