Did I screw up my config somewhere? (2.6.31.7)


Post by a nobody » Tue Dec 08, 2009 11:21 pm

Running a 2.6.31.7 kernel with the current stable patch. The behaviour was the same on 2.6.31.6 with the 2.6.31.6 patch (and the same config)

Did I screw it up somewhere, or is this expected behaviour?

Paxtest gives me:

Executable anonymous mapping : Vulnerable
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 18 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 24 bits (guessed)
Main executable randomisation (ET_EXEC) : 15 bits (guessed)
Main executable randomisation (ET_DYN) : 14 bits (guessed)
Shared library randomisation test : 15 bits (guessed)
Stack randomisation test (SEGMEXEC) : 24 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed

PaX config is:

CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_SEGMEXEC is not set
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y

System is stable Debian (if it matters) running on an AMD64 chip running as 32bit.
a nobody
 
Posts: 5
Joined: Tue Dec 08, 2009 10:48 pm

Re: Did I screw up my config somewhere? (2.6.31.7)

Post by a nobody » Wed Dec 09, 2009 12:49 am

As it turns out, I did screw up my config.

If anyone else is in the same boat, make sure you have CONFIG_X86_PAE enabled (which in turn requires 64GB highmem), or the NX bit won't be enabled. Once I turned that on the anonymous mapping tests got killed.

Still, a question... with NX disabled in segmentation mode PaX still functions (just with a significant performance hit) ... why did the anonymous mapping tests succeed?
a nobody
 
Posts: 5
Joined: Tue Dec 08, 2009 10:48 pm
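
The check described in the post above, as an added example that is not part of the original thread: a shell function that reads a kernel .config and a /proc/cpuinfo-style file and reports whether PAGEEXEC has hardware NX behind it. The function names, return codes and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does this x86 PaX config get hardware NX?
# check_pax_nx CONFIG_FILE CPUINFO_FILE
#   0 = PAGEEXEC backed by NX, 1 = 32-bit kernel built without PAE,
#   2 = CPU flags lack nx,     3 = PAGEEXEC not enabled

cfg_on() {                      # cfg_on FILE SYMBOL: true when SYMBOL=y
    grep -q "^$2=y\$" "$1"
}

check_pax_nx() {
    cfg=$1
    cpuinfo=$2
    if ! cfg_on "$cfg" CONFIG_PAX_PAGEEXEC; then
        echo "CONFIG_PAX_PAGEEXEC is not set"; return 3
    fi
    # On 32-bit x86 the NX bit exists only in PAE page-table entries,
    # so a non-PAE kernel cannot use it even on an NX-capable CPU.
    if ! cfg_on "$cfg" CONFIG_X86_64 && ! cfg_on "$cfg" CONFIG_X86_PAE; then
        echo "CONFIG_X86_PAE is not set: PAGEEXEC runs without NX"; return 1
    fi
    if ! grep -Eq '^flags.*[[:space:]]nx([[:space:]]|$)' "$cpuinfo"; then
        echo "CPU flags do not list nx: PAGEEXEC runs without NX"; return 2
    fi
    echo "PAGEEXEC is backed by hardware NX"; return 0
}

# Constructed sample input: PaX options as quoted in the first post, plus the
# highmem/PAE lines of a non-PAE build and a one-line cpuinfo stand-in.
demo_dir=$(mktemp -d)
cat > "$demo_dir/config" <<'EOF'
CONFIG_X86_32=y
CONFIG_HIGHMEM4G=y
# CONFIG_HIGHMEM64G is not set
# CONFIG_X86_PAE is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_SEGMEXEC is not set
CONFIG_PAX_MPROTECT=y
EOF
printf 'flags\t\t: fpu pae nx lm\n' > "$demo_dir/cpuinfo"

check_pax_nx "$demo_dir/config" "$demo_dir/cpuinfo" || true
rm -rf "$demo_dir"
```

On a live system, pass the running kernel's config (on Debian, /boot/config-$(uname -r)) and /proc/cpuinfo.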

Re: Did I screw up my config somewhere? (2.6.31.7)

Post by Grach » Wed Dec 09, 2009 5:23 am

a nobody wrote:Still, a question... with NX disabled in segmentation mode PaX still functions (just with a significant performance hit) ... why did the anonymous mapping tests succeed?

a nobody wrote:# CONFIG_PAX_SEGMEXEC is not set

Seems like you had no SEGMEXEC enabled. You could search through the PaX and grsec logs to find the reason why the other test procs were killed.
Grach
 
Posts: 66
Joined: Thu Feb 05, 2009 11:15 pm

Re: Did I screw up my config somewhere? (2.6.31.7)

Post by a nobody » Wed Dec 09, 2009 12:23 pm

Yeah I misspoke. What I meant to say was that PAGEEXEC still works without NX, just with a performance hit (and that was enabled) ... so I guess the question is still why did the anonymous mapping tests fail?
a nobody
 
Posts: 5
Joined: Tue Dec 08, 2009 10:48 pm

Re: Did I screw up my config somewhere? (2.6.31.7)

Post by PaX Team » Fri Dec 11, 2009 7:01 pm

a nobody wrote:Yeah I misspoke. What I meant to say was that PAGEEXEC still works without NX, just with a performance hit (and that was enabled) ... so I guess the question is still why did the anonymous mapping tests fail?

hmm, there should be nothing special with non-exec anon mappings, i'll try to reproduce it and see what's up.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Did I screw up my config somewhere? (2.6.31.7)

Post by a nobody » Fri Dec 11, 2009 10:36 pm

I recompiled with 64GB highmem and NX, the anon mapping tests were killed as expected, so it looks like it's only an issue for those of us dumb enough to run pageexec without NX.
a nobody
 
Posts: 5
Joined: Tue Dec 08, 2009 10:48 pm

Re: Did I screw up my config somewhere? (2.6.31.7)

Post by Oscon » Sat Dec 12, 2009 12:57 pm

a nobody wrote:Running a 2.6.31.7 kernel with the current stable patch. The behaviour was the same on 2.6.31.6 with the 2.6.31.6 patch (and the same config)

Did I screw it up somewhere, or is this expected behaviour?

Paxtest gives me:
...
Main executable randomisation (ET_EXEC) : 15 bits (guessed)
...
System is stable Debian (if it matters) running on an AMD64 chip running as 32bit.


Which paxtest did you use?

- paxtest 0.9.7-pre4 from debian lenny, for example?
- or a newer paxtest 0.9.7-pre6 from spender's home?

I remember there is a "new" getmain1 /for test of ET_EXEC rand./ in the newer paxtest. / static void->void /
The "new" getmain1 ought to return without randomisation (on debian or similar x86_32 binary distribution). :(
Oscon
 
Posts: 44
Joined: Fri Jun 11, 2004 6:32 pm

Re: Did I screw up my config somewhere? (2.6.31.7)

Post by a nobody » Sat Dec 12, 2009 5:09 pm

pre4 and pre5. Didn't know about pre6.
a nobody
 
Posts: 5
Joined: Tue Dec 08, 2009 10:48 pm

Re: Did I screw up my config somewhere? (2.6.31.7)

Post by Oscon » Sat Dec 12, 2009 5:25 pm

a nobody wrote:pre4 and pre5. Didn't know about pre6.

There is here.
Oscon
 
Posts: 44
Joined: Fri Jun 11, 2004 6:32 pm

