grsecurity forums

[kolargol]

Hi,

Recently i was trying to build kernel with gcc 5.1, and after using latest patch (3.1-3.14.43-201505171736) i got this error: (vanilla kernel builds OK)

Code: Select all

*** WARNING *** there are active plugins, do not report this as a bug unless you can reproduce it without enabling any plugins.
Event                            | Plugins
PLUGIN_FINISH_TYPE               | randomize_layout_plugin
PLUGIN_FINISH_DECL               | randomize_layout_plugin
PLUGIN_ATTRIBUTES                | latent_entropy_plugin randomize_layout_plugin
PLUGIN_START_UNIT                | latent_entropy_plugin
PLUGIN_ALL_IPA_PASSES_START      | randomize_layout_plugin
arch/x86/kernel/paravirt.c: In function ‘get_call_destination’:
arch/x86/kernel/paravirt.c:125:33: internal compiler error: in count_type_elements, at expr.c:5689
  struct paravirt_patch_template tmpl = {
                                 ^
Please submit a full bug report,
with preprocessed source if appropriate.
See <http://gcc.gnu.org/bugs.html> for instructions.
scripts/Makefile.build:308: recipe for target 'arch/x86/kernel/paravirt.o' failed
make[2]: *** [arch/x86/kernel/paravirt.o] Error 1
scripts/Makefile.build:455: recipe for target 'arch/x86/kernel' failed
make[1]: *** [arch/x86/kernel] Error 2
Makefile:915: recipe for target 'arch/x86' failed
make: *** [arch/x86] Error 2


Plugin size_overflow is of course off.

thanks,

[PaX Team]

can you determine which plugin causes this?

[kolargol]

yes, it is randomize_layout_plugin, after disabling GRKERNSEC_RANDSTRUCT grsec compile fine. So this seems to be second plugin not compatible with 5.1 (although i saw that ephox fixed size_overflow plugin for 5.1 on github but it's not ported to patch yet)

[kolargol]

it seems i was too optimistic, another problem on 5.1 this time seems with acl:

Code: Select all

  CC      grsecurity/gracl.o
In file included from /usr/src/linux-3.14.43/arch/x86/include/asm/processor.h:15:0,
                 from /usr/src/linux-3.14.43/arch/x86/include/asm/thread_info.h:23,
                 from include/linux/thread_info.h:54,
                 from /usr/src/linux-3.14.43/arch/x86/include/asm/preempt.h:6,
                 from include/linux/preempt.h:20,
                 from include/linux/spinlock.h:50,
                 from include/linux/seqlock.h:35,
                 from include/linux/time.h:5,
                 from include/linux/stat.h:18,
                 from include/linux/module.h:10,
                 from grsecurity/gracl.c:2:
/usr/src/linux-3.14.43/arch/x86/include/asm/current.h:17:17: error: ‘get_current’ is static but used in inline function ‘gr_acl_tpe_check’ which is not static [-Werror]
 #define current get_current()
                 ^
grsecurity/gracl.c:156:6: note: in expansion of macro ‘current’
  if (current->role->roletype & GR_ROLE_TPE)
      ^
In file included from include/linux/linkage.h:4:0,
                 from include/linux/kernel.h:6,
                 from grsecurity/gracl.c:1:
grsecurity/gracl.c:154:17: error: ‘gr_status’ is static but used in inline function ‘gr_acl_tpe_check’ which is not static [-Werror]
  if (unlikely(!(gr_status & GR_READY)))
                 ^
include/linux/compiler.h:175:42: note: in definition of macro ‘unlikely’
 # define unlikely(x) __builtin_expect(!!(x), 0)
                                          ^
cc1: all warnings being treated as errors
scripts/Makefile.build:308: recipe for target 'grsecurity/gracl.o' failed
make[1]: *** [grsecurity/gracl.o] Error 1
Makefile:915: recipe for target 'grsecurity' failed
make: *** [grsecurity] Error 2


[spender]

Can you try the patch just uploaded?

Thanks,
-Brad

[kolargol]

thanks for the patch, it fixes all above problems, and kernel build is done, but on grsec buildtime i see this errors:

LD grsecurity/built-in.o
/usr/src/linux-3.14.43/grsecurity/Makefile:47: recipe for target 'grsecurity/grsec_hidesym.o' failed
make[1]: [grsecurity/grsec_hidesym.o] Error 1 (ignored)
/usr/src/linux-3.14.43/grsecurity/Makefile:47: recipe for target 'grsecurity/grsec_hidesym.o' failed
make[1]: [grsecurity/grsec_hidesym.o] Error 1 (ignored)
/usr/src/linux-3.14.43/grsecurity/Makefile:47: recipe for target 'grsecurity/grsec_hidesym.o' failed
make[1]: [grsecurity/grsec_hidesym.o] Error 1 (ignored)
grsec: protected kernel image paths
LD drivers/amba/built-in.o

[spender]

That's fine, those errors can be ignored (as it mentions in the log). It's part of HIDESYM attempting to change the permissions of your /boot, /lib/modules*, and kernel source directories to prevent reading by unprivileged users. If these aren't already modified to do that, you should do so manually with chmod 700.

-Brad

[kolargol]

yes, thanks. Anyway seems that system do not boot with that kernel + patch on ec2, i am trying to investigate why it hung, for now i got not much:

Code: Select all

backend at /local/domain/0/backend/vbd/660/2128
104857600 sectors of 512 bytes
**************************


    GNU GRUB  version 0.97  (7864320K lower / 0K upper memory)



+-------------------------------------------------------------------------+||||||||||||||||||||||||+-------------------------------------------------------------------------+

    Use the ^ and v keys to select which entry is highlighted.

