CONFIG_PAX_MPROTECT_COMPAT not doing what it is supposed to


Post by careta » Sun Jan 10, 2016 6:31 am

With CONFIG_PAX_MPROTECT_COMPAT I still get a lot of failures in python, wine, chromium, firefox and other apps:

[ 632.469892] PAX: execution attempt in: <anonymous mapping>, 6df338502000-6df3386c8000 6df338502000
[ 632.469898] PAX: terminating task: /usr/bin/python2.7(blueman-applet):2757, uid/euid: 1000/1000, PC: 00006df338502010, SP: 0000712573c87e28
[ 632.469900] PAX: bytes at PC: 49 bb e2 fe ed 34 f3 6d 00 00 49 ba 10 20 50 38 f3 6d 00 00
[ 632.469909] PAX: bytes at SP-8: 000000000421aca0 00006df3354ace8a 000000000421aca0 0000000004656e90 0000000000000000 00006df3357708e0 0000712573c87e68 0000712573c87e70 00000000043d5a20 0000000004657e30 00006df338502010

[ 756.846834] PAX: execution attempt in: <anonymous mapping>, 6c72bacaf000-6c72bacbf000 6c72bacaf000
[ 756.846841] PAX: terminating task: /usr/lib/iceweasel/iceweasel(iceweasel):2892, uid/euid: 1000/1000, PC: 00006c72bacaf710, SP: 00007bb17b3e94f8
[ 756.846844] PAX: bytes at PC: 55 48 8b ec 53 41 54 41 55 41 56 41 57 ff 75 18 4c 8b f4 4c
[ 756.846854] PAX: bytes at SP-8: 00006c72ab49b400 00006c72b6dfd6cc 0000000000000000 00007bb17b3e96c8 0000001bab49003e 00000001000003e1 00006c72ab49b400 00006c729eff5c00 00007bb17b3ea1b0 0000000000000000 0000000000000000

[ 1366.097395] PAX: execution attempt in: <anonymous mapping>, 10001000-10180000 10001000
[ 1366.097399] PAX: terminating task: /media/msata/.PlayOnLinux/wine/linux-x86/1.9.0/bin/wine-preloader(idaq.exe):4808, uid/euid: 1000/1000, PC: 000000001014ce9d, SP: 000000000032fd7c
[ 1366.097401] PAX: bytes at PC: 8b ff 55 8b ec 83 7d 0c 01 75 05 e8 1b 08 00 00 ff 75 08 8b
[ 1366.097409] PAX: bytes at SP-8: 00000000 00000000 e59f54f6 10000000 00000001 00000001 1014ce9d 00111c08 e5a72cb0 0032fed8 e59f83fd 1014ce9d 10000000 00000001 00000001 ffffffff e5a40b80 00000000 e5a72cb0 00112d10 00000001 10000000

[ 1539.115260] PAX: execution attempt in: <anonymous mapping>, 6628e8406000-6628e8444000 6628e8406000
[ 1539.115266] PAX: terminating task: /usr/lib/chromium/chromium(chromium):5216, uid/euid: 1000/1000, PC: 00006628e842f680, SP: 0000761c01397b98
[ 1539.115268] PAX: bytes at PC: 55 48 89 e5 49 ba 00 00 00 00 01 00 00 00 41 52 41 52 41 54
[ 1539.115278] PAX: bytes at SP-8: 0000761c01397d08 00000a97de175fe9 0000000300000000 0000761c01397d08 00000a97e4fc3190 00000a97e4f78e60 00000a97e4fc3198 0000761c01397e38 0000000000000000 00000000ffffffff d7338779f2e37900
careta
 
Posts: 11
Joined: Sun May 18, 2014 6:43 pm

Re: CONFIG_PAX_MPROTECT_COMPAT not doing what it is supposed

Post by spender » Sun Jan 10, 2016 8:14 am

No, it's doing exactly what it's supposed to do. Over the past decade or so, due to SELinux implementing similar checks as PAX_MPROTECT, apps that previously used RWX allocations without checking the return value or having any kind of fallback now are doing so, so it's not recommended to use PAX_MPROTECT_COMPAT on modern systems, especially on a desktop. What will happen due to PAX_MPROTECT_COMPAT is those RWX allocations will be silently demoted to RW, and when an execution attempt then happens in that RW allocation that the app thinks is RWX, you see exactly the kinds of logs you've pasted here. These apps (with the exception of python that should only need EMUTRAMP enabled) all need MPROTECT disabled on them as they need to be able to generate arbitrary code at runtime.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: CONFIG_PAX_MPROTECT_COMPAT not doing what it is supposed

Post by careta » Sun Jan 10, 2016 6:10 pm

Thanks for confirming Brad, I'll disable it then.

Is there a public wiki or something where I can put the apps that need it disabled? It would be a good idea to add to the grsecurity site.

How can I identify whether a program needs trampolines or mprotect? Trial and error?
careta
 
Posts: 11
Joined: Sun May 18, 2014 6:43 pm

Re: CONFIG_PAX_MPROTECT_COMPAT not doing what it is supposed

Post by PaX Team » Sun Jan 10, 2016 10:41 pm

careta wrote:Is there a public wiki or something where I can put the apps that need it disabled? It would be a good idea to add to the grsecurity site.

how about patches against paxctld? ;)

careta wrote:How can I identify whether a program needs trampolines or mprotect? Trial and error?

that's a bit harder, you basically need to decode the machine code dumped in the PaX kill report and see if they match any of the emulated trampolines. it's probably best if you just post them here and we'll figure it out for you.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
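
Added example, not part of the thread and not PaX or grsecurity code: a small triage script for the check described in the post above. It pairs each "terminating task" line with its "bytes at PC" line and compares the dumped bytes against GCC nested-function trampoline encodings. Assumptions: the signature table stands in for the trampolines EMUTRAMP emulates and should be confirmed against the fault handler of the PaX patch in use; the names `classify` and `triage` are hypothetical. The sample lines are copied from the kill reports in the first post.

```python
import re

# GCC nested-function trampoline encodings ("??" = any byte). Assumption: these
# are the shapes to compare against; confirm with your PaX patch's fault handler.
SIGNATURES = {
    "x86-64: movabs r11,imm64; movabs r10,imm64; jmp *r11":
        "49 bb" + " ??" * 8 + " 49 ba" + " ??" * 8 + " 49 ff e3",
    "x86-64: mov r11d,imm32; movabs r10,imm64; jmp *r11":
        "41 bb" + " ??" * 4 + " 49 ba" + " ??" * 8 + " 49 ff e3",
    "i386: mov ecx,imm32; jmp rel32":
        "b9" + " ??" * 4 + " e9" + " ??" * 4,
}
TASK_RE = re.compile(r"PAX: terminating task: .*\((.+?)\):(\d+), uid/euid")
CODE_RE = re.compile(r"PAX: bytes at PC: ((?:[0-9a-f]{2} ?)+)")

def classify(code):
    """Return (signature name, fully_covered) or (None, False)."""
    for name, spec in SIGNATURES.items():
        sig = spec.split()
        n = min(len(sig), len(code))  # the report dumps only 20 bytes
        if n >= 6 and all(s == "??" or int(s, 16) == b for s, b in zip(sig, code)):
            return name, n == len(sig)  # False: the dump ends before the signature does
    return None, False

def triage(log):
    """Pair each 'terminating task' line with the 'bytes at PC' line after it."""
    results, task = [], None
    for line in log.splitlines():
        if m := TASK_RE.search(line):
            task = (m.group(1), int(m.group(2)))
        elif (m := CODE_RE.search(line)) and task:
            results.append((*task, *classify(bytes.fromhex(m.group(1)))))
            task = None
    return results

# Sample input: lines copied from the kill reports quoted in the first post.
SAMPLE = """\
[ 632.469898] PAX: terminating task: /usr/bin/python2.7(blueman-applet):2757, uid/euid: 1000/1000, PC: 00006df338502010, SP: 0000712573c87e28
[ 632.469900] PAX: bytes at PC: 49 bb e2 fe ed 34 f3 6d 00 00 49 ba 10 20 50 38 f3 6d 00 00
[ 1539.115266] PAX: terminating task: /usr/lib/chromium/chromium(chromium):5216, uid/euid: 1000/1000, PC: 00006628e842f680, SP: 0000761c01397b98
[ 1539.115268] PAX: bytes at PC: 55 48 89 e5 49 ba 00 00 00 00 01 00 00 00 41 52 41 52 41 54
"""

if __name__ == "__main__":
    for comm, pid, sig, full in triage(SAMPLE):
        print(comm, pid, sig or "no trampoline signature", "" if full or not sig else "(dump truncated)")
```

A match only says the faulting bytes look like a trampoline; a report with no match starts with ordinary generated code, the case the thread handles by disabling MPROTECT for that binary.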

Re: CONFIG_PAX_MPROTECT_COMPAT not doing what it is supposed

Post by careta » Mon Jan 11, 2016 6:11 pm

PaX Team wrote:how about patches against paxctld? ;)

Not sure what you mean by that... you want to build a blacklist on paxctl? Identify the program and apply/remove the correct protections? And where can I find the repo for paxctl?

FYI, at least in Debian, python2.7 only needs mprotect off, emutramp doesn't need to be enabled.
careta
 
Posts: 11
Joined: Sun May 18, 2014 6:43 pm

Re: CONFIG_PAX_MPROTECT_COMPAT not doing what it is supposed

Post by PaX Team » Mon Jan 11, 2016 6:30 pm

careta wrote:Not sure what you mean by that... you want to build a blacklist on paxctl?

not paxctl but paxctld, from https://grsecurity.net/download.php .

careta wrote:FYI, at least in Debian, python2.7 only needs mprotect off, emutramp doesn't need to be enabled.

that's the wrong way about it, enabling EMUTRAMP is always preferred to disabling MPROTECT, you should only do the latter if EMUTRAMP isn't enough.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: CONFIG_PAX_MPROTECT_COMPAT not doing what it is supposed

Post by careta » Tue Jan 12, 2016 7:50 pm

PaX Team wrote:not paxctl but paxctld, from https://grsecurity.net/download.php .
FYI, at least in Debian, python2.7 only needs mprotect off, emutramp doesn't need to be enabled.
that's the wrong way about it, enabling EMUTRAMP is always preferred to disabling MPROTECT, you should only do the latter if EMUTRAMP isn't enough.


OK, I'll have a look at paxctld.
However, I've just confirmed and for me at least EMUTRAMP is not enough. It definitely needs MPROTECT disabled.
careta
 
Posts: 11
Joined: Sun May 18, 2014 6:43 pm

