grsecurity forums

[linkfanel]

Hello,

I get an annoying bug with the 2.6.17.4 kernel and the last grsecurity-2.1.9-2.6.17.4-200607120947.patch : processes receiving UDP packets will seemingly crash on a '14: Bad address' error. As for DNS resolution for instance :

Code: Select all

4:05 linkfanel@prue ~% host www.google.com
errno2result.c:109: unable to convert errno to isc_result: 14: Bad address
;; communications error: unexpected error
errno2result.c:109: unable to convert errno to isc_result: 14: Bad address
;; communications error: unexpected error
;; connection timed out; no servers could be reached
zsh: exit 1     host www.google.com


A simple piece of code listening to a UDP socket will give the same error on receiving a packet.

This problem happens only when I enable the 'Prevent invalid userland pointer dereference' option : everything works fine if I disable it.

Tests run on my IBM Thinkpad T42, .config available at http://andrea.via.ecp.fr/config-2.6.17.4-grsec_prue

[lobo]

I experienced the same problem with a 2.6.17.5 kernel and the latest grsecurity patch from ~spender.

Here is the strace output from "dig http://www.grsecurity.net"

http://silentwire.net/~lobo/files/grsec-dnsresolv.txt

[PaX Team]

can you guys post an strace -f output while nscd is turned off? i'm pretty sure it's the IP checksumming code again, but i need some leads as to what addresses are involved. you can also turn off randomization so that the addresses are easier to correlate.

edit: can you also try the PaX patch alone?

[lobo]

I wasn't able to compile the kernel with the pax patch (pax-linux-2.6.17-test11.patch). I got the same error message with 2.6.17 and 2.6.17.5.

Code: Select all

fs/built-in.o: In function `load_elf_binary':binfmt_elf.c:(.text+0x264e0): undefined reference to `pax_set_initial_flags'
make[1]: *** [.tmp_vmlinux1] Error 1
make[1]: Leaving directory `/home/lobo/tmp/linux-2.6.17'
make: *** [stamp-build] Error 2


But here is the strace -f output, until I get a working pax-only kernel. Nscd isn't installed on this server and randomization features were disabled.

http://silentwire.net/~lobo/files/grsec-dnsresolv2.txt

[PaX Team]

I wasn't able to compile the kernel with the pax patch (pax-linux-2.6.17-test11.patch). I got the same error message with 2.6.17 and 2.6.17.5.

your ACL hook method is not set to 'none'.

But here is the strace -f output, until I get a working pax-only kernel. Nscd isn't installed on this server and randomization features were disabled.

thanks, i see that the failing recvmsg did provide a valid address on a thread stack, i still don't see why accessing it from the kernel would fail though. also, can you tell me which package provides /usr/lib/libisc.so.11? bind-tools doesn't seem to.

[lobo]

Thx it was the ACL hook.

libisc.so.11 ist from the libisc11 Debian package and belongs to bind9.
If you want me to do some other tests, don't hessitate to ask, I have installed a test server here.

[linkfanel]

Here is the output of a simple strace -f perl -e 'use IO::Socket; $s=IO::Socket::INET->new(LocalPort=>1242,Proto=>"udp"); <$s>;' : http://andrea.via.ecp.fr/strace-perl

I tried with a nc -u -l -p 1242, and it doesn't give the same result, though it seems to hang after the first packet anyway : http://andrea.via.ecp.fr/strace-netcat

If you mind those are perl and netcat from debian sid. I hope this can help.

[PaX Team]

can you guys test -test13 please?

[lobo]

can you guys test -test13 please?

Yes, it works now, with -test13 and a 2.6.17.6 linux kernel

[linkfanel]

I confirm, linux 2.6.17.6 patched with -test13 works well. Thanks