    Press enter to boot the selected OS, 'e' to edit the

    commands before booting, or 'c' for a command-line.  EC2_ESK                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      The highlighted entry will be booted automatically in 3 seconds.    The highlighted entry will be booted automatically in 2 seconds.    The highlighted entry will be booted automatically in 1 seconds.     Booting 'EC2_ESK'

root (hd0)

 Filesystem type is xfs, using whole disk

kernel /boot/vmlinuz-3.14.43-grsec-esk-pv root=/dev/xvda1

close blk: backend at /local/domain/0/backend/vbd/660/2049
close blk: backend at /local/domain/0/backend/vbd/660/2128


[PaX Team]

this is probably the same bug that i fixed already for 4.0 and now 3.14 as well, should be in the next grsec.

[kolargol]

yes, i can confirm that reverting patch fixes problem (running vanilla on same config).

[kolargol]

latest patch (grsecurity-3.1-3.14.43-201505191737.patch):

Starting Copy rules generated while the root was ro...
[ 1.353633] ffff8801d456fc70: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
[ 1.353645] ffff8801d456fc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
[ 1.353654] ffff8801d456fc90: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
[ 1.353660] ffff8801d456fca0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
[ 1.353667] XFS (xvda1): Internal error xfs_agi_read_verify at line 1580 of file fs/xfs/xfs_ialloc.c. Caller 0xffffffff812ec87d
[ 1.353676] CPU: 0 PID: 126 Comm: kworker/0:1H Not tainted 3.14.43-grsec-esk-pv #1
[ 1.353682] Workqueue: xfslogd ffffffff812ec810
[ 1.353687] 0000000000000000 1c114c0c536bc810 0000000000000000 0000000000000001
[ 1.353695] ffffffff81722154 ffff8801d4981010 ffffffff812ef24f ffffffff812ec87d
[ 1.353703] ffff8801d456fc70 ffff8801d44ee600 ffff8801d4981010 ffff8801dee0db40
[ 1.353710] Call Trace:
[ 1.353720] [<ffffffff81722154>] ? dump_stack+0x41/0x51
[ 1.353729] [<ffffffff812ef24f>] ? xfs_corruption_error+0x8f/0xa0
[ 1.353735] [<ffffffff812ec87d>] ? xfs_buf_iodone_work+0x6d/0x90
[ 1.353743] [<ffffffff813316d0>] ? xfs_agi_read_verify+0xf0/0x110
[ 1.353749] [<ffffffff812ec87d>] ? xfs_buf_iodone_work+0x6d/0x90
[ 1.353755] [<ffffffff812ec87d>] ? xfs_buf_iodone_work+0x6d/0x90
[ 1.353763] [<ffffffff81092fd5>] ? process_one_work+0x135/0x420
[ 1.353769] [<ffffffff810933d8>] ? worker_thread+0x118/0x490
[ 1.353778] [<ffffffff810932c0>] ? process_one_work+0x420/0x420
[ 1.353784] [<ffffffff8109ae8c>] ? kthread+0xcc/0xf0
[ 1.353789] [<ffffffff8109adc0>] ? insert_kthread_work+0x40/0x40
[ 1.353796] [<ffffffff81728509>] ? ret_from_fork+0x49/0x80
[ 1.353802] [<ffffffff8109adc0>] ? insert_kthread_work+0x40/0x40
[ 1.353807] XFS (xvda1): Corruption detected. Unmount and run xfs_repair
[ 1.353825] XFS (xvda1): metadata I/O error: block 0x2 ("xfs_trans_read_buf_map") error 117 numblks 1
[ 1.353835] XFS (xvda1): xfs_do_force_shutdown(0x1) called from line 376 of file fs/xfs/xfs_trans_buf.c. Return address = 0xffffffff8134bea8
[ 1.354377] XFS (xvda1): I/O Error Detected. Shutting down filesystem
[ 1.354386] XFS (xvda1): Please umount the filesystem and rectify the problem(s)
[ OK ] Started Load/Save Random Seed.
[ OK ] Started Create Volatile Files and Directories.
[FAILED] Failed to start Copy rules generated while the root was ro.
See 'systemctl status udev-finish.service' for details.
[ 1.374982] grsec: Invalid alignment/Bus error occurred at 00006cdd93664e48 in /bin/systemctl[systemctl:169] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
[ 1.375004] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /bin/systemctl[systemctl:169] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
[ 1.375163] systemd-journald[153]: Received request to flush runtime journal from PID 1
[FAILED] Failed to start Trigger Flushing of Journal to Persistent Storage.
...
...
...

[spender]

This bug had been reported before: viewtopic.php?f=3&t=4187 but the reporter didn't follow up with our steps to track down the source of the problem.
Since PaX had been ruled out previously, can you first try disabling KSTACKOVERFLOW to see if that solves the problem? If not, can you try a binary search approach to disabling grsecurity features to determine the culprit?

Thanks!
-Brad

[kolargol]

disabling KSTACKOVERFLOW do not improve situation. What should i disable next? Actually i can replace kernel and build it quite fast on ec2.

[kolargol]

update: setting grsec to automatic and "performance" fixes issue, this narrows things a bit...

[kolargol]

ok after few builds and testing i have found reason for this xfs crash, it is PAX_MEMORY_SANITIZE , i hope that helps :)