denied executable mmap of

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

denied executable mmap of

Postby p1kus » Fri Aug 18, 2006 4:43 am

denied executable mmap of /etc/ld.so.cache by /sbin/gradm

strace gradm
...
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=48263, ...}) = 0
old_mmap(NULL, 48263, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f2d000
close(3) = 0
...

2.6.17.8-grsec, gradm v2.1.9

Can someone tell what is wrong?
p1kus
 
Posts: 15
Joined: Tue Jul 04, 2006 7:06 am

Postby spender » Sun Aug 20, 2006 12:04 pm

What distro and glibc version are you using? You seem to be the first person to have a glibc that wants to mmap /etc/ld.so.cache as executable.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby p1kus » Mon Aug 21, 2006 10:16 am

glibc-2.3.6 and slack 10.1, but it didnt happen before,
when i used
gradm v2.1.9
grsecurity-2.1.9-2.6.16.19-200606041421
i have got other problems

p1kus
p1kus
 
Posts: 15
Joined: Tue Jul 04, 2006 7:06 am

Re: denied executable mmap of

Postby PaX Team » Wed Aug 23, 2006 7:25 am

p1kus wrote:denied executable mmap of /etc/ld.so.cache by /sbin/gradm

strace gradm
...
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=48263, ...}) = 0
old_mmap(NULL, 48263, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f2d000
close(3) = 0
...

2.6.17.8-grsec, gradm v2.1.9

Can someone tell what is wrong?
your gcc probably doesn't emit PT_GNU_STACK or emits one with RWE rights (check readelf -l), that will turn on READ_IMPLIES_EXEC (if PaX/non-exec pages are disabled) and trigger grsec.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby p1kus » Thu Aug 24, 2006 3:40 am

readelf -l /sbin/gradm

Elf file type is EXEC (Executable file)
Entry point 0x8049570
There are 7 program headers, starting at offset 52

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x000e0 0x000e0 R E 0x4
INTERP 0x000114 0x08048114 0x08048114 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x28d1c 0x28d1c R E 0x1000
LOAD 0x029000 0x08071000 0x08071000 0x02428 0x07b1c RW 0x1000
DYNAMIC 0x029014 0x08071014 0x08071014 0x000c8 0x000c8 RW 0x4
NOTE 0x000128 0x08048128 0x08048128 0x00020 0x00020 R 0x4
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4

Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame
03 .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
04 .dynamic
05 .note.ABI-tag
06

from PAX options are only enabled
PAX_MEMORY_SANITIZE
PAX_MEMORY_UDEREF
p1kus
 
Posts: 15
Joined: Tue Jul 04, 2006 7:06 am

Postby PaX Team » Fri Aug 25, 2006 3:51 pm

p1kus wrote:readelf -l /sbin/gradm
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
thanks, so gradm is clean at least. what about the parent process of gradm (probably your shell)?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby p1kus » Mon Aug 28, 2006 4:53 am

readelf -l /bin/bash
...
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
...

thanks for help
p1kus
 
Posts: 15
Joined: Tue Jul 04, 2006 7:06 am

Postby PaX Team » Mon Aug 28, 2006 5:25 pm

p1kus wrote:readelf -l /bin/bash
...
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
...

thanks for help
that's the problem then, your bash says it wants an executable stack, which it doesn't really, but due to the broken PT_GNU_STACK crap the kernel believes it and gives it one. then due to further broken crap in READ_IMPLIES_EXEC handling all children of bash will also get flagged by this and that's why you get the gradm failure. solution is to fix your userland, or at least bash so that it's not marked with an RWE GNU_STACK. the quick workaround is execstack -c. if you had enabled non-exec page support in PaX, all this would not have occured btw as i disable GNU_STACK handling for good.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby p1kus » Wed Aug 30, 2006 11:59 am

CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
CONFIG_PAX_HOOK_ACL_FLAGS=y
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
# CONFIG_PAX_SEGMEXEC is not set
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y

I have enabled non-exec page support (should other EXEC options be enabled?)
and I still have problem with denied executable mmap of /etc/ld.so.cache.
but i noticed that kernel have RWE GNU_STACK
readelf -l vmlinux
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4

p1kus
p1kus
 
Posts: 15
Joined: Tue Jul 04, 2006 7:06 am

Postby PaX Team » Wed Aug 30, 2006 1:04 pm

p1kus wrote:I have enabled non-exec page support (should other EXEC options be enabled?)
yes, you need at least PAGEEXEC or SEGMEXEC.
but i noticed that kernel have RWE GNU_STACK
readelf -l vmlinux
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
vmlinux is not a userland application, what you see in its ELF headers has little to do with reality.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby p1kus » Thu Aug 31, 2006 9:47 am

thanks for help it's working
p1kus
 
Posts: 15
Joined: Tue Jul 04, 2006 7:06 am

same problem

Postby Einon » Fri Mar 02, 2007 9:11 am

Hi!

I run into this problem as well, I tried what's written above, but no use.
My system is:
Code: Select all
Linux junior 2.6.18.2-grsec #1 SMP Mon Nov 13 15:13:22 CET 2006 x86_64 GNU/Linux

config:
Code: Select all
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y

binaries:
Code: Select all
junior:~# readelf -l /bin/bash
...
GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000  RW     8
...
junior:~# readelf -l /usr/bin/perl
...
GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000  RW     8
...
junior:~# chpax -v /usr/bin/perl

----[ chpax 0.7 : Current flags for /usr/bin/perl (pemrxs) ]----

 * Paging based PAGE_EXEC       : disabled
 * Trampolines                  : not emulated
 * mprotect()                   : not restricted
 * mmap() base                  : not randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : disabled

junior:~#

GRADM: v.2.1.9

Tested with:
Code: Select all
www-data@junior:/home/terel/www.terel.eu$ perl -MHTML::Entities -e '$a = "Våre norske tegn bør &#230res"; decode_entities($a); print "$a\n";'
Can't load '/usr/lib/perl5/auto/HTML/Parser/Parser.so' for module HTML::Parser: /usr/lib/perl5/auto/HTML/Parser/Parser.so: failed to map segment from shared object: Permission denied at /usr/lib/perl/5.8/XSLoader.pm line 70.
 at /usr/lib/perl5/HTML/Parser.pm line 17
Compilation failed in require at /usr/lib/perl5/HTML/Entities.pm line 147.
Compilation failed in require.
BEGIN failed--compilation aborted.
www-data@junior:/home/terel/www.terel.eu$
Einon
 
Posts: 10
Joined: Tue Mar 22, 2005 6:40 am

Re: same problem

Postby PaX Team » Sat Mar 10, 2007 6:08 am

Einon wrote:I run into this problem as well
no, you didn't. instead you run into this:
Code: Select all
failed to map segment from shared object: Permission denied
which has been discussed several times on this board. reading the .config help about NOELFRELOCS is also useful at times...
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Return to grsecurity support