grsecurity forums

by **dserrano5** » Thu Oct 17, 2013 3:38 pm

Hi,

I've recovered from the oblivion an old box I had, running 2.6.39.2-grsec. Yeah I know this kernel is probably unsupported, I just upgraded this box to debian 7 but grub-probe is getting killed, preventing me to use a new kernel (grub-install seems to run grub-probe). I want to upgrade, I promise!

Googling around my problem I found this thread. In it, the OP had some PaX flags that didn't make sense and once he run 'paxctl -z' on the binary everything started to work for him.

That's not my case:

Code: Select all: # paxctl -v grub-probe PaX control v0.7 Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu> file grub-probe does not have a PT_PAX_FLAGS program header, try conversion # paxctl -c grub-probe file grub-probe had a PT_GNU_STACK program header, converted # paxctl -v grub-probe PaX control v0.7 Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu> - PaX flags: -------x-e-- [grub-probe] RANDEXEC is disabled EMUTRAMP is disabled # paxctl -z grub-probe # paxctl -v /usr/sbin/grub-probe PaX control v0.7 Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu> - PaX flags: ------------ [/usr/sbin/grub-probe] # strace -tt grub-probe --device /dev/sda1 [ blah blah ] 21:15:23.723492 open("/dev/sda", O_RDONLY|O_LARGEFILE) = 3 21:15:23.723824 fstat64(3, {st_mode=S_IFBLK|0660, st_rdev=makedev(8, 0), ...}) = 0 21:15:23.724328 ioctl(3, BLKGETSIZE64, 0x5b415ba0) = 0 21:15:23.724660 ioctl(3, BLKSSZGET, 0x5b415bac) = 0 21:15:23.724966 close(3) = 0 21:15:23.725384 gettimeofday({1382037323, 725560}, NULL) = 0 21:15:23.725845 open("/dev/sda", O_RDONLY|O_SYNC|O_LARGEFILE|0x100000) = 3 21:15:23.726400 _llseek(3, 0, [0], SEEK_SET) = 0 21:15:23.726757 read(3, "\353c\220\20\216\320\274\0\260\270\0\0\216\330\216\300\373\276\0|\277\0\6\271\0\2\363\244\352!\6\0"..., 512) = 512 21:15:23.727133 read(3, "RV\276\33\201\3509\1^\277\364\201f\213-\203}\10\0\17\204\342\0\200|\377\0tFf\213\35"..., 32256) = 32256 21:15:23.733833 +++ killed by SIGKILL +++ Killed # zgrep CONFIG_PAX /proc/config.gz CONFIG_PAX=y # CONFIG_PAX_SOFTMODE is not set CONFIG_PAX_EI_PAX=y CONFIG_PAX_PT_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set CONFIG_PAX_HAVE_ACL_FLAGS=y # CONFIG_PAX_HOOK_ACL_FLAGS is not set CONFIG_PAX_NOEXEC=y CONFIG_PAX_PAGEEXEC=y CONFIG_PAX_SEGMEXEC=y # CONFIG_PAX_EMUTRAMP is not set CONFIG_PAX_MPROTECT=y # CONFIG_PAX_MPROTECT_COMPAT is not set CONFIG_PAX_ELFRELOCS=y CONFIG_PAX_KERNEXEC=y CONFIG_PAX_ASLR=y CONFIG_PAX_RANDKSTACK=y CONFIG_PAX_RANDUSTACK=y CONFIG_PAX_RANDMMAP=y CONFIG_PAX_MEMORY_SANITIZE=y # CONFIG_PAX_MEMORY_STACKLEAK is not set CONFIG_PAX_MEMORY_UDEREF=y CONFIG_PAX_REFCOUNT=y CONFIG_PAX_USERCOPY=y

RBAC isn't active (gradm isn't even installed). FWIW the processor ir a Via Nehemiah.

by **PaX Team** » Thu Oct 17, 2013 4:07 pm

it's probably nested function trampolines that trigger PaX (check the kernel log for the kill message) and since you don't have EMUTRAMP in your kernel, you'll have to disable MPROTECT on the grub binaries instead.

by **dserrano5** » Thu Oct 17, 2013 4:45 pm

Code: Select all: [4342974.627561] PAX: From 192.168.1.8: execution attempt in: <anonymous mapping>, 5b32f000-5b350000 bffdf000 [4342974.627624] PAX: terminating task: /usr/sbin/grub-probe(grub-probe):12220, uid/euid: 0/0, PC: 5b34eee4, SP: 5b34ec1c [4342974.627691] PAX: bytes at PC: b9 dc ee 34 5b e9 d2 63 d3 ac 89 51 a3 f2 34 5b 10 ef 34 5b [4342974.627780] PAX: bytes at SP-4: 08098d30 08076540 080c9400 5b34ee74 0808abee 0808a244 00000000 00000080 00000083 00000800 00000000 173ca800 00000000 00000000 00000000 00000000 5b34ec74 00000000 00000000 00000000 00000000

Code: Select all: # paxctl -m grub-probe

Code: Select all: [4343057.530485] PAX: From 192.168.1.8: execution attempt in: <anonymous mapping>, 58233000-58254000 bffdf000 [4343057.530548] PAX: terminating task: /usr/sbin/grub-probe(grub-probe):12228, uid/euid: 0/0, PC: 58253044, SP: 58252d7c [4343057.530619] PAX: bytes at PC: b9 3c 30 25 58 e9 72 22 e3 af 5c 4f 03 34 25 58 70 30 25 58 [4343057.530708] PAX: bytes at SP-4: 08098d30 08076540 080c8530 58252fd4 0808abee 0808a244 00000000 00000080 00000083 00000800 00000000 173ca800 00000000 00000000 00000000 00000000 58252dd4 00000000 00000000 00000000 00000000

However I think I solved it by brute force, which I could have tried before asking :roll:

Code: Select all: # for I in e p m x r s; do paxctl -z grub-probe; paxctl -$I grub-probe; paxctl -v grub-probe; grub-probe --target=fs --device /dev/sda1; done [ several failures ] PaX control v0.7 Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu> - PaX flags: ---s-------- [grub-probe] SEGMEXEC is disabled ext2

I needed to 'paxctl -s' all /usr/sbin/grub-* binaries to be able to 'grub-install /dev/sda'. Now when called from apt-get it still fails, but I'm confident I'll be able to sort it out. Thanks for answering!

by **BitL0G1c** » Thu Oct 24, 2013 12:44 pm

To make grub work on Debian I do:

Code: Select all: paxctl -Czpms /usr/sbin/grub-probe paxctl -Czpms /usr/bin/grub-mount paxctl -Czpms /usr/bin/grub-script-check paxctl -Czpms /usr/sbin/grub-mkdevicemap

grsecurity forums

grub-probe getting sigkill

grub-probe getting sigkill

Re: grub-probe getting sigkill

Re: grub-probe getting sigkill

Re: grub-probe getting sigkill