linux-sendpage Tainted

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

linux-sendpage Tainted

Postby fed.linuxgossip » Mon Jul 26, 2010 4:53 pm

Hi,

I see following error logs

Message from syslogd@server01 at Mon Jul 26 09:52:56 2010 ...

server01 kernel: general protection fault: 0000 [#19] SMP



Message from syslogd@server01 at Mon Jul 26 09:52:56 2010 ...

server01 kernel: Process linux-sendpage (pid: 29267, ti=f26a6000
task=c85f1700 task.ti=f26a6000)



Message from syslogd@server01 at Mon Jul 26 09:52:56 2010 ...

server01 kernel: Stack: c05a2024 00001000 00000000 c065d300 f26a6e74
c0487458 00001000 f26a6e0c



root@server01 [/var/log]# grep linux-sendpage messages
Jul 26 09:52:56 server01 kernel: Pid: 29267, comm: linux-sendpage Tainted: P D (2.6.25.9-grsec #1)
Jul 26 09:52:56 server01 kernel: Process linux-sendpage (pid: 29267, ti=f26a6000 task=c85f1700 task.ti=f26a6000)
root@server01 [/var/log]#




Server Details
-----------------------------
root@server01 [~]# uname -a
Linux server01.somedomain.tld 2.6.25.9-grsec #1 SMP Fri Aug 15 00:21:16 CDT 2008 i686 i686 i386 GNU/Linux
root@server01 [~]# cat /etc/redhat-release
Red Hat Enterprise Linux ES release 4 (Nahant Update 8)
root@server01 [~]#
Processor model name: Intel(R) Xeon(R) CPU E5430 @ 2.66GHz





Can you please advise, what this error means.
fed.linuxgossip
 
Posts: 21
Joined: Mon Feb 25, 2008 9:46 am

Re: linux-sendpage Tainted

Postby spender » Mon Jul 26, 2010 6:30 pm

Do you have KERNEXEC or UDEREF enabled? Your kernel is horribly outdated and apparently doesn't have mmap_min_addr, so judging by the binary name you're being hit with the sendpage() local root exploit:

http://blog.cr0.org/2009/08/linux-null- ... ue-to.html

The exact exploit likely being used (again, just based on the name) is:
http://downloads.securityfocus.com/vuln ... /36038-6.c

If KERNEXEC and UDEREF are enabled, you're protected against exploitation of the bug for privilege escalation. Nevertheless, you really need to update your kernel and fix whatever vector was used to gain remote access to the system.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support

cron