xen + pax + 2.6.27


Re: xen + pax + 2.6.27

Postby gaima » Fri Feb 12, 2010 5:39 pm

[quote="cormander"]For what it's worth, CONFIG_GRKERNSEC_HIGH set CONFIG_PAX_KERNEXEC, which causes the xen domU to not even boot. When I set it to custom, CONFIG_PAX_KERNEXEC got correctly removed (via !XEN in its kconfig), and was able to boot.[/quote]

Ahh, so it does. I hadn't noticed that.
It didn't occur to me that changing from HIGH to CUSTOM would actually change any other settings.
MPROTECT was the first thing I explicitly disabled after changing from HIGH to CUSTOM, and naturally presumed that was what fixed it.
Re-enabling MPROTECT does not prevent the kernel from booting, so there is no bug there.

Linux prca-backup 2.6.32-hardened-r4 #24 SMP Fri Feb 12 21:29:03 GMT 2010 x86_64 Quad-Core AMD Opteron(tm) Processor 2352 AuthenticAMD GNU/Linux


Mike
gaima
 
Posts: 27
Joined: Fri Feb 12, 2010 12:17 pm

Re: xen + pax + 2.6.27

Postby spender » Sat Feb 13, 2010 11:12 pm

I've fixed the autoconfiguration for the 'high' setting in the latest patch.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: xen + pax + 2.6.27

Postby sfaerber » Mon Mar 08, 2010 4:48 pm

[quote="PaX Team"][quote="cormander"]Output simply ends when it should show booting. This produces the following in "xm dmesg":[/quote]
thanks, it seems that the per-cpu segment register is incorrectly set up, i'll take a look.[/quote]


any news on 32bit support for 2.6.32?
I just tried 2.6.32.9 with grsecurity-2.1.14-2.6.32.9-201003071225.patch

I see the following in "xm dmesg", the domU crashed almost instantly:
Code:
(XEN) traps.c:405:d11 Unhandled general protection fault fault/trap [#13] in domain 11 on VCPU 0 [ec=0000]
(XEN) domain_crash_sync called from entry.S
(XEN) Domain 11 (vcpu#0) crashed on cpu#15:
(XEN) ----[ Xen-3.1.2-164.11.1.el5  x86_64  debug=n  Not tainted ]----
(XEN) CPU:    15
(XEN) RIP:    e019:[<00000000c1006643>]
(XEN) RFLAGS: 0000000000000292   CONTEXT: guest
(XEN) rax: 000000000000000c   rbx: 00000000c1c03000   rcx: 00000000c16a0020
(XEN) rdx: 00000000c1626000   rsi: 00000000c1c00000   rdi: 00000000c1576160
(XEN) rbp: 00000000c15adfd4   rsp: 00000000c15adfc4   r8:  0000000000000000
(XEN) r9:  0000000000000000   r10: 0000000000000000   r11: 0000000000000000
(XEN) r12: 0000000000000000   r13: 0000000000000000   r14: 0000000000000000
(XEN) r15: 0000000000000000   cr0: 000000008005003b   cr4: 00000000000026b0
(XEN) cr3: 00000006128c1000   cr2: 0000000000000000
(XEN) ds: e021   es: e021   fs: 00d8   gs: 0000   ss: e021   cs: e019
(XEN) Guest stack trace from esp=c15adfc4:
(XEN)   00000000 c1006643 0001e019 00010092 c15adffc c1006596 c16a0020 c16305d2
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 c1a00000
(XEN)   c1a01000 c1a02000 c1a03000 c1a04000 c1a05000 c1a06000 c1a07000 c1a08000
(XEN)   c1a09000 c1a0a000 c1a0b000 c1a0c000 c1a0d000 c1a0e000 c1a0f000 c1a10000
(XEN)   c1a11000 c1a12000 c1a13000 c1a14000 c1a15000 c1a16000 c1a17000 c1a18000
(XEN)   c1a19000 c1a1a000 c1a1b000 c1a1c000 c1a1d000 c1a1e000 c1a1f000 c1a20000
(XEN)   c1a21000 c1a22000 c1a23000 c1a24000 c1a25000 c1a26000 c1a27000 c1a28000
(XEN)   c1a29000 c1a2a000 c1a2b000 c1a2c000 c1a2d000 c1a2e000 c1a2f000 c1a30000
(XEN)   c1a31000 c1a32000 c1a33000 c1a34000 c1a35000 c1a36000 c1a37000 c1a38000
(XEN)   c1a39000 c1a3a000 c1a3b000 c1a3c000 c1a3d000 c1a3e000 c1a3f000 c1a40000
(XEN)   c1a41000 c1a42000 c1a43000 c1a44000 c1a45000 c1a46000 c1a47000 c1a48000
(XEN)   c1a49000 c1a4a000 c1a4b000 c1a4c000 c1a4d000 c1a4e000 c1a4f000 c1a50000
(XEN)   c1a51000 c1a52000 c1a53000 c1a54000 c1a55000 c1a56000 c1a57000 c1a58000
(XEN)   c1a59000 c1a5a000 c1a5b000 c1a5c000 c1a5d000 c1a5e000 c1a5f000 c1a60000
(XEN)   c1a61000 c1a62000 c1a63000 c1a64000 c1a65000 c1a66000 c1a67000 c1a68000
(XEN)   c1a69000 c1a6a000 c1a6b000 c1a6c000 c1a6d000 c1a6e000 c1a6f000 c1a70000
(XEN)   c1a71000 c1a72000 c1a73000 c1a74000 c1a75000 c1a76000 c1a77000 c1a78000
(XEN)   c1a79000 c1a7a000 c1a7b000 c1a7c000 c1a7d000 c1a7e000 c1a7f000 c1a80000
(XEN)   c1a81000 c1a82000 c1a83000 c1a84000 c1a85000 c1a86000 c1a87000 c1a88000
(XEN)   c1a89000 c1a8a000 c1a8b000 c1a8c000 c1a8d000 c1a8e000 c1a8f000 c1a90000


I disabled nearly everything pax related but that didn't help:
Code:
# grep -i pax .config
# PaX
# CONFIG_PAX is not set
CONFIG_PAX_MEMORY_SANITIZE=y
# CONFIG_PAX_REFCOUNT is not set
CONFIG_PAX_USERCOPY=y


Would be great if you could have a look. I'm happy to test patches or supply my vmlinux/.config if necessary.

-Sebastian
sfaerber
 
Posts: 14
Joined: Thu Sep 03, 2009 5:41 am

Re: xen + pax + 2.6.27

Postby PaX Team » Tue Mar 09, 2010 7:59 am

[quote="sfaerber"]any news on 32bit support for 2.6.32?[/quote]
not yet, could you please send me the vmlinux image corresponding to this crash? or just tell me what code is around c1006643.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: xen + pax + 2.6.27

Postby cormander » Tue Mar 09, 2010 10:32 am

I have been having this same problem, with both devel and stable.

Here is the 2.6.33 i686 xen domU crash:

Code:
(XEN) traps.c:405:d428 Unhandled general protection fault fault/trap [#13] in domain 428 on VCPU 0 [ec=0000]
(XEN) domain_crash_sync called from entry.S
(XEN) Domain 428 (vcpu#0) crashed on cpu#0:
(XEN) ----[ Xen-3.1.2-128.1.6.el5  x86_64  debug=n  Not tainted ]----
(XEN) CPU:    0
(XEN) RIP:    e019:[<00000000c1005937>]
(XEN) RFLAGS: 0000000000000246   CONTEXT: guest
(XEN) rax: 000000000000000c   rbx: 00000000c1c23000   rcx: 00000000c181c008
(XEN) rdx: 00000000c179f000   rsi: 00000000c17dd610   rdi: 00000000c1724ed8
(XEN) rbp: 00000000c1709fd0   rsp: 00000000c1709fc0   r8:  0000000000000000
(XEN) r9:  0000000000000000   r10: 0000000000000000   r11: 0000000000000000
(XEN) r12: 0000000000000000   r13: 0000000000000000   r14: 0000000000000000
(XEN) r15: 0000000000000000   cr0: 000000008005003b   cr4: 00000000000006f0
(XEN) cr3: 00000000b46f1000   cr2: 0000000000000000
(XEN) ds: e021   es: e021   fs: 00d8   gs: 0000   ss: e021   cs: e019
(XEN) Guest stack trace from esp=c1709fc0:
(XEN)   00000000 c1005937 0001e019 00010046 c1709ffc c10058ca c181c008 c17a9260
(XEN)   00000000 00000000 00000000 00000000 00000000 c1c20000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
(XEN)   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000


Here are the related files:

http://build.cormander.com/job/linux-2. ... ws/vmlinux
http://build.cormander.com/job/linux-2. ... ap/*view*/
http://build.cormander.com/job/linux-2. ... ig/*view*/


I posted the info for the 2.6.32.9 build but for some reason the build system is throwing errors viewing the workspace. I had to wipe it out and rebuild. When it's done, you'll find the files here:

http://build.cormander.com/job/linux-2. ... ws/vmlinux
http://build.cormander.com/job/linux-2. ... ap/*view*/
http://build.cormander.com/job/linux-2. ... ig/*view*/

Let me know if you need anything else.
Last edited by cormander on Tue Mar 09, 2010 10:50 am, edited 1 time in total.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: xen + pax + 2.6.27

Postby sfaerber » Tue Mar 09, 2010 10:46 am

[quote="PaX Team"][quote="sfaerber"]any news on 32bit support for 2.6.32?[/quote]
not yet, could you please send me the vmlinux image corresponding to this crash? or just tell me what code is around c1006643.[/quote]


Here's the code:
Code:
c1006640 <xen_irq_disable>:
c1006640:       55                      push   %ebp
c1006641:       89 e5                   mov    %esp,%ebp
c1006643:       64 a1 0c 00 00 00       mov    %fs:0xc,%eax
c1006649:       c6 40 01 01             movb   $0x1,0x1(%eax)
c100664d:       5d                      pop    %ebp
c100664e:       c3                      ret
c100664f:       90                      nop

c1006650 <xen_irq_enable>:
c1006650:       55                      push   %ebp
c1006651:       89 e5                   mov    %esp,%ebp
c1006653:       83 ec 0c                sub    $0xc,%esp
c1006656:       89 1c 24                mov    %ebx,(%esp)
c1006659:       89 74 24 04             mov    %esi,0x4(%esp)
c100665d:       89 7c 24 08             mov    %edi,0x8(%esp)
c1006661:       64 a1 0c 00 00 00       mov    %fs:0xc,%eax
c1006667:       c6 40 01 00             movb   $0x0,0x1(%eax)
c100666b:       80 38 00                cmpb   $0x0,(%eax)
c100666e:       75 0f                   jne    c100667f <xen_irq_enable+0x2f>
c1006670:       8b 1c 24                mov    (%esp),%ebx
c1006673:       8b 74 24 04             mov    0x4(%esp),%esi
c1006677:       8b 7c 24 08             mov    0x8(%esp),%edi
c100667b:       89 ec                   mov    %ebp,%esp
c100667d:       5d                      pop    %ebp
c100667e:       c3                      ret
c100667f:       31 db                   xor    %ebx,%ebx
c1006681:       31 c9                   xor    %ecx,%ecx
c1006683:       e8 98 bb ff ff          call   c1002220 <hypercall_page+0x220>
c1006688:       eb e6                   jmp    c1006670 <xen_irq_enable+0x20>
c100668a:       8d b6 00 00 00 00       lea    0x0(%esi),%esi


Thanks for your help!

-Sebastian
sfaerber
 
Posts: 14
Joined: Thu Sep 03, 2009 5:41 am
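
Added example, not part of any post in this thread: a small Python helper that pulls the faulting RIP out of a Xen crash report in "xm dmesg" and resolves it against a System.map, which is the lookup requested above for c1006643. The log lines are copied from the thread; the System.map excerpt is constructed from the addresses in the disassembly, with assumed type letters and a hypothetical data symbol.

```python
import bisect
import re

# Lines copied from the first "xm dmesg" crash quoted in this thread.
SAMPLE_LOG = """\
(XEN) Domain 11 (vcpu#0) crashed on cpu#15:
(XEN) RIP:    e019:[<00000000c1006643>]
"""
# Constructed System.map excerpt: code addresses come from the disassembly in
# the thread; the type letters and the data symbol are assumptions.
SAMPLE_MAP = """\
c1002000 T hypercall_page
c1006640 t xen_irq_disable
c1006650 t xen_irq_enable
c1700000 D constructed_data_symbol
"""
DOMAIN_RE = re.compile(r"\(XEN\) Domain (\d+) \(vcpu#(\d+)\) crashed")
RIP_RE = re.compile(r"\(XEN\)\s+RIP:\s+([0-9a-f]{4}):\[<([0-9a-f]+)>\]")

def parse_system_map(text):
    """Return sorted (address, name) pairs for code (t/T/w/W) symbols."""
    symbols = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in {"t", "T", "w", "W"}:
            symbols.append((int(parts[0], 16), parts[2]))
    return sorted(symbols)

def resolve(symbols, addr):
    """Map addr to 'symbol+0xoff' via the nearest symbol at or below it."""
    i = bisect.bisect_right([a for a, _ in symbols], addr) - 1
    if i < 0:
        return None  # address lies below every known symbol
    base, name = symbols[i]
    return f"{name}+{addr - base:#x}"

def crashes(log, symbols):
    """Return (domain, vcpu, cs, rip, location) for each crash in the log."""
    found, domain, vcpu = [], None, None
    for line in log.splitlines():
        if m := DOMAIN_RE.search(line):
            domain, vcpu = int(m.group(1)), int(m.group(2))
        elif m := RIP_RE.search(line):
            rip = int(m.group(2), 16)
            found.append((domain, vcpu, m.group(1), rip, resolve(symbols, rip)))
    return found

if __name__ == "__main__":
    for crash in crashes(SAMPLE_LOG, parse_system_map(SAMPLE_MAP)):
        print("domain %d vcpu %d cs=%s rip=%#x at %s" % crash)
```

For the crash quoted in this thread the helper reports xen_irq_disable+0x3, which is the `mov %fs:0xc,%eax` instruction in the disassembly.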

Re: xen + pax + 2.6.27

Postby spender » Sun May 02, 2010 8:42 am

32bit Xen domU should now be compatible with grsec/PaX as of the patches uploaded last night. Let us know if you still experience any problems.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: xen + pax + 2.6.27

Postby sfaerber » Mon May 03, 2010 2:22 pm

[quote="spender"]32bit Xen domU should now be compatible with grsec/PaX as of the patches uploaded last night. Let us know if you still experience any problems.

-Brad[/quote]


Thanks for the effort, unfortunately I still can't boot the 32bit Kernel as a Xen domU.
See http://forums.grsecurity.net/viewtopic.php?f=1&t=1913&start=30#p9805 for details

-Sebastian
sfaerber
 
Posts: 14
Joined: Thu Sep 03, 2009 5:41 am
