grsecurity forums

[nowshining]

1st: the below results mean randomization is working right?

Code: Select all

Anonymous mapping randomisation test     : 18 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 24 bits (guessed)
Main executable randomisation (ET_EXEC)  : 18 bits (guessed)
Main executable randomisation (ET_DYN)   : 18 bits (guessed)
Shared library randomisation test        : 18 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 24 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)

Below are the vulnerabilities left I see - Would these also have something to do with not enabling mprotect?

Code: Select all

 
Executable anonymous mapping             : Vulnerable
Executable bss                           : Vulnerable
Executable data                          : Vulnerable
Executable heap                          : Vulnerable
Executable stack                         : Vulnerable
Executable shared library bss            : Vulnerable
Writable text segments                   : Vulnerable


Below is the paxtest un-modified - I know about the options that have mprotect so I have no questions regarding those as I know that since I didn't enable mprotect those would be vulnerable.

Code: Select all

 

PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux botnetgodalphamale 2.6.24.7-botnetgodalphamale-grsec #1 Mon Jun 23 14:13:25 PDT 2008 i686 GNU/Linux

Executable anonymous mapping             : Vulnerable
Executable bss                           : Vulnerable
Executable data                          : Vulnerable
Executable heap                          : Vulnerable
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 18 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 24 bits (guessed)
Main executable randomisation (ET_EXEC)  : 18 bits (guessed)
Main executable randomisation (ET_DYN)   : 18 bits (guessed)
Shared library randomisation test        : 18 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 24 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
Return to function (strcpy)              : Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /home/nowshining/Desktop/paxtest-0.9.7-pre4/rettofunc1.
    uid=1000  euid=1000  pid=17397
Call stack:
    0xa8f81871   /lib/libsafe.so.2.0.16
    0xa8f8197a   /lib/libsafe.so.2.0.16
    0x8048805   /home/nowshining/Desktop/paxtest-0.9.7-pre4/rettofunc1
    0x80489d1   /home/nowshining/Desktop/paxtest-0.9.7-pre4/rettofunc1
    0xa8e3704b   /lib/libc-2.6.1.so
Overflow caused by strcpy()
Killed
Return to function (strcpy, RANDEXEC)    : Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /home/nowshining/Desktop/paxtest-0.9.7-pre4/rettofunc1x.
    uid=1000  euid=1000  pid=17400
Call stack:
    0xa4775871   /lib/libsafe.so.2.0.16
    0xa477597a   /lib/libsafe.so.2.0.16
    0x80489c5   /home/nowshining/Desktop/paxtest-0.9.7-pre4/rettofunc1x
    0x8048971   /home/nowshining/Desktop/paxtest-0.9.7-pre4/rettofunc1x
    0xa462b04b   /lib/libc-2.6.1.so
Overflow caused by strcpy()
Killed
Return to function (memcpy)              : Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /home/nowshining/Desktop/paxtest-0.9.7-pre4/rettofunc2.
    uid=1000  euid=1000  pid=17403
Call stack:
    0xae444871   /lib/libsafe.so.2.0.16
    0xae444c5d   /lib/libsafe.so.2.0.16
    0x804876c   /home/nowshining/Desktop/paxtest-0.9.7-pre4/rettofunc2
    0x8048911   /home/nowshining/Desktop/paxtest-0.9.7-pre4/rettofunc2
    0xae2fa04b   /lib/libc-2.6.1.so
Overflow caused by memcpy()
Killed
Return to function (memcpy, RANDEXEC)    : Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /home/nowshining/Desktop/paxtest-0.9.7-pre4/rettofunc2x.
    uid=1000  euid=1000  pid=17406
Call stack:
    0xb1018871   /lib/libsafe.so.2.0.16
    0xb1018c5d   /lib/libsafe.so.2.0.16
    0x804892c   /home/nowshining/Desktop/paxtest-0.9.7-pre4/rettofunc2x
    0x80488e1   /home/nowshining/Desktop/paxtest-0.9.7-pre4/rettofunc2x
    0xb0ece04b   /lib/libc-2.6.1.so
Overflow caused by memcpy()
Killed
Executable shared library bss            : Vulnerable
Executable shared library data           : Killed
Writable text segments                   : Vulnerable



[PaX Team]

1st: the below results mean randomization is working right?

yes.

