Mailing List Archive

Problem with (?) hardened-sources-3.15.x on kvm-vm
Hello!
I suspect that I've got a problem with hardened-sources in a KVM VM. I'm not
sure if I should file a bug for this. I'd like to post it here before
using b.g.o.
I've got a VM (it's KVM with qemu-2.0.0-r1), with
hardened-sources-3.15.{5-r2,8}. I'm observing a kind of memory
corruption. After a couple of hours of uptime I'm starting to see random
segfaults and general protection traps, especially when a process uses a lot
of CPU and does many I/O operations (masscheck scripts written in Perl for
SpamAssassin rules).
In the log I've got e.g.:

2014-08-25T13:05:23.243062+02:00 mohikanin kernel: [45571.239703] PAX: From 88.198.102.195: execution attempt in: (null), 00000000-00000000 00000000
2014-08-25T13:05:23.243088+02:00 mohikanin kernel: [45571.239707] PAX: terminating task: /usr/libexec/dovecot/pop3-login(pop3-login):2507, uid/euid: 105/105, PC: (nil), SP: 000003a8574e4c00
2014-08-25T13:05:23.243093+02:00 mohikanin kernel: [45571.239709] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
2014-08-25T13:05:23.243095+02:00 mohikanin kernel: [45571.239735] PAX: bytes at SP-8: 0000000000000000 0000000000000000 00000059c6deceb0 0000000000000000 00000316027bc540 0000000000000001 000003160271dbb5 0000000000000000 0000000000000000 0000000000000000 0000000000000000
2014-08-25T13:24:42.943001+02:00 mohikanin kernel: [46730.931353] traps: spamd child[19681] general protection ip:2c572b6e163 sp:3ca7d000be0 error:0 in libc-2.19.so[2c572aee000+19e000]
2014-08-25T13:24:42.943007+02:00 mohikanin kernel: [46730.931371] grsec: Segmentation fault occurred at (nil) in /usr/sbin/spamd[spamd child:19681] uid/euid:999/999 gid/egid:100/100, parent /usr/sbin/spamd[/usr/sbin/spamd:1255] uid/euid:0/0 gid/egid:0/0
2014-08-25T13:55:22.383032+02:00 mohikanin kernel: [48570.375917] traps: freshclam[6594] general protection ip:344cceb368d sp:3d5f5ced520 error:0 in libclamav.so.6.1.23[344ccdf1000+9d1000]
2014-08-25T13:55:22.383050+02:00 mohikanin kernel: [48570.375968] grsec: Segmentation fault occurred at (nil) in /usr/bin/freshclam[freshclam:6594] uid/euid:104/104 gid/egid:115/115, parent /usr/bin/freshclam[freshclam:1159] uid/euid:104/104 gid/egid:115/115

Yesterday I switched the kernel to gentoo-sources-3.14.14 and I don't see
any unwanted behavior. This is why I suspect hardened-sources. Should I
file a bug? What should I do to help find the root of the problem?
(gcc is: gcc version 4.7.3 (Gentoo Hardened 4.7.3-r1 p1.4, pie-0.5.5),
with ld.gold)

Marcin

# grep -P "(GRK|PAX)" /boot/config-3.15.8-hardened
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
CONFIG_GRKERNSEC_CONFIG_SERVER=y
# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set
CONFIG_GRKERNSEC_PROC_GID=55555
CONFIG_GRKERNSEC_TPE_TRUSTED_GID=55555
CONFIG_GRKERNSEC_SYMLINKOWN_GID=100
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_JIT_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
# CONFIG_GRKERNSEC_BRUTE is not set
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
CONFIG_GRKERNSEC_NO_RBAC=y
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYMLINKOWN=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_INITRD=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=55555
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
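
An added example, not part of the original post: a Python triage script for the kind of kernel log quoted in the message above. It rejoins the mail-wrapped records, groups the `PAX:`, `traps:` and `grsec:` entries by pid, and computes the offset of each faulting `ip` inside the mapping the kernel printed; the function names and event field names are this example's own.

```python
import re

# Kernel log excerpt copied from the first post in this thread, with the
# mail client's hard line wrapping left as it was sent.
SAMPLE = """\
2014-08-25T13:05:23.243088+02:00 mohikanin kernel: [45571.239707] PAX:
terminating task: /usr/libexec/dovecot/pop3-login(pop3-login):2507,
uid/euid: 105/105, PC: (nil), SP: 000003a8574e4c00
2014-08-25T13:05:23.243093+02:00 mohikanin kernel: [45571.239709] PAX:
bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
2014-08-25T13:24:42.943001+02:00 mohikanin kernel: [46730.931353] traps:
spamd child[19681] general protection ip:2c572b6e163 sp:3ca7d000be0
error:0 in libc-2.19.so[2c572aee000+19e000]
2014-08-25T13:24:42.943007+02:00 mohikanin kernel: [46730.931371] grsec:
Segmentation fault occurred at (nil) in /usr/sbin/spamd[spamd
child:19681] uid/euid:999/999 gid/egid:100/100, parent
/usr/sbin/spamd[/usr/sbin/spamd:1255] uid/euid:0/0 gid/egid:0/0
2014-08-25T13:55:22.383032+02:00 mohikanin kernel: [48570.375917] traps:
freshclam[6594] general protection ip:344cceb368d sp:3d5f5ced520 error:0
in libclamav.so.6.1.23[344ccdf1000+9d1000]
2014-08-25T13:55:22.383050+02:00 mohikanin kernel: [48570.375968] grsec:
Segmentation fault occurred at (nil) in
/usr/bin/freshclam[freshclam:6594] uid/euid:104/104 gid/egid:115/115,
parent /usr/bin/freshclam[freshclam:1159] uid/euid:104/104 gid/egid:115/115
"""

# A record starts with an ISO timestamp, host, "kernel:" and the uptime stamp.
RECORD_START = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+[+-]\d\d:\d\d) \S+ kernel: \[\s*(?P<up>[\d.]+)\] ")

PATTERNS = {
    "gp_trap": re.compile(
        r"traps: (?P<comm>.+?)\[(?P<pid>\d+)\] general protection "
        r"ip:(?P<ip>[0-9a-f]+) sp:[0-9a-f]+ error:[0-9a-f]+"
        r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"),
    "pax_kill": re.compile(
        r"PAX: terminating task: \S+\((?P<comm>[^)]*)\):(?P<pid>\d+), "
        r"uid/euid: \d+/\d+, PC: (?P<pc>\S+), SP: [0-9a-f]+"),
    "grsec_segv": re.compile(
        r"grsec: Segmentation fault occurred at (?P<addr>\S+) in "
        r"[^\[]+\[(?P<comm>[^\]]+):(?P<pid>\d+)\]"),
}

def unwrap(text):
    """Rejoin records that were hard-wrapped in transit (one record per item)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def parse(text):
    """Return one dict per recognised fault record; other records are skipped."""
    events = []
    for rec in unwrap(text):
        head = RECORD_START.match(rec)
        if not head:
            continue
        for kind, rx in PATTERNS.items():
            m = rx.search(rec)
            if not m:
                continue
            ev = {"kind": kind, "ts": head["ts"], "uptime": float(head["up"]),
                  "comm": m["comm"], "pid": int(m["pid"])}
            if kind == "gp_trap" and m["obj"]:
                # Offset of the faulting instruction within the printed mapping.
                off = int(m["ip"], 16) - int(m["base"], 16)
                ev.update(object=m["obj"], offset=off,
                          in_mapping=0 <= off < int(m["size"], 16))
            elif kind == "pax_kill":
                ev["null_pc"] = m["pc"] == "(nil)"
            elif kind == "grsec_segv":
                ev["null_fault"] = m["addr"] == "(nil)"
            events.append(ev)
            break
    return events

def summarize(events):
    """Per-pid view: process name, event kinds seen, and library+offset if known."""
    by_pid = {}
    for ev in events:
        row = by_pid.setdefault(
            ev["pid"], {"comm": ev["comm"], "kinds": [], "where": None})
        row["kinds"].append(ev["kind"])
        if "offset" in ev:
            row["where"] = f'{ev["object"]}+{ev["offset"]:#x}'
    return by_pid

if __name__ == "__main__":
    for pid, row in summarize(parse(SAMPLE)).items():
        print(pid, row["comm"], row["kinds"], row["where"])
```

The `object+offset` value is relative to the start of the mapping shown in the `traps:` line, which is the form to compare across crashes of the same library build.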
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
On 26/08/14 06:23 AM, Marcin Mirosław wrote:
> Hello!
> I suspect that I've got a problem with hardened-sources in a KVM VM. I'm not
> sure if I should file a bug for this. I'd like to post it here before
> using b.g.o.
> I've got a VM (it's KVM with qemu-2.0.0-r1), with
> hardened-sources-3.15.{5-r2,8}. I'm observing a kind of memory
> corruption. After a couple of hours of uptime I'm starting to see random
> segfaults and general protection traps, especially when a process uses a lot
> of CPU and does many I/O operations (masscheck scripts written in Perl for
> SpamAssassin rules).
> In the log I've got e.g.:
>
> 2014-08-25T13:05:23.243062+02:00 mohikanin kernel: [45571.239703] PAX:
> From 88.198.102.195: execution attempt in: (null), 00000000-00000000
> 00000000
> 2014-08-25T13:05:23.243088+02:00 mohikanin kernel: [45571.239707] PAX:
> terminating task: /usr/libexec/dovecot/pop3-login(pop3-login):2507,
> uid/euid: 105/105, PC: (nil), SP: 000003a8574e4c00
> 2014-08-25T13:05:23.243093+02:00 mohikanin kernel: [45571.239709] PAX:
> bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
> 2014-08-25T13:05:23.243095+02:00 mohikanin kernel: [45571.239735] PAX:
> bytes at SP-8: 0000000000000000 0000000000000000 00000059c6deceb0
> 0000000000000000 00000316027bc540 0000000000000001 000003160271dbb5
> 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> 2014-08-25T13:24:42.943001+02:00 mohikanin kernel: [46730.931353] traps:
> spamd child[19681] general protection ip:2c572b6e163 sp:3ca7d000be0
> error:0 in libc-2.19.so[2c572aee000+19e000]
> 2014-08-25T13:24:42.943007+02:00 mohikanin kernel: [46730.931371] grsec:
> Segmentation fault occurred at (nil) in /usr/sbin/spamd[spamd
> child:19681] uid/euid:999/999 gid/egid:100/100, parent
> /usr/sbin/spamd[/usr/sbin/spamd:1255] uid/euid:0/0 gid/egid:0/0
> 2014-08-25T13:55:22.383032+02:00 mohikanin kernel: [48570.375917] traps:
> freshclam[6594] general protection ip:344cceb368d sp:3d5f5ced520 error:0
> in libclamav.so.6.1.23[344ccdf1000+9d1000]
> 2014-08-25T13:55:22.383050+02:00 mohikanin kernel: [48570.375968] grsec:
> Segmentation fault occurred at (nil) in
> /usr/bin/freshclam[freshclam:6594] uid/euid:104/104 gid/egid:115/115,
> parent /usr/bin/freshclam[freshclam:1159] uid/euid:104/104 gid/egid:115/115
>
> Yesterday I switched the kernel to gentoo-sources-3.14.14 and I don't see
> any unwanted behavior. This is why I suspect hardened-sources. Should I
> file a bug? What should I do to help find the root of the problem?
> (gcc is: gcc version 4.7.3 (Gentoo Hardened 4.7.3-r1 p1.4, pie-0.5.5),
> with ld.gold)

I've also been having similar issues with
sys-kernel/hardened-sources-3.15.{5-r[12],10-r1}, manifesting typically
as malloc/free errors in python, bash, or gcc, but particularly in g++.
No MAC, just PaX.

$ grep -E 'GRK|PAX' /boot/config
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
# CONFIG_PAX_LATENT_ENTROPY is not set
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
# CONFIG_GRKERNSEC_BRUTE is not set
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
CONFIG_GRKERNSEC_NO_RBAC=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
CONFIG_GRKERNSEC_ROFS=y
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
# CONFIG_GRKERNSEC_FORKFAIL is not set
# CONFIG_GRKERNSEC_TIME is not set
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_BLACKHOLE is not set
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
On 08/26/2014 05:23 AM, Marcin Mirosław wrote:
> Hello!
> I suspect that I've got a problem with hardened-sources in a KVM VM. I'm not
> sure if I should file a bug for this. I'd like to post it here before
> using b.g.o.
> I've got a VM (it's KVM with qemu-2.0.0-r1), with
> hardened-sources-3.15.{5-r2,8}. I'm observing a kind of memory
> corruption. After a couple of hours of uptime I'm starting to see random
> segfaults and general protection traps, especially when a process uses a lot
> of CPU and does many I/O operations (masscheck scripts written in Perl for
> SpamAssassin rules).
> In the log I've got e.g.:
>
> 2014-08-25T13:05:23.243062+02:00 mohikanin kernel: [45571.239703] PAX:
> From 88.198.102.195: execution attempt in: (null), 00000000-00000000
> 00000000
> 2014-08-25T13:05:23.243088+02:00 mohikanin kernel: [45571.239707] PAX:
> terminating task: /usr/libexec/dovecot/pop3-login(pop3-login):2507,
> uid/euid: 105/105, PC: (nil), SP: 000003a8574e4c00
> 2014-08-25T13:05:23.243093+02:00 mohikanin kernel: [45571.239709] PAX:
> bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
> 2014-08-25T13:05:23.243095+02:00 mohikanin kernel: [45571.239735] PAX:
> bytes at SP-8: 0000000000000000 0000000000000000 00000059c6deceb0
> 0000000000000000 00000316027bc540 0000000000000001 000003160271dbb5
> 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> 2014-08-25T13:24:42.943001+02:00 mohikanin kernel: [46730.931353] traps:
> spamd child[19681] general protection ip:2c572b6e163 sp:3ca7d000be0
> error:0 in libc-2.19.so[2c572aee000+19e000]
> 2014-08-25T13:24:42.943007+02:00 mohikanin kernel: [46730.931371] grsec:
> Segmentation fault occurred at (nil) in /usr/sbin/spamd[spamd
> child:19681] uid/euid:999/999 gid/egid:100/100, parent
> /usr/sbin/spamd[/usr/sbin/spamd:1255] uid/euid:0/0 gid/egid:0/0
> 2014-08-25T13:55:22.383032+02:00 mohikanin kernel: [48570.375917] traps:
> freshclam[6594] general protection ip:344cceb368d sp:3d5f5ced520 error:0
> in libclamav.so.6.1.23[344ccdf1000+9d1000]
> 2014-08-25T13:55:22.383050+02:00 mohikanin kernel: [48570.375968] grsec:
> Segmentation fault occurred at (nil) in
> /usr/bin/freshclam[freshclam:6594] uid/euid:104/104 gid/egid:115/115,
> parent /usr/bin/freshclam[freshclam:1159] uid/euid:104/104 gid/egid:115/115
>
> Yesterday I switched the kernel to gentoo-sources-3.14.14 and I don't see
> any unwanted behavior. This is why I suspect hardened-sources. Should I
> file a bug? What should I do to help find the root of the problem?
> (gcc is: gcc version 4.7.3 (Gentoo Hardened 4.7.3-r1 p1.4, pie-0.5.5),
> with ld.gold)
>
> Marcin
>

I'll test a 3.15.10-r1 kernel today sometime, anything I can do to
reproduce specifically?


--
-- Matthew Thode (prometheanfire)
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
On 26/08/14 11:13 AM, Matthew Thode wrote:
> On 08/26/2014 05:23 AM, Marcin Mirosław wrote:
>> Hello!
>> I suspect that I've got a problem with hardened-sources in a KVM VM. I'm not
>> sure if I should file a bug for this. I'd like to post it here before
>> using b.g.o.
>> I've got a VM (it's KVM with qemu-2.0.0-r1), with
>> hardened-sources-3.15.{5-r2,8}. I'm observing a kind of memory
>> corruption. After a couple of hours of uptime I'm starting to see random
>> segfaults and general protection traps, especially when a process uses a lot
>> of CPU and does many I/O operations (masscheck scripts written in Perl for
>> SpamAssassin rules).
>> In the log I've got e.g.:
>>
>> 2014-08-25T13:05:23.243062+02:00 mohikanin kernel: [45571.239703] PAX:
>> From 88.198.102.195: execution attempt in: (null), 00000000-00000000
>> 00000000
>> 2014-08-25T13:05:23.243088+02:00 mohikanin kernel: [45571.239707] PAX:
>> terminating task: /usr/libexec/dovecot/pop3-login(pop3-login):2507,
>> uid/euid: 105/105, PC: (nil), SP: 000003a8574e4c00
>> 2014-08-25T13:05:23.243093+02:00 mohikanin kernel: [45571.239709] PAX:
>> bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
>> 2014-08-25T13:05:23.243095+02:00 mohikanin kernel: [45571.239735] PAX:
>> bytes at SP-8: 0000000000000000 0000000000000000 00000059c6deceb0
>> 0000000000000000 00000316027bc540 0000000000000001 000003160271dbb5
>> 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> 2014-08-25T13:24:42.943001+02:00 mohikanin kernel: [46730.931353] traps:
>> spamd child[19681] general protection ip:2c572b6e163 sp:3ca7d000be0
>> error:0 in libc-2.19.so[2c572aee000+19e000]
>> 2014-08-25T13:24:42.943007+02:00 mohikanin kernel: [46730.931371] grsec:
>> Segmentation fault occurred at (nil) in /usr/sbin/spamd[spamd
>> child:19681] uid/euid:999/999 gid/egid:100/100, parent
>> /usr/sbin/spamd[/usr/sbin/spamd:1255] uid/euid:0/0 gid/egid:0/0
>> 2014-08-25T13:55:22.383032+02:00 mohikanin kernel: [48570.375917] traps:
>> freshclam[6594] general protection ip:344cceb368d sp:3d5f5ced520 error:0
>> in libclamav.so.6.1.23[344ccdf1000+9d1000]
>> 2014-08-25T13:55:22.383050+02:00 mohikanin kernel: [48570.375968] grsec:
>> Segmentation fault occurred at (nil) in
>> /usr/bin/freshclam[freshclam:6594] uid/euid:104/104 gid/egid:115/115,
>> parent /usr/bin/freshclam[freshclam:1159] uid/euid:104/104 gid/egid:115/115
>>
>> Yesterday I switched the kernel to gentoo-sources-3.14.14 and I don't see
>> any unwanted behavior. This is why I suspect hardened-sources. Should I
>> file a bug? What should I do to help find the root of the problem?
>> (gcc is: gcc version 4.7.3 (Gentoo Hardened 4.7.3-r1 p1.4, pie-0.5.5),
>> with ld.gold)
>>
>> Marcin
>>
>
> I'll test a 3.15.10-r1 kernel today sometime, anything I can do to
> reproduce specifically?
>
>

Run emerge boost. My setup is with PORTAGE_TMPDIR to hard drive, maybe
that affects repro.
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
I encountered the same problem with qemu/kvm but can't even log in; I
get random segfaults and even failed malloc assertions
in /sbin/init, /sbin/rc or /bin/login (never past this).

But it works fine with CONFIG_PAX_MEMORY_UDEREF disabled.

Config that reproduces the problem.

$ grep -P "(GRK|PAX)" linux-3.15.8-hardened/.config
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
CONFIG_GRKERNSEC_CONFIG_SERVER=y
# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=100
CONFIG_GRKERNSEC_SYMLINKOWN_GID=100
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
CONFIG_GRKERNSEC_NO_RBAC=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYMLINKOWN=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
# CONFIG_GRKERNSEC_FORKFAIL is not set
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=100
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_SYSCTL is not set
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6

On Tue, 26 Aug 2014 11:24:26 +0100
Marcin Mirosław <marcin@mejor.pl> wrote:

> Hello!
> I suspect that I've got a problem with hardened-sources in a KVM VM. I'm
> not sure if I should file a bug for this. I'd like to post it here
> before using b.g.o.
> I've got a VM (it's KVM with qemu-2.0.0-r1), with
> hardened-sources-3.15.{5-r2,8}. I'm observing a kind of memory
> corruption. After a couple of hours of uptime I'm starting to see
> random segfaults and general protection traps, especially when a process
> uses a lot of CPU and does many I/O operations (masscheck scripts
> written in Perl for SpamAssassin rules).
> In the log I've got e.g.:
>
> 2014-08-25T13:05:23.243062+02:00 mohikanin kernel: [45571.239703] PAX: From 88.198.102.195: execution attempt in: (null), 00000000-00000000 00000000
> 2014-08-25T13:05:23.243088+02:00 mohikanin kernel: [45571.239707] PAX: terminating task: /usr/libexec/dovecot/pop3-login(pop3-login):2507, uid/euid: 105/105, PC: (nil), SP: 000003a8574e4c00
> 2014-08-25T13:05:23.243093+02:00 mohikanin kernel: [45571.239709] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
> 2014-08-25T13:05:23.243095+02:00 mohikanin kernel: [45571.239735] PAX: bytes at SP-8: 0000000000000000 0000000000000000 00000059c6deceb0 0000000000000000 00000316027bc540 0000000000000001 000003160271dbb5 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> 2014-08-25T13:24:42.943001+02:00 mohikanin kernel: [46730.931353] traps: spamd child[19681] general protection ip:2c572b6e163 sp:3ca7d000be0 error:0 in libc-2.19.so[2c572aee000+19e000]
> 2014-08-25T13:24:42.943007+02:00 mohikanin kernel: [46730.931371] grsec: Segmentation fault occurred at (nil) in /usr/sbin/spamd[spamd child:19681] uid/euid:999/999 gid/egid:100/100, parent /usr/sbin/spamd[/usr/sbin/spamd:1255] uid/euid:0/0 gid/egid:0/0
> 2014-08-25T13:55:22.383032+02:00 mohikanin kernel: [48570.375917] traps: freshclam[6594] general protection ip:344cceb368d sp:3d5f5ced520 error:0 in libclamav.so.6.1.23[344ccdf1000+9d1000]
> 2014-08-25T13:55:22.383050+02:00 mohikanin kernel: [48570.375968] grsec: Segmentation fault occurred at (nil) in /usr/bin/freshclam[freshclam:6594] uid/euid:104/104 gid/egid:115/115, parent /usr/bin/freshclam[freshclam:1159] uid/euid:104/104 gid/egid:115/115
>
> Yesterday I switched the kernel to gentoo-sources-3.14.14 and I don't see
> any unwanted behavior. This is why I suspect hardened-sources. Should
> I file a bug? What should I do to help find the root of the problem?
> (gcc is: gcc version 4.7.3 (Gentoo Hardened 4.7.3-r1 p1.4,
> pie-0.5.5), with ld.gold)
>
> Marcin
>
> # grep -P "(GRK|PAX)" /boot/config-3.15.8-hardened
> CONFIG_PAX_KERNEXEC_PLUGIN=y
> CONFIG_PAX_PER_CPU_PGD=y
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_GRKERNSEC=y
> CONFIG_GRKERNSEC_CONFIG_AUTO=y
> # CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
> CONFIG_GRKERNSEC_CONFIG_SERVER=y
> # CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
> # CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
> CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST=y
> # CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set
> CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
> # CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
> # CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
> # CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
> CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
> # CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
> CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
> # CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set
> CONFIG_GRKERNSEC_PROC_GID=55555
> CONFIG_GRKERNSEC_TPE_TRUSTED_GID=55555
> CONFIG_GRKERNSEC_SYMLINKOWN_GID=100
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> # CONFIG_PAX_NO_ACL_FLAGS is not set
> CONFIG_PAX_HAVE_ACL_FLAGS=y
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> CONFIG_PAX_KERNEXEC=y
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
> CONFIG_PAX_ASLR=y
> CONFIG_PAX_RANDKSTACK=y
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> CONFIG_PAX_MEMORY_STACKLEAK=y
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> CONFIG_PAX_MEMORY_UDEREF=y
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_CONSTIFY_PLUGIN=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> CONFIG_PAX_SIZE_OVERFLOW=y
> CONFIG_PAX_LATENT_ENTROPY=y
> CONFIG_GRKERNSEC_KMEM=y
> CONFIG_GRKERNSEC_IO=y
> CONFIG_GRKERNSEC_JIT_HARDEN=y
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
> # CONFIG_GRKERNSEC_BRUTE is not set
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> CONFIG_GRKERNSEC_RANDSTRUCT=y
> CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> # CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> CONFIG_GRKERNSEC_PROC_USER=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> CONFIG_GRKERNSEC_SYMLINKOWN=y
> CONFIG_GRKERNSEC_FIFO=y
> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> CONFIG_GRKERNSEC_CHROOT_INITRD=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> # CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> CONFIG_GRKERNSEC_TIME=y
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> CONFIG_GRKERNSEC_TPE=y
> CONFIG_GRKERNSEC_TPE_ALL=y
> CONFIG_GRKERNSEC_TPE_INVERT=y
> CONFIG_GRKERNSEC_TPE_GID=55555
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=6
>



--
André Aparício
andre.aparicio@rnl.tecnico.ulisboa.pt

Administração de Sistemas da Rede das Novas Licenciaturas
Técnico Lisboa

web: http://www.rnl.tecnico.ulisboa.pt
email: rnl@rnl.tecnico.ulisboa.pt
phone: +351 218 41 77 71
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
On 27.08.2014 at 18:34, André Aparício wrote:
> I encountered the same problem with qemu/kvm but can't even log in; I
> get random segfaults and even failed malloc assertions
> in /sbin/init, /sbin/rc or /bin/login (never past this).
>
> But it works fine with CONFIG_PAX_MEMORY_UDEREF disabled.


It looks like disabling CONFIG_PAX_MEMORY_UDEREF solves the problem on my
host too.


> Config that reproduces the problem.
>
> $ grep -P "(GRK|PAX)" linux-3.15.8-hardened/.config
> CONFIG_PAX_KERNEXEC_PLUGIN=y
> CONFIG_PAX_PER_CPU_PGD=y
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_GRKERNSEC=y
> CONFIG_GRKERNSEC_CONFIG_AUTO=y
> # CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
> CONFIG_GRKERNSEC_CONFIG_SERVER=y
> # CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
> # CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
> CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST=y
> # CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set
> CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
> # CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
> # CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
> # CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
> CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
> # CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
> # CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set
> CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y
> CONFIG_GRKERNSEC_PROC_GID=10
> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=100
> CONFIG_GRKERNSEC_SYMLINKOWN_GID=100
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> CONFIG_PAX_PT_PAX_FLAGS=y
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> # CONFIG_PAX_NO_ACL_FLAGS is not set
> CONFIG_PAX_HAVE_ACL_FLAGS=y
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> CONFIG_PAX_KERNEXEC=y
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
> CONFIG_PAX_ASLR=y
> # CONFIG_PAX_RANDKSTACK is not set
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> CONFIG_PAX_MEMORY_SANITIZE=y
> CONFIG_PAX_MEMORY_STACKLEAK=y
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> CONFIG_PAX_MEMORY_UDEREF=y
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_CONSTIFY_PLUGIN=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> CONFIG_PAX_SIZE_OVERFLOW=y
> CONFIG_PAX_LATENT_ENTROPY=y
> CONFIG_GRKERNSEC_KMEM=y
> CONFIG_GRKERNSEC_IO=y
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
> CONFIG_GRKERNSEC_BRUTE=y
> CONFIG_GRKERNSEC_HIDESYM=y
> CONFIG_GRKERNSEC_RANDSTRUCT=y
> # CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> CONFIG_GRKERNSEC_SYMLINKOWN=y
> CONFIG_GRKERNSEC_FIFO=y
> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> CONFIG_GRKERNSEC_EXECLOG=y
> CONFIG_GRKERNSEC_RESLOG=y
> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
> # CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> # CONFIG_GRKERNSEC_FORKFAIL is not set
> CONFIG_GRKERNSEC_TIME=y
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> CONFIG_GRKERNSEC_TPE=y
> # CONFIG_GRKERNSEC_TPE_ALL is not set
> # CONFIG_GRKERNSEC_TPE_INVERT is not set
> CONFIG_GRKERNSEC_TPE_GID=100
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_SYSCTL is not set
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=6
>
> On Tue, 26 Aug 2014 11:24:26 +0100
> Marcin Mirosław <marcin@mejor.pl> wrote:
>
>> Hello!
>> I suspect that I've got a problem with hardened-sources in a KVM VM. I'm
>> not sure if I should file a bug for this. I'd like to post it here
>> before using b.g.o.
>> I've got a VM (it's KVM with qemu-2.0.0-r1), with
>> hardened-sources-3.15.{5-r2,8}. I'm observing a kind of memory
>> corruption. After a couple of hours of uptime I start seeing
>> random segfaults and general protection traps, especially when a process
>> uses a lot of CPU and does many I/O operations (masscheck scripts
>> written in Perl for SpamAssassin rules).
>> In the log I've got e.g.:
>>
>> 2014-08-25T13:05:23.243062+02:00 mohikanin kernel: [45571.239703] PAX:
>> From 88.198.102.195: execution attempt in: (null), 00000000-00000000
>> 00000000
>> 2014-08-25T13:05:23.243088+02:00 mohikanin kernel: [45571.239707] PAX:
>> terminating task: /usr/libexec/dovecot/pop3-login(pop3-login):2507,
>> uid/euid: 105/105, PC: (nil), SP: 000003a8574e4c00
>> 2014-08-25T13:05:23.243093+02:00 mohikanin kernel: [45571.239709] PAX:
>> bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
>> 2014-08-25T13:05:23.243095+02:00 mohikanin kernel: [45571.239735] PAX:
>> bytes at SP-8: 0000000000000000 0000000000000000 00000059c6deceb0
>> 0000000000000000 00000316027bc540 0000000000000001 000003160271dbb5
>> 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> 2014-08-25T13:24:42.943001+02:00 mohikanin kernel: [46730.931353] traps:
>> spamd child[19681] general protection ip:2c572b6e163 sp:3ca7d000be0
>> error:0 in libc-2.19.so[2c572aee000+19e000]
>> 2014-08-25T13:24:42.943007+02:00 mohikanin kernel: [46730.931371] grsec:
>> Segmentation fault occurred at (nil) in /usr/sbin/spamd[spamd
>> child:19681] uid/euid:999/999 gid/egid:100/100, parent
>> /usr/sbin/spamd[/usr/sbin/spamd:1255] uid/euid:0/0 gid/egid:0/0
>> 2014-08-25T13:55:22.383032+02:00 mohikanin kernel: [48570.375917] traps:
>> freshclam[6594] general protection ip:344cceb368d sp:3d5f5ced520 error:0
>> in libclamav.so.6.1.23[344ccdf1000+9d1000]
>> 2014-08-25T13:55:22.383050+02:00 mohikanin kernel: [48570.375968] grsec:
>> Segmentation fault occurred at (nil) in /usr/bin/freshclam[freshclam:6594]
>> uid/euid:104/104 gid/egid:115/115, parent
>> /usr/bin/freshclam[freshclam:1159] uid/euid:104/104 gid/egid:115/115
>>
>> Yesterday I switched the kernel to gentoo-sources-3.14.14 and I don't see
>> any unwanted behavior. This is why I suspect hardened-sources. Should
>> I file a bug? What should I do to help find the root of the problem?
>> (gcc is: gcc version 4.7.3 (Gentoo Hardened 4.7.3-r1 p1.4,
>> pie-0.5.5), with ld.gold)
>>
>> Marcin
>>
>> # grep -P "(GRK|PAX)" /boot/config-3.15.8-hardened
>> CONFIG_PAX_KERNEXEC_PLUGIN=y
>> CONFIG_PAX_PER_CPU_PGD=y
>> CONFIG_PAX_USERCOPY_SLABS=y
>> CONFIG_GRKERNSEC=y
>> CONFIG_GRKERNSEC_CONFIG_AUTO=y
>> # CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
>> CONFIG_GRKERNSEC_CONFIG_SERVER=y
>> # CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
>> # CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
>> CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST=y
>> # CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set
>> CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
>> # CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
>> # CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
>> # CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
>> CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
>> # CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
>> CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
>> # CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set
>> CONFIG_GRKERNSEC_PROC_GID=55555
>> CONFIG_GRKERNSEC_TPE_TRUSTED_GID=55555
>> CONFIG_GRKERNSEC_SYMLINKOWN_GID=100
>> CONFIG_PAX=y
>> # CONFIG_PAX_SOFTMODE is not set
>> # CONFIG_PAX_PT_PAX_FLAGS is not set
>> CONFIG_PAX_XATTR_PAX_FLAGS=y
>> # CONFIG_PAX_NO_ACL_FLAGS is not set
>> CONFIG_PAX_HAVE_ACL_FLAGS=y
>> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
>> CONFIG_PAX_NOEXEC=y
>> CONFIG_PAX_PAGEEXEC=y
>> CONFIG_PAX_EMUTRAMP=y
>> CONFIG_PAX_MPROTECT=y
>> # CONFIG_PAX_MPROTECT_COMPAT is not set
>> # CONFIG_PAX_ELFRELOCS is not set
>> CONFIG_PAX_KERNEXEC=y
>> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
>> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
>> CONFIG_PAX_ASLR=y
>> CONFIG_PAX_RANDKSTACK=y
>> CONFIG_PAX_RANDUSTACK=y
>> CONFIG_PAX_RANDMMAP=y
>> # CONFIG_PAX_MEMORY_SANITIZE is not set
>> CONFIG_PAX_MEMORY_STACKLEAK=y
>> CONFIG_PAX_MEMORY_STRUCTLEAK=y
>> CONFIG_PAX_MEMORY_UDEREF=y
>> CONFIG_PAX_REFCOUNT=y
>> CONFIG_PAX_CONSTIFY_PLUGIN=y
>> CONFIG_PAX_USERCOPY=y
>> # CONFIG_PAX_USERCOPY_DEBUG is not set
>> CONFIG_PAX_SIZE_OVERFLOW=y
>> CONFIG_PAX_LATENT_ENTROPY=y
>> CONFIG_GRKERNSEC_KMEM=y
>> CONFIG_GRKERNSEC_IO=y
>> CONFIG_GRKERNSEC_JIT_HARDEN=y
>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>> CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
>> # CONFIG_GRKERNSEC_BRUTE is not set
>> CONFIG_GRKERNSEC_MODHARDEN=y
>> CONFIG_GRKERNSEC_HIDESYM=y
>> CONFIG_GRKERNSEC_RANDSTRUCT=y
>> CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
>> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
>> CONFIG_GRKERNSEC_NO_RBAC=y
>> # CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
>> CONFIG_GRKERNSEC_PROC=y
>> CONFIG_GRKERNSEC_PROC_USER=y
>> CONFIG_GRKERNSEC_PROC_ADD=y
>> CONFIG_GRKERNSEC_LINK=y
>> CONFIG_GRKERNSEC_SYMLINKOWN=y
>> CONFIG_GRKERNSEC_FIFO=y
>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>> # CONFIG_GRKERNSEC_ROFS is not set
>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>> CONFIG_GRKERNSEC_CHROOT=y
>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>> CONFIG_GRKERNSEC_CHROOT_INITRD=y
>> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
>> # CONFIG_GRKERNSEC_EXECLOG is not set
>> CONFIG_GRKERNSEC_RESLOG=y
>> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
>> # CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
>> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>> CONFIG_GRKERNSEC_SIGNAL=y
>> CONFIG_GRKERNSEC_FORKFAIL=y
>> CONFIG_GRKERNSEC_TIME=y
>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>> CONFIG_GRKERNSEC_DMESG=y
>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>> CONFIG_GRKERNSEC_SETXID=y
>> CONFIG_GRKERNSEC_HARDEN_IPC=y
>> CONFIG_GRKERNSEC_TPE=y
>> CONFIG_GRKERNSEC_TPE_ALL=y
>> CONFIG_GRKERNSEC_TPE_INVERT=y
>> CONFIG_GRKERNSEC_TPE_GID=55555
>> CONFIG_GRKERNSEC_RANDNET=y
>> CONFIG_GRKERNSEC_BLACKHOLE=y
>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>> # CONFIG_GRKERNSEC_SOCKET is not set
>> CONFIG_GRKERNSEC_SYSCTL=y
>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>> CONFIG_GRKERNSEC_FLOODTIME=10
>> CONFIG_GRKERNSEC_FLOODBURST=6
>>
>
>
>


--
xmpp (jabber): marcin [at] mejor.pl
www: http://blog.mejor.pl/
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
On Wed, Aug 27, 2014 at 05:34:20PM +0100, André Aparício wrote:
> I encountered the same problem with qemu/kvm but can't even login, I
> get random segfaults and even failed malloc assertions
> in /sbin/init, /sbin/rc or /bin/login (never past this).
>
> But it works fine with CONFIG_PAX_MEMORY_UDEREF disabled.

I am not able to reproduce this :-(

Host and guest are both on 3.15.5-hardened-r2 and both have UDEREF enabled.

I tried emerging boost on the guest as recommended in another post but this
didn't fail.

Wkr,
Sven Vermeulen
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
On 28/08/14 05:02 PM, Sven Vermeulen wrote:
> On Wed, Aug 27, 2014 at 05:34:20PM +0100, André Aparício wrote:
>> I encountered the same problem with qemu/kvm but can't even login, I
>> get random segfaults and even failed malloc assertions
>> in /sbin/init, /sbin/rc or /bin/login (never past this).
>>
>> But it works fine with CONFIG_PAX_MEMORY_UDEREF disabled.
>
> I am not able to reproduce this :-(
>
> Host and guest are both on 3.15.5-hardened-r2 and both have UDEREF enabled.
>
> I tried emerging boost on the guest as recommended in another post but this
> didn't fail.
>
> Wkr,
> Sven Vermeulen
>

My VM has 12 CPUs but I use MAKEOPTS=-j3. Maybe this affects
reproducibility.

My host is of unknown kernel, but I'm pretty sure it's not Gentoo, let
alone Hardened.

Also, I am using <cpu mode="host-passthrough"/> in libvirt (equivalent
to -cpu host in qemu opts), so PAX detects PCID and enables strong
UDEREF. I will try with pax_weakuderef as soon as I get a chance to
reboot the VM.
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
W dniu 29.08.2014 o 01:13, Alex Xu pisze:
> On 28/08/14 05:02 PM, Sven Vermeulen wrote:
>> On Wed, Aug 27, 2014 at 05:34:20PM +0100, André Aparício wrote:
>>> I encountered the same problem with qemu/kvm but can't even login, I
>>> get random segfaults and even failed malloc assertions
>>> in /sbin/init, /sbin/rc or /bin/login (never past this).
>>>
>>> But it works fine with CONFIG_PAX_MEMORY_UDEREF disabled.
>>
>> I am not able to reproduce this :-(
>>
>> Host and guest are both on 3.15.5-hardened-r2 and both have UDEREF enabled.
>>
>> I tried emerging boost on the guest as recommended in another post but this
>> didn't fail.
>>
>> Wkr,
>> Sven Vermeulen
>>
>
> My VM has 12 CPUs but I use MAKEOPTS=-j3. Maybe this affects
> reproducibility.
>
> My host is of unknown kernel, but I'm pretty sure it's not Gentoo, let
> alone Hardened.
>
> Also, I am using <cpu mode="host-passthrough"/> in libvirt (equivalent
> to -cpu host in qemu opts), so PAX detects PCID and enables strong
> UDEREF. I will try with pax_weakuderef as soon as I get a chance to
> reboot the VM.

Fabulous "me too", I've got <cpu mode='host-model'> and the guest has PCID
available:
dmesg |grep PCID
[ 0.020000] PAX: PCID detected
[ 0.020000] PAX: PCID detected
[ 0.020000] PAX: PCID detected


Snip from cpuinfo of guest:
processor : 2
vendor_id : GenuineIntel
cpu family : 6
model : 42
model name : Intel Xeon E312xx (Sandy Bridge)
stepping : 1
microcode : 0x1
cpu MHz : 3292.514
cache size : 4096 KB
physical id : 2
siblings : 1
core id : 0
cpu cores : 1
apicid : 2
initial apicid : 2
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx rdtscp lm
constant_tsc arch_perfmon rep_good nopl eagerfpu pni pclmulqdq ssse3
cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx
f16c rdrand hypervisor lahf_lm xsaveopt fsgsbase smep erms
bogomips : 6585.02
clflush size : 64
cache_alignment : 64
address sizes : 40 bits physical, 48 bits virtual
power management:
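
A triage sketch for the setup discussed in this thread, added here as an example and not code from any poster or from the PaX/grsecurity project: it checks a guest's cpuinfo, kernel config and command line for the combination the reporters describe (hypervisor guest, PCID visible, CONFIG_PAX_MEMORY_UDEREF=y, no pax_weakuderef). The function names, verdict strings and sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify a guest against the configuration reported in the thread.
# All inputs are file paths, so the checks work on saved copies as well as on
# /proc/cpuinfo, /boot/config-<version> and /proc/cmdline.

# has_cpu_flag FLAG CPUINFO -> exit 0 if FLAG appears as a whole word in a "flags" line
has_cpu_flag() {
    awk -v want="$1" '
        /^flags[ \t]*:/ {
            sub(/^[^:]*:/, "")
            n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == want) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$2"
}

# config_enabled OPTION CONFIG -> exit 0 only for an exact "OPTION=y" line
config_enabled() {
    grep -q "^$1=y\$" "$2"
}

# cmdline_has PARAM CMDLINE -> exit 0 if PARAM is a separate boot parameter
cmdline_has() {
    tr ' \t' '\n\n' < "$2" | grep -qxF -- "$1"
}

# uderef_triage CPUINFO CONFIG CMDLINE -> prints one verdict word (hypothetical names)
uderef_triage() {
    if ! config_enabled CONFIG_PAX_MEMORY_UDEREF "$2"; then
        echo "uderef-off"            # the state two posters reported as working
    elif ! has_cpu_flag pcid "$1"; then
        echo "uderef-no-pcid"        # kernel sees no PCID
    elif cmdline_has pax_weakuderef "$3"; then
        echo "uderef-weak"           # boot option one poster planned to test
    elif has_cpu_flag hypervisor "$1"; then
        echo "matches-thread"        # guest + PCID + UDEREF, no weak override
    else
        echo "uderef-pcid-baremetal" # same kernel options, but not a guest
    fi
}

# Constructed sample inputs (flag list abridged from the cpuinfo posted above).
make_sample() {
    mkdir -p "$1"
    printf 'processor\t: 2\nflags\t\t: fpu pae nx lm pcid sse4_2 hypervisor smep erms\n' > "$1/cpuinfo"
    printf 'CONFIG_PAX_MEMORY_STRUCTLEAK=y\nCONFIG_PAX_MEMORY_UDEREF=y\n' > "$1/config"
    printf 'root=/dev/vda1 ro quiet\n' > "$1/cmdline"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
uderef_triage "$demo_dir/cpuinfo" "$demo_dir/config" "$demo_dir/cmdline"
rm -rf "$demo_dir"
```

On a live guest the call would be `uderef_triage /proc/cpuinfo /boot/config-3.15.8-hardened /proc/cmdline`, using the config path quoted earlier in the thread.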
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
On 08/29/14 03:32, Marcin Mirosław wrote:
> W dniu 29.08.2014 o 01:13, Alex Xu pisze:
>> On 28/08/14 05:02 PM, Sven Vermeulen wrote:
>>> On Wed, Aug 27, 2014 at 05:34:20PM +0100, André Aparício wrote:
>>>> I encountered the same problem with qemu/kvm but can't even login, I
>>>> get random segfaults and even failed malloc assertions
>>>> in /sbin/init, /sbin/rc or /bin/login (never past this).
>>>>
>>>> But it works fine with CONFIG_PAX_MEMORY_UDEREF disabled.
>>>
>>> I am not able to reproduce this :-(
>>>
>>> Host and guest are both on 3.15.5-hardened-r2 and both have UDEREF enabled.
>>>
>>> I tried emerging boost on the guest as recommended in another post but this
>>> didn't fail.
>>>
>>> Wkr,
>>> Sven Vermeulen
>>>
>>
>> My VM has 12 CPUs but I use MAKEOPTS=-j3. Maybe this affects
>> reproducibility.
>>
>> My host is of unknown kernel, but I'm pretty sure it's not Gentoo, let
>> alone Hardened.
>>
>> Also, I am using <cpu mode="host-passthrough"/> in libvirt (equivalent
>> to -cpu host in qemu opts), so PAX detects PCID and enables strong
>> UDEREF. I will try with pax_weakuderef as soon as I get a chance to
>> reboot the VM.
>
> Fabulous "me too", I've got <cpu mode='host-model'> and the guest has PCID
> available:
> dmesg |grep PCID
> [ 0.020000] PAX: PCID detected
> [ 0.020000] PAX: PCID detected
> [ 0.020000] PAX: PCID detected
>
>
> Snip from cpuinfo of guest:
> processor : 2
> vendor_id : GenuineIntel
> cpu family : 6
> model : 42
> model name : Intel Xeon E312xx (Sandy Bridge)
> stepping : 1
> microcode : 0x1
> cpu MHz : 3292.514
> cache size : 4096 KB
> physical id : 2
> siblings : 1
> core id : 0
> cpu cores : 1
> apicid : 2
> initial apicid : 2
> fpu : yes
> fpu_exception : yes
> cpuid level : 13
> wp : yes
> flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
> mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx rdtscp lm
> constant_tsc arch_perfmon rep_good nopl eagerfpu pni pclmulqdq ssse3
> cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx
> f16c rdrand hypervisor lahf_lm xsaveopt fsgsbase smep erms
> bogomips : 6585.02
> clflush size : 64
> cache_alignment : 64
> address sizes : 40 bits physical, 48 bits virtual
> power management:
>
>

We should be doing this in a bug report. I'll cc-pipacs.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
On 29 Aug 2014 at 7:31, Anthony G. Basile wrote:

> On 08/29/14 03:32, Marcin Mirosław wrote:
> > W dniu 29.08.2014 o 01:13, Alex Xu pisze:
> >> On 28/08/14 05:02 PM, Sven Vermeulen wrote:
> >>> On Wed, Aug 27, 2014 at 05:34:20PM +0100, André Aparício wrote:
> >>>> I encountered the same problem with qemu/kvm but can't even login, I
> >>>> get random segfaults and even failed malloc assertions
> >>>> in /sbin/init, /sbin/rc or /bin/login (never past this).
> >>>>
> >>>> But it works fine with CONFIG_PAX_MEMORY_UDEREF disabled.

> We should be doing this in a bug report. I'll cc-pipacs.

thanks for the heads up, it's been a known issue for some time but i just
didn't have the time to deal with it yet. also i was supposed to be on g-h
already, not sure how i got unsubscribed (seems to have happened at the end
of july) but i'm on the list again now.
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
On 08/29/14 08:23, PaX Team wrote:
> On 29 Aug 2014 at 7:31, Anthony G. Basile wrote:
>
>> On 08/29/14 03:32, Marcin Mirosław wrote:
>>> W dniu 29.08.2014 o 01:13, Alex Xu pisze:
>>>> On 28/08/14 05:02 PM, Sven Vermeulen wrote:
>>>>> On Wed, Aug 27, 2014 at 05:34:20PM +0100, André Aparício wrote:
>>>>>> I encountered the same problem with qemu/kvm but can't even login, I
>>>>>> get random segfaults and even failed malloc assertions
>>>>>> in /sbin/init, /sbin/rc or /bin/login (never past this).
>>>>>>
>>>>>> But it works fine with CONFIG_PAX_MEMORY_UDEREF disabled.
>
>> We should be doing this in a bug report. I'll cc-pipacs.
>
> thanks for the heads up, it's been a known issue for some time but i just
> didn't have the time to deal with it yet. also i was supposed to be on g-h
> already, not sure how i got unsubscribed (seems to have happened at the end
> of july) but i'm on the list again now.
>

We've had some infra issues.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
On 29/08/14 08:23 AM, PaX Team wrote:
> On 29 Aug 2014 at 7:31, Anthony G. Basile wrote:
>
>> On 08/29/14 03:32, Marcin Mirosław wrote:
>>> W dniu 29.08.2014 o 01:13, Alex Xu pisze:
>>>> On 28/08/14 05:02 PM, Sven Vermeulen wrote:
>>>>> On Wed, Aug 27, 2014 at 05:34:20PM +0100, André Aparício wrote:
>>>>>> I encountered the same problem with qemu/kvm but can't even login, I
>>>>>> get random segfaults and even failed malloc assertions
>>>>>> in /sbin/init, /sbin/rc or /bin/login (never past this).
>>>>>>
>>>>>> But it works fine with CONFIG_PAX_MEMORY_UDEREF disabled.
>
>> We should be doing this in a bug report. I'll cc-pipacs.
>
> thanks for the heads up, it's been a known issue for some time but i just
> didn't have the time to deal with it yet. also i was supposed to be on g-h
> already, not sure how i got unsubscribed (seems to have happened at the end
> of july) but i'm on the list again now.
>
>

hardened-sources-3.16.1, issue persists.
Re: Problem with (?) hardened-sources-3.15.x on kvm-vm
W dniu 2014-09-05 o 23:40, Alex Xu pisze:
> On 29/08/14 08:23 AM, PaX Team wrote:
>> On 29 Aug 2014 at 7:31, Anthony G. Basile wrote:
>>
>>> On 08/29/14 03:32, Marcin Mirosław wrote:
>>>> W dniu 29.08.2014 o 01:13, Alex Xu pisze:
>>>>> On 28/08/14 05:02 PM, Sven Vermeulen wrote:
>>>>>> On Wed, Aug 27, 2014 at 05:34:20PM +0100, André Aparício
>>>>>> wrote:
>>>>>>> I encountered the same problem with qemu/kvm but can't
>>>>>>> even login, I get random segfaults and even failed
>>>>>>> malloc assertions in /sbin/init, /sbin/rc or /bin/login
>>>>>>> (never past this).
>>>>>>>
>>>>>>> But it works fine with CONFIG_PAX_MEMORY_UDEREF
>>>>>>> disabled.
>>
>>> We should be doing this in a bug report. I'll cc-pipacs.
>>
>> thanks for the heads up, it's been a known issue for some time
>> but i just didn't have the time to deal with it yet. also i was
>> supposed to be on g-h already, not sure how i got unsubscribed
>> (seems to have happened at the end of july) but i'm on the list
>> again now.
>>
>>
>
> hardened-sources-3.16.1, issue persists.


I just filed a bug to track the issue:
https://bugs.gentoo.org/show_bug.cgi?id=522252