Mailing List Archive

pthread_create problems on hardened x86
I've got an old problem with clamd, which creates a bunch of threads.
Every so often the logs will show e.g.,

Jul 31 06:01:41 mx1 clamd[24070]: pthread_create failed
Jul 31 06:01:41 mx1 clamd[24070]: pthread_create failed
Jul 31 06:01:41 mx1 clamd[24070]: pthread_create failed
Jul 31 06:01:41 mx1 clamd[24070]: pthread_create failed

It doesn't cause any noticeable problems, so I've sort of left it alone
but tonight I dug in a little. The problem seems (somehow) related to
that box's hardening.

I'm using a test program that creates a bunch of threads and then just
kills them. On the box in question,

# uname -a
Linux mx1 3.4.2-hardened #1 SMP Wed Jul 11 13:41:57 EDT 2012 i686
Intel(R) Xeon(TM) CPU 3.06GHz GenuineIntel GNU/Linux
# ./pthread_test 25
Creating 25 threads
Created thread #0...
Created thread #1...
Created thread #2...
Created thread #3...
pthread_create failed: Resource temporarily unavailable

Disabling all paxctl protections helps, but doesn't allow me to get all
the way to 25. I tried doing the protections one-at-a-time; it doesn't
really help:

# paxctl -pemrxs pthread_test
# ./pthread_test 25
Creating 25 threads
Created thread #0...
Created thread #1...
Created thread #2...
Created thread #3...
Created thread #4...
Created thread #5...
Created thread #6...
Created thread #7...
Created thread #8...
Created thread #9...
pthread_create failed: Resource temporarily unavailable

I get nothing in my dmesg, which otherwise records most limit-based denials.

Is there some way I can troubleshoot this? It works on amd64 with the
same kernel hardening options.
Re: pthread_create problems on hardened x86
On 31 Jul 2012 at 22:12, Michael Orlitzky wrote:

> I get nothing in my dmesg, which otherwise records most limit-based denials.
>
> Is there some way I can troubleshoot this? It works on amd64 with the
> same kernel hardening options.

an strace -f may help to see what exactly fails.
Re: pthread_create problems on hardened x86
On 08/01/2012 06:56 AM, PaX Team wrote:
> On 31 Jul 2012 at 22:12, Michael Orlitzky wrote:
>
>> I get nothing in my dmesg, which otherwise records most limit-based denials.
>>
>> Is there some way I can troubleshoot this? It works on amd64 with the
>> same kernel hardening options.
>
> an strace -f may help to see what exactly fails.
>
>

Thanks, here are strace -f logs from both the hardened box (where it
fails) and a vanilla gentoo x86 VM (where it works).
Re: pthread_create problems on hardened x86
On 1 Aug 2012 at 8:41, Michael Orlitzky wrote:

> Thanks, here are strace -f logs from both the hardened box (where it
> fails) and a vanilla gentoo x86 VM (where it works).

mmap2(NULL, 307200000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = -1 ENOMEM (Cannot allocate memory)

this can fail for several reasons, not enough RAM (depends on how overcommit is set),
not enough address space (hardened/PIE and ASLR together change how big the holes in
the address space end up, SEGMEXEC halves the address space), etc.
Re: pthread_create problems on hardened x86
On 08/01/12 09:08, PaX Team wrote:
> On 1 Aug 2012 at 8:41, Michael Orlitzky wrote:
>
>> Thanks, here are strace -f logs from both the hardened box (where it
>> fails) and a vanilla gentoo x86 VM (where it works).
>
> mmap2(NULL, 307200000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = -1 ENOMEM (Cannot allocate memory)
>
> this can fail for several reasons, not enough RAM (depends on how overcommit is set),
> not enough address space (hardened/PIE and ASLR together change how big the holes in
> the address space end up, SEGMEXEC halves the address space), etc.
>
>

Hmm.. I think this indirectly solves the problem. I've got,

# cat /etc/security/limits.d/50-clamd.conf
#<domain> <type> <item> <value>
clamav - stack 512000

But it isn't taking effect:

# cat /proc/25394/limits | grep stack
Max stack size 307200000 307200000 bytes

So, clamd is likely running out of stack just like the test program. I
can probably figure that one out.

But, I'd ruled out the stack size limitation because resource oversteps
are supposed to be reported:

# cat /proc/config.gz | gunzip | grep GRKERNSEC_RESLOG
CONFIG_GRKERNSEC_RESLOG=y

I've got nothing logged, even after the failures.
Re: pthread_create problems on hardened x86
On 1 Aug 2012 at 9:56, Michael Orlitzky wrote:

> But, I'd ruled out the stack size limitation because resource oversteps
> are supposed to be reported:

it's not a resource overstep but simply not enough virtual address space
(either because it's too fragmented to fit such a big allocation or the
free space is not enough itself).
Re: pthread_create problems on hardened x86
On 08/01/2012 05:29 PM, PaX Team wrote:
> On 1 Aug 2012 at 9:56, Michael Orlitzky wrote:
>
>> But, I'd ruled out the stack size limitation because resource oversteps
>> are supposed to be reported:
>
> it's not a resource overstep but simply not enough virtual address space
> (either because it's too fragmented to fit such a big allocation or the
> free space is not enough itself).
>

I don't completely understand, but I believe you =)

Setting `ulimit -s unlimited` in my global rc.conf cleared up the
problem. Thanks again for the help.
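
Added example, not part of the thread and not code from clamd, glibc or PaX: the address-space arithmetic behind the failing mmap2 call, using the 307200000-byte stack from the strace and the SEGMEXEC halving mentioned above. It assumes a 3 GiB user address space on i686 and models glibc's documented behaviour of using a finite soft RLIMIT_STACK as the default thread stack size (2 MiB on x86-32 when the limit is unlimited); the function names are hypothetical.

```c
/* Added example: how many default-sized thread stacks fit in i686 user space. */
#include <stdint.h>
#include <stdio.h>
#include <sys/resource.h>

#define MIB (1024ULL * 1024ULL)
/* Assumption: the common 3G/1G user/kernel split on 32-bit x86. */
#define I686_USER_SPACE (3072ULL * MIB)
/* Default x86-32 thread stack when RLIMIT_STACK is unlimited (pthread_create(3)). */
#define X86_DEFAULT_THREAD_STACK (2ULL * MIB)

/* Model of NPTL's choice: a finite soft RLIMIT_STACK becomes the default
 * stack size of every new thread; "unlimited" falls back to 2 MiB. */
uint64_t default_thread_stack(rlim_t soft)
{
    return soft == RLIM_INFINITY ? X86_DEFAULT_THREAD_STACK : (uint64_t)soft;
}

/* Upper bound only: existing mappings, ASLR gaps and fragmentation reduce it. */
uint64_t stacks_that_fit(uint64_t user_space, int segmexec, uint64_t stack_bytes)
{
    if (stack_bytes == 0)
        return 0;
    if (segmexec)
        user_space /= 2;            /* SEGMEXEC halves the address space */
    return user_space / stack_bytes;
}

int main(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) != 0) {
        perror("getrlimit");
        return 1;
    }
    uint64_t from_strace = default_thread_stack((rlim_t)307200000); /* value in the thread */
    uint64_t here = default_thread_stack(rl.rlim_cur);              /* this machine's limit */

    printf("307200000-byte stacks, SEGMEXEC on : at most %llu\n",
           (unsigned long long)stacks_that_fit(I686_USER_SPACE, 1, from_strace));
    printf("307200000-byte stacks, SEGMEXEC off: at most %llu\n",
           (unsigned long long)stacks_that_fit(I686_USER_SPACE, 0, from_strace));
    printf("current limit (%llu bytes), SEGMEXEC on: at most %llu\n",
           (unsigned long long)here,
           (unsigned long long)stacks_that_fit(I686_USER_SPACE, 1, here));
    return 0;
}
```

The bounds for the 307200000-byte stack are 5 with SEGMEXEC and 10 without, next to the 4 and 10 threads the test program created in the two runs above. With an unlimited soft limit the modelled default drops to 2 MiB, which raises the bound into the hundreds.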