Below are the vulnerabilities left I see - Would these also have something to do with not enabling mprotect?

this shows that non-exec pages aren't enforced at all. what is your PaX .config exactly? what's your CPU type? does it have NX bit support (/proc/cpuinfo)? if it does, did you enable PAE in .config?

[nowshining]

1st: the below results mean randomization is working right?

yes.

Below are the vulnerabilities left I see - Would these also have something to do with not enabling mprotect?

this shows that non-exec pages aren't enforced at all. what is your PaX .config exactly? what's your CPU type? does it have NX bit support (/proc/cpuinfo)? if it does, did you enable PAE in .config?

My CPU is 32-bit - PAE seems to be for 64-bit so what should I eleminate due to having a 32-bit computer? Alas so does the NX bit seem to be only for 64bit computers or newer 32-bits I don't have, most likely only for 64bit + computers 'cause I don't seem to have it so would enabling PAE which is marked as "n" and shown in 64-bit resources make any difference on my cpu/machine?

Code: Select all

 
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 2
model name      : Intel(R) Pentium(R) 4 CPU 2.66GHz
stepping        : 9
cpu MHz         : 2660.118
cache size      : 512 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe pebs bts sync_rdtsc cid xtpr
bogomips        : 5322.00
clflush size    : 64


as for your question about it not being forced, and ah! however I use xfree86 ie:xorg, wine and java in the browser so I didn't enable it.

So from the above info. before posting the final .config what can be ellimated from the vulnerabilities also being from not enabling mprotect & not having NXBIt, etc..? all or none? and what vunlerability if any is left from the above conclusions.

[PaX Team]

My CPU is 32-bit - PAE seems to be for 64-bit so what should I eleminate due to having a 32-bit computer?

PAE mode was originally created to address more than 4GB RAM, even on otherwise 32 bit CPUs. later this mode was also used to add the NX bit into the page table entry format. in any case, your CPU doesn't support NX, so as far as PaX is concerned, you can only use SEGMEXEC to get non-exec pages.

as for your question about it not being forced, and ah! however I use xfree86 ie:xorg, wine and java in the browser so I didn't enable it.

So from the above info. before posting the final .config what can be ellimated from the vulnerabilities also being from not enabling mprotect & not having NXBIt, etc..? all or none? and what vunlerability if any is left from the above conclusions.

SEGMEXEC is safe to enable, MPROTECT depends on whether you want to bother with manually marking the incompatible applications or not (all of java/wine/xorg/etc work fine if you disable MPROTECT on the respective binaries, for wine you'll also need to disable SEGMEXEC because it doesn't like the reduced address space).

[nowshining]

My CPU is 32-bit - PAE seems to be for 64-bit so what should I eleminate due to having a 32-bit computer?

PAE mode was originally created to address more than 4GB RAM, even on otherwise 32 bit CPUs. later this mode was also used to add the NX bit into the page table entry format. in any case, your CPU doesn't support NX, so as far as PaX is concerned, you can only use SEGMEXEC to get non-exec pages.

as for your question about it not being forced, and ah! however I use xfree86 ie:xorg, wine and java in the browser so I didn't enable it.

So from the above info. before posting the final .config what can be ellimated from the vulnerabilities also being from not enabling mprotect & not having NXBIt, etc..? all or none? and what vunlerability if any is left from the above conclusions.

SEGMEXEC is safe to enable, MPROTECT depends on whether you want to bother with manually marking the incompatible applications or not (all of java/wine/xorg/etc work fine if you disable MPROTECT on the respective binaries, for wine you'll also need to disable SEGMEXEC because it doesn't like the reduced address space).

So according to your answer I need to enable mprotect abd segnexec enable protection for the following:

Code: Select all

 
xecutable anonymous mapping             : Vulnerable
Executable bss                           : Vulnerable
Executable data                          : Vulnerable
Executable heap                          : Vulnerable
Executable stack                         : Vulnerable
Executable shared library bss            : Vulnerable
Writable text segments                   : Vulnerable


If so again I have no need to proceed and my questions have been answered. Thank you. Hopefully this post will help someone in the future.

[PaX Team]

So according to your answer I need to enable mprotect abd segnexec enable protection for the following:

SEGMEXEC is enough to get non-exec page behaviour, MPROTECT is needed to make it a guaranteed enforcement (of the quoted tests, only the last one tests that).