grsecurity forums

Skip to content

Paxtest

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.
Topic locked

Paxtest

Postby siti » Thu Oct 30, 2003 4:34 am

Hello,

When running paxtest I get two tests that should be killed or not work but are still working. I have enabled all useful options under Address Space Protection:

Code: Select all
[*] Enforce non-executable pages
[ ] Paging based non-executable pages
[*] Segmentation based non-executable pages
[ ]    Emulate trampolines     
[*]    Restrict mprotect()                   
[ ]     Disallow ELF text relocations (DANGEROUS)       
[*] Address Space Layout Randomization   
[*]   Randomize kernel stack base   
[*]   Randomize user stack base   
[*]   Randomize mmap() base   
[ ]   Randomize ET_EXEC base
[ ] Deny writing to /dev/kmem, /dev/mem, and /dev/port
[ ] Disable privileged I/O
[*] Remove addresses from /proc/pid/[maps|stat]
[*] Hide kernel symbols           



But:

Code: Select all
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
 
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
 
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 16 bits (guessed)
Heap randomisation test (ET_EXEC)        : 25 bits (guessed)
Heap randomisation test (ET_DYN)         : 25 bits (guessed)
Main executable randomisation (ET_EXEC)  : 17 bits (guessed)
Main executable randomisation (ET_DYN)   : 17 bits (guessed)
Shared library randomisation test        : 16 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 23 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Return to function (memcpy, RANDEXEC)    : Executable shared library bss   : Killed
Executable shared library data           : Killed
Writable text segments                   : Killed


I also have "hardened-gcc" (gentoo) installed which does ET_DYN. I have recompiled glibc with hardened-gcc enabled and paxtest with hardened-gcc .
siti
 
Posts: 18
Joined: Fri Aug 08, 2003 6:30 pm
Top

Postby spender » Thu Oct 30, 2003 11:25 am

You can't expect to pass the RANDEXEC tests when you don't have "Randomize ET_EXEC base" enabled in your kernel.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Top

Postby siti » Fri Oct 31, 2003 6:16 am

I now have "Randomize ET_EXEC base" in my kernel but still the "strcpy" tests are vulnerable. Is there any way I can fix these to stop them being vulnarable?
siti
 
Posts: 18
Joined: Fri Aug 08, 2003 6:30 pm
Top

Postby PaX Team » Fri Oct 31, 2003 7:24 am

siti wrote:I now have "Randomize ET_EXEC base" in my kernel but still the "strcpy" tests are vulnerable. Is there any way I can fix these to stop them being vulnarable?
which version of paxtest are you using? a few days ago i fixed some bugs related to the stack layout of code produced by gcc 3.2+ (it seems that you're using gentoo which in turn uses 3.2+ by default). the latest version is http://pageexec.virtualave.net/paxtest-0.9.4.tar.gz.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top

Postby siti » Fri Oct 31, 2003 3:02 pm

I was using 0.94.
siti
 
Posts: 18
Joined: Fri Aug 08, 2003 6:30 pm
Top

Postby PaX Team » Fri Oct 31, 2003 4:53 pm

siti wrote:I was using 0.94.
ok, then something is still buggy (notice how the output of the memcpy tests are broken). could you please send me/make available your rettofunc2 and rettofunc2x binaries and tell me which gcc version you used (gentoo offers both 3.2.x and 3.3.x)?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top

Postby Skry » Thu Jan 27, 2005 6:22 am

I had exactly the same problem, well, actually i figured it out today but anyways, tried everything i could think of to fix that situation. Nothing worked :) As i was not sure if the fault was in paxtest, or somewhere else, i emerged libsafe (which is listed as masked on gentoo btw) and now everything is working fine for me.

Code: Select all
Return to function (strcpy)              : Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /usr/lib/paxtest/rettofunc1.
Call stack:
Killed

Return to function (strcpy, RANDEXEC)    : Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /usr/lib/paxtest/rettofunc1x.
Call stack:
Killed

Return to function (memcpy)              : Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /usr/lib/paxtest/rettofunc2.
Call stack:
Killed

Return to function (memcpy, RANDEXEC)    : Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /usr/lib/paxtest/rettofunc2x.
Call stack:
Killed


I think i'm a bit late with my post :>
Skry
 
Posts: 1
Joined: Thu Jan 27, 2005 6:15 am
Top
Topic locked

Return to grsecurity support

Powered by phpBB® Forum Software © phpBB Group