Problems migrating from uclibc to uclibc-ng
I am trying to migrate from uclibc to uclibc-ng.

First, I found 2 typos in the wiki at
https://wiki.gentoo.org/wiki/Project:Hardened_uClibc#Migration_to_uClibc-ng

cp -a /var/tmp/portage/sys-libs/uclibc-ng/image/lib /lib.new should be
cp -a /var/tmp/portage/sys-libs/uclibc-ng-1.0.17/image/lib /lib.new

ls -al /lib/ld-uClibc.so.0 should be
ls -al /lib/ld*-uClibc.so.0 to take into account 64-bit systems


But now, I have several PAX errors, cannot start X or use GNU
coreutils (that static busybox comes in handy), as you can see below:

This is pedro.O (Linux x86_64 4.4.8-hardened-r1) 21:57:56

pedro login: drener
[19640.729329] grsec: denied marking stack executable as requested by
PT_GNU_STACK
marking in /lib/libuClibc-0.1.0.19.so by /bin/login[login:13309] uid/euid:0/0
gid/egid:0/0, parent /ginit[init:1] uid/euid:0/0 gid/egid:0/0
Password:
[19643.202924] grsec: denied marking stack executable as requested by
PT_GNU_STACK
marking in /lib/libuClibc-0.1.0.19.so by /usr/bin/id[id:13310]
uid/euid:1000/1000
gid/egid:1000/1000, parent /ginit[ash:13309] uid/euid:1000/1000
gid/egid:1000/1000
[19643.215949] grsec: denied marking stack executable as requested by
PT_GNU_STACK
marking in /lib/libuClibc-0.1.0.19.so by /usr/bin/id[id:13317]
uid/euid:1000/1000
gid/egid:1000/1000, parent /ginit[ash:13309] uid/euid:1000/1000
gid/egid:1000/1000
[19643.220535] grsec: denied marking stack executable as requested by
PT_GNU_STACK
marking in /lib/libuClibc-0.1.0.19.so by /usr/bin/dircolors[dircolors:13318]
uid/euid:1000/1000 gid/egid:1000/1000, parent /ginit[ash:13309]
uid/euid:1000/1000
gid/egid:1000/1000
[19643.227779] grsec: denied marking stack executable as requested by
PT_GNU_STACK
marking in /lib/libuClibc-0.1.0.19.so by /usr/bin/dircolors[dircolors:13319]
uid/euid:1000/1000 gid/egid:1000/1000, parent /ginit[ash:13309]
uid/euid:1000/1000
gid/egid:1000/1000
-ash: /home/drener/.bashrc: line 72: syntax error: bad function name

drener@l.pedro 2 ~
$ startx
[19645.530064] grsec: denied marking stack executable as requested by
PT_GNU_STACK
marking in /lib/libuClibc-0.1.0.19.so by /usr/bin/startx[startx:13320]
uid/euid:1000/1000 gid/egid:1000/1000, parent /ginit[ash:13309]
uid/euid:1000/1000
gid/egid:1000/1000

/bin/dash: symbol 'sigsetmask': can't resolve symbol

drener@l.pedro 255 ~
$

I used the configuration file at
https://gitweb.gentoo.org/proj/releng.git/tree/tools-uclibc/portage.amd64.hardened/savedconfig/sys-libs/uclibc-ng
. And my kernel is configured to obey PaX flags from XATTR only. What
is going on here?

--
René Rhéaume
Re: Problems migrating from uclibc to uclibc-ng
On 12/11/16 10:11 PM, René Rhéaume wrote:
> I am trying to migrate from uclibc to uclibc-ng.
>
> First, I found 2 typos in the wiki at
> https://wiki.gentoo.org/wiki/Project:Hardened_uClibc#Migration_to_uClibc-ng
>
> cp -a /var/tmp/portage/sys-libs/uclibc-ng/image/lib /lib.new should be
> cp -a /var/tmp/portage/sys-libs/uclibc-ng-1.0.17/image/lib /lib.new
>
> ls -al /lib/ld-uClibc.so.0 should be
> ls -al /lib/ld*-uClibc.so.0 to take into account 64-bit systems
>
>
> But now, I have several PAX errors, cannot start X or use GNU
> coreutils (that static busybox comes in handy), as you can see below:
>
> This is pedro.O (Linux x86_64 4.4.8-hardened-r1) 21:57:56
>
> pedro login: drener
> [19640.729329] grsec: denied marking stack executable as requested by
> PT_GNU_STACK
> marking in /lib/libuClibc-0.1.0.19.so by /bin/login[login:13309] uid/euid:0/0
> gid/egid:0/0, parent /ginit[init:1] uid/euid:0/0 gid/egid:0/0
> Password:
> [19643.202924] grsec: denied marking stack executable as requested by
> PT_GNU_STACK
> marking in /lib/libuClibc-0.1.0.19.so by /usr/bin/id[id:13310]
> uid/euid:1000/1000
> gid/egid:1000/1000, parent /ginit[ash:13309] uid/euid:1000/1000
> gid/egid:1000/1000
> [19643.215949] grsec: denied marking stack executable as requested by
> PT_GNU_STACK
> marking in /lib/libuClibc-0.1.0.19.so by /usr/bin/id[id:13317]
> uid/euid:1000/1000
> gid/egid:1000/1000, parent /ginit[ash:13309] uid/euid:1000/1000
> gid/egid:1000/1000
> [19643.220535] grsec: denied marking stack executable as requested by
> PT_GNU_STACK
> marking in /lib/libuClibc-0.1.0.19.so by /usr/bin/dircolors[dircolors:13318]
> uid/euid:1000/1000 gid/egid:1000/1000, parent /ginit[ash:13309]
> uid/euid:1000/1000
> gid/egid:1000/1000
> [19643.227779] grsec: denied marking stack executable as requested by
> PT_GNU_STACK
> marking in /lib/libuClibc-0.1.0.19.so by /usr/bin/dircolors[dircolors:13319]
> uid/euid:1000/1000 gid/egid:1000/1000, parent /ginit[ash:13309]
> uid/euid:1000/1000
> gid/egid:1000/1000
> -ash: /home/drener/.bashrc: line 72: syntax error: bad function name
>
> drener@l.pedro 2 ~
> $ startx
> [19645.530064] grsec: denied marking stack executable as requested by
> PT_GNU_STACK
> marking in /lib/libuClibc-0.1.0.19.so by /usr/bin/startx[startx:13320]
> uid/euid:1000/1000 gid/egid:1000/1000, parent /ginit[ash:13309]
> uid/euid:1000/1000
> gid/egid:1000/1000
>
> /bin/dash: symbol 'sigsetmask': can't resolve symbol
>
> drener@l.pedro 255 ~
> $
>
> I used the configuration file at
> https://gitweb.gentoo.org/proj/releng.git/tree/tools-uclibc/portage.amd64.hardened/savedconfig/sys-libs/uclibc-ng
> . And my kernel is configured to obey PaX flags from XATTR only. What
> is going on here?
>

It looks like a couple of things.

First, can you run `readelf -l` on libuClibc-0.1.0.19.so and several
binaries that fail?

Second, dash seems broken for other reasons. You may try to rebuild it.
uclibc-ng most certainly provides sigsetmask.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: Problems migrating from uclibc to uclibc-ng
2016-12-21 7:06 GMT-05:00 Anthony G. Basile <basile@opensource.dyc.edu>:
>
> First, can you run `readelf -l` on libuClibc-0.1.0.19.so and several
> binaries that fail?

drener@l.pedro 0 ~
$ readelf -l /lib/libuClibc-0.1.0.19.so

Elf file type is DYN (Shared object file)
Entry point 0x14bc0
There are 10 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                 0x0000000000000230 0x0000000000000230  R E    8
  INTERP         0x000000000006b610 0x000000000006b610 0x000000000006b610
                 0x0000000000000016 0x0000000000000016  R      10
      [Requesting program interpreter: /lib/ld64-uClibc.so.0]
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000081d78 0x0000000000081d78  R E    200000
  LOAD           0x0000000000081f20 0x0000000000281f20 0x0000000000281f20
                 0x00000000000015b4 0x000000000001ab48  RW     200000
  DYNAMIC        0x0000000000082760 0x0000000000282760 0x0000000000282760
                 0x0000000000000190 0x0000000000000190  RW     8
  TLS            0x0000000000081f20 0x0000000000281f20 0x0000000000281f20
                 0x0000000000000008 0x0000000000000018  R      8
  GNU_EH_FRAME   0x000000000006b628 0x000000000006b628 0x000000000006b628
                 0x0000000000003b8c 0x0000000000003b8c  R      4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    10
  GNU_RELRO      0x0000000000081f20 0x0000000000281f20 0x0000000000281f20
                 0x00000000000010e0 0x00000000000010e0  R      1
  PAX_FLAGS      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000         8

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .gnu.hash .dynsym .dynstr .rela.dyn .rela.plt .plt .text
          __libc_freeres_fn .rodata .interp .eh_frame_hdr .eh_frame
          .gcc_except_table
   03     .tdata .fini_array .data.rel.ro .dynamic .got .data .bss
   04     .dynamic
   05     .tdata .tbss
   06     .eh_frame_hdr
   07
   08     .tdata .fini_array .data.rel.ro .dynamic .got
   09

drener@l.pedro 0 ~
$ readelf -l /bin/coreutils
readelf: Error: Reading 0x17000300000000 bytes extends past end of
file for string table

Elf file type is DYN (Shared object file)
Entry point 0x12130
There are 9 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                 0x00000000000001f8 0x00000000000001f8  R E    8
  INTERP         0x0000000000000238 0x0000000000000238 0x0000000000000238
                 0x0000000000000016 0x0000000000000016  R      1
      [Requesting program interpreter: /lib/ld64-uClibc.so.0]
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x000000000011a2bc 0x000000000011a2bc  R E    200000
  LOAD           0x000000000011b0f0 0x000000000031b0f0 0x000000000031b0f0
                 0x000000000000a900 0x000000000001efb0  RW     200000
  DYNAMIC        0x0000000000124000 0x0000000000324000 0x0000000000324000
                 0x0000000000000240 0x0000000000000240  RW     8
readelf: Error: no .dynamic section in the dynamic segment
  GNU_EH_FRAME   0x0000000000109b4c 0x0000000000109b4c 0x0000000000109b4c
                 0x0000000000002d24 0x0000000000002d24  R      4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     8
  GNU_RELRO      0x000000000011b0f0 0x000000000031b0f0 0x000000000031b0f0
                 0x0000000000009f10 0x0000000000009f10  R      1
  PAX_FLAGS      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000         8

drener@l.pedro 0 ~
$ readelf -l /bin/coreutils
readelf: Error: Reading 0x17000300000000 bytes extends past end of
file for string table

Elf file type is DYN (Shared object file)
Entry point 0x12130
There are 9 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                 0x00000000000001f8 0x00000000000001f8  R E    8
  INTERP         0x0000000000000238 0x0000000000000238 0x0000000000000238
                 0x0000000000000016 0x0000000000000016  R      1
      [Requesting program interpreter: /lib/ld64-uClibc.so.0]
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x000000000011a2bc 0x000000000011a2bc  R E    200000
  LOAD           0x000000000011b0f0 0x000000000031b0f0 0x000000000031b0f0
                 0x000000000000a900 0x000000000001efb0  RW     200000
  DYNAMIC        0x0000000000124000 0x0000000000324000 0x0000000000324000
                 0x0000000000000240 0x0000000000000240  RW     8
readelf: Error: no .dynamic section in the dynamic segment
  GNU_EH_FRAME   0x0000000000109b4c 0x0000000000109b4c 0x0000000000109b4c
                 0x0000000000002d24 0x0000000000002d24  R      4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     8
  GNU_RELRO      0x000000000011b0f0 0x000000000031b0f0 0x000000000031b0f0
                 0x0000000000009f10 0x0000000000009f10  R      1
  PAX_FLAGS      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000         8
Re: Problems migrating from uclibc to uclibc-ng
On 12/26/16 6:54 PM, René Rhéaume wrote:
> $ readelf -l /lib/libuClibc-0.1.0.19.so
>
> GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
> 0x0000000000000000 0x0000000000000000 RWE 10

I don't know how you got an executable stack on libuClibc-0.1.0.19.so
and this is going to cause *every* executable to trigger a problem with
a pax hardened kernel.

You can try to rebuild this and see if it goes away, or trace it down
otherwise, or you can use a program I wrote to remove the X on the stack:

https://gitweb.gentoo.org/proj/elfix.git/tree/misc/fix-gnustack

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
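
The check and fix discussed in the reply above, as an added example that is not part of the thread and is not the code of the linked fix-gnustack tool: it locates PT_GNU_STACK in an in-memory ELF64 image, reports its flags, and clears PF_X on request. The names build_sample and gnu_stack_flags and the header-only sample image are constructed for illustration; it assumes the Linux <elf.h> header and an ELF image in host byte order.

```c
#include <elf.h>   /* Linux ELF definitions: Elf64_Ehdr, Elf64_Phdr, PT_GNU_STACK, PF_X */
#include <stdio.h>
#include <string.h>

/* Constructed sample: a header-only ELF64 image (one PT_LOAD, one PT_GNU_STACK). */
static unsigned char sample[sizeof(Elf64_Ehdr) + 2 * sizeof(Elf64_Phdr)];
size_t build_sample(Elf64_Word stack_flags)
{
    Elf64_Ehdr eh = {0};
    Elf64_Phdr ph[2] = {{0}};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh;                 /* program headers follow the ELF header */
    eh.e_phentsize = sizeof ph[0];
    eh.e_phnum = 2;
    ph[0].p_type = PT_LOAD;      ph[0].p_flags = PF_R | PF_X;
    ph[1].p_type = PT_GNU_STACK; ph[1].p_flags = stack_flags;
    memcpy(sample, &eh, sizeof eh);
    memcpy(sample + sizeof eh, ph, sizeof ph);
    return sizeof sample;
}

/* Return the PT_GNU_STACK flags of an ELF64 image, clearing PF_X first when clear_x
 * is non-zero. Returns -1 if the image is malformed or carries no such header. */
int gnu_stack_flags(unsigned char *img, size_t len, int clear_x)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);            /* copy out: img may be unaligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof ph) return -1;
    if (eh.e_phoff > len || (len - eh.e_phoff) / sizeof ph < eh.e_phnum)
        return -1;                          /* program header table out of bounds */
    for (size_t i = 0; i < eh.e_phnum; i++) {
        unsigned char *p = img + eh.e_phoff + i * sizeof ph;
        memcpy(&ph, p, sizeof ph);
        if (ph.p_type != PT_GNU_STACK) continue;
        if (clear_x) ph.p_flags &= ~(Elf64_Word)PF_X;
        if (clear_x) memcpy(p, &ph, sizeof ph);   /* write the header back */
        return (int)ph.p_flags;
    }
    return -1;
}

int main(void)
{
    size_t n = build_sample(PF_R | PF_W | PF_X);  /* RWE, as in the readelf output */
    printf("before: %#x\n", gnu_stack_flags(sample, n, 0));
    printf("after:  %#x\n", gnu_stack_flags(sample, n, 1));
}
```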