Re: Crashes with Grsecurity kernel

From: Christian Rößner <c_at_roessner-network-solutions.com>
Date: Sat, 10 Jan 2015 16:13:09 +0100

Hi again,

I compared my old 3.15.10 kernel config with the new one, 3.17.7:

diff -Naur old new
--- old 2015-01-10 16:04:54.000000000 +0100
+++ new 2015-01-10 16:05:30.000000000 +0100
_at_@ -1,8 +1,4 @@
 #
-# Security options
-#
-
-#
 # Grsecurity
 #
 CONFIG_TASK_SIZE_MAX_SHIFT=47
_at_@ -21,6 +17,7 @@
 # CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
 CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
 # CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
+# CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set
 CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
 # CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set
 #
_at_@ -76,6 +73,7 @@
 #
 CONFIG_GRKERNSEC_KMEM=y
 CONFIG_GRKERNSEC_IO=y
+CONFIG_GRKERNSEC_BPF_HARDEN=y
 CONFIG_GRKERNSEC_PERF_HARDEN=y
 CONFIG_GRKERNSEC_RAND_THREADSTACK=y
 CONFIG_GRKERNSEC_PROC_MEMMAP=y
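Review bot: CONFIG_GRKERNSEC_BPF_HARDEN=y is the only protection newly enabled in this hunk (KMEM, IO, PERF_HARDEN, RAND_THREADSTACK and PROC_MEMMAP are unchanged between the two configs), and the Kconfig help quoted further down says it disables the eBPF JIT and makes the interpreted BPF code read-only at rest. When bisecting the SIGABRT, turning this one symbol off and rebuilding is the cleanest way to confirm or rule it out, rather than reverting the whole config.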
_at_@ -156,7 +154,6 @@
 #
 # Network Protections
 #
-CONFIG_GRKERNSEC_RANDNET=y
 CONFIG_GRKERNSEC_BLACKHOLE=y
 CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
 # CONFIG_GRKERNSEC_SOCKET is not set
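Review bot: CONFIG_GRKERNSEC_RANDNET=y is dropped from the new config without a corresponding "# CONFIG_GRKERNSEC_RANDNET is not set" line, which suggests the symbol no longer exists in the 3.17.7 grsecurity Kconfig rather than having been disabled in menuconfig. It is therefore not a candidate to re-enable when bisecting; the remaining network protections in this hunk are identical in both configs.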

It seems it is the option: CONFIG_GRKERNSEC_BPF_HARDEN

From make menuconfig:

CONFIG_GRKERNSEC_BPF_HARDEN:

Unlike previous versions of grsecurity that hardened both the BPF
interpreted code against corruption at rest as well as the JIT code
against JIT-spray attacks and attacker-controlled immediate values
for ROP, this feature will enforce disabling of the new eBPF JIT engine
and will ensure the interpreted code is read-only at rest. This feature
may be removed at a later time when eBPF stabilizes to entirely revert
back to the more secure pre-3.16 BPF interpreter/JIT.

If you're using KERNEXEC, it's recommended that you enable this option
to supplement the hardening of the kernel.

Symbol: GRKERNSEC_BPF_HARDEN [=y]
Type : boolean
Prompt: Harden BPF interpreter
  Location:
    -> Security options
      -> Grsecurity
        -> Grsecurity (GRKERNSEC [=y])
          -> Customize Configuration
            -> Memory Protections
  Defined at grsecurity/Kconfig:63
  Depends on: GRKERNSEC [=y]

Maybe it gives you a hint as to where the problem is.

Thanks

Christian

> On 10.01.2015 at 11:27, Christian Rößner <c_at_roessner-network-solutions.com> wrote:
>
> Hi,
>
> one additional note:
>
> I remember I had posted about crashes some months ago. And I remember that the gdb output was normal. So I fear the code below also only shows standard behavior. So in fact I cannot provide gdb output for this issue, but the bug exists :-(
>
> I only hope you can find the problems in the code yourself.
>
> It seems the milter runs for some time, doing its job, and suddenly it crashes. So for me it feels like some memory allocation is not clean. Maybe writing over the end of a buffer or whatever. Sorry that I cannot provide further information.
>
> Christian
>
>> On 10.01.2015 at 11:14, Christian Rößner <c_at_roessner-network-solutions.com> wrote:
>>
>> Hi,
>>
>> unfortunately OpenDKIM 2.9.3 and 2.10.0 fail all the time with a grsecurity-hardened kernel 3.17.7. It seems opendkim is doing something evil, which leads the kernel to trigger a bruteforce attack and kill the process.
>>
>> It is really hard to debug this. Here is the little of the gdb output I could gather:
>>
>> Reading symbols from /usr/lib64/libcrypto.so.1.0.0...(no debugging symbols found)...done.
>> Loaded symbols for /usr/lib64/libcrypto.so.1.0.0
>> Reading symbols from /usr/lib64/liblber-2.4.so.2...Reading symbols from /usr/lib64/debug//usr/lib64/liblber-2.4.so.2.10.1.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/liblber-2.4.so.2
>> Reading symbols from /usr/lib64/libunbound.so.2...(no debugging symbols found)...done.
>> Loaded symbols for /usr/lib64/libunbound.so.2
>> Reading symbols from /usr/lib64/libvbr.so.2...Reading symbols from /usr/lib64/debug//usr/lib64/libvbr.so.2.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/libvbr.so.2
>> Reading symbols from /usr/lib64/librbl.so.1...Reading symbols from /usr/lib64/debug//usr/lib64/librbl.so.1.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/librbl.so.1
>> Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)...done.
>> Loaded symbols for /lib64/libresolv.so.2
>> Reading symbols from /usr/lib64/libbsd.so.0...(no debugging symbols found)...done.
>> Loaded symbols for /usr/lib64/libbsd.so.0
>> Reading symbols from /lib64/libpthread.so.0...(no debugging symbols found)...done.
>> [New LWP 10263]
>> [New LWP 10031]
>> [New LWP 10030]
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib64/libthread_db.so.1".
>> Loaded symbols for /lib64/libpthread.so.0
>> Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
>> Loaded symbols for /lib64/libc.so.6
>> Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
>> Loaded symbols for /lib64/libdl.so.2
>> Reading symbols from /usr/lib/gcc/x86_64-pc-linux-gnu/4.8.3/libstdc++.so.6...(no debugging symbols found)...done.
>> Loaded symbols for /usr/lib/gcc/x86_64-pc-linux-gnu/4.8.3/libstdc++.so.6
>> Reading symbols from /usr/lib/gcc/x86_64-pc-linux-gnu/4.8.3/libgcc_s.so.1...(no debugging symbols found)...done.
>> Loaded symbols for /usr/lib/gcc/x86_64-pc-linux-gnu/4.8.3/libgcc_s.so.1
>> Reading symbols from /usr/lib64/libsasl2.so.3...Reading symbols from /usr/lib64/debug//usr/lib64/libsasl2.so.3.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/libsasl2.so.3
>> Reading symbols from /lib64/libz.so.1...(no debugging symbols found)...done.
>> Loaded symbols for /lib64/libz.so.1
>> Reading symbols from /usr/lib64/libevent-2.0.so.5...(no debugging symbols found)...done.
>> Loaded symbols for /usr/lib64/libevent-2.0.so.5
>> Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
>> Loaded symbols for /lib64/ld-linux-x86-64.so.2
>> 0x000076ae9cfc5a73 in select () from /lib64/libc.so.6
>> (gdb) cont
>> Continuing.
>> Reading symbols from /usr/lib64/libevent-2.0.so.5...(no debugging symbols found)...done.
>> Loaded symbols for /usr/lib64/libevent-2.0.so.5
>> Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
>> Loaded symbols for /lib64/ld-linux-x86-64.so.2
>> Reading symbols from /usr/lib64/sasl2/libanonymous.so...Reading symbols from /usr/lib64/debug//usr/lib64/sasl2/libanonymous.so.3.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/sasl2/libanonymous.so
>> Reading symbols from /usr/lib64/sasl2/libsasldb.so...Reading symbols from /usr/lib64/debug//usr/lib64/sasl2/libsasldb.so.3.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/sasl2/libsasldb.so
>> Reading symbols from /usr/lib64/libgdbm.so.4...(no debugging symbols found)...done.
>> Loaded symbols for /usr/lib64/libgdbm.so.4
>> Reading symbols from /usr/lib64/sasl2/libntlm.so...Reading symbols from /usr/lib64/debug//usr/lib64/sasl2/libntlm.so.3.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/sasl2/libntlm.so
>> Reading symbols from /usr/lib64/sasl2/libplain.so...Reading symbols from /usr/lib64/debug//usr/lib64/sasl2/libplain.so.3.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/sasl2/libplain.so
>> Reading symbols from /usr/lib64/sasl2/libldapdb.so...Reading symbols from /usr/lib64/debug//usr/lib64/sasl2/libldapdb.so.3.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/sasl2/libldapdb.so
>> Reading symbols from /usr/lib64/sasl2/libdigestmd5.so...Reading symbols from /usr/lib64/debug//usr/lib64/sasl2/libdigestmd5.so.3.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/sasl2/libdigestmd5.so
>> Reading symbols from /usr/lib64/sasl2/libotp.so...Reading symbols from /usr/lib64/debug//usr/lib64/sasl2/libotp.so.3.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/sasl2/libotp.so
>> Reading symbols from /usr/lib64/sasl2/liblogin.so...Reading symbols from /usr/lib64/debug//usr/lib64/sasl2/liblogin.so.3.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/sasl2/liblogin.so
>> Reading symbols from /usr/lib64/sasl2/libcrammd5.so...Reading symbols from /usr/lib64/debug//usr/lib64/sasl2/libcrammd5.so.3.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/sasl2/libcrammd5.so
>> Reading symbols from /usr/lib64/sasl2/libscram.so...Reading symbols from /usr/lib64/debug//usr/lib64/sasl2/libscram.so.3.0.0.debug...done.
>> done.
>> Loaded symbols for /usr/lib64/sasl2/libscram.so
>> 0x000067899d8e2a73 in select () from /lib64/libc.so.6
>> (gdb) cont
>> Continuing.
>> [New Thread 0x67898bf89700 (LWP 12966)]
>>
>> Program received signal SIGABRT, Aborted.
>> [Switching to Thread 0x67898bf89700 (LWP 12966)]
>> 0x000067899d834825 in raise () from /lib64/libc.so.6
>> (gdb) bt
>> #0 0x000067899d834825 in raise () from /lib64/libc.so.6
>> #1 0x000067899d835ca8 in abort () from /lib64/libc.so.6
>> #2 0x000067899d874e22 in ?? () from /lib64/libc.so.6
>> #3 0x000067899d874e4e in __libc_fatal () from /lib64/libc.so.6
>> #4 0x000067899d8808a5 in ?? () from /lib64/libc.so.6
>> #5 0x000067899d88096b in ?? () from /lib64/libc.so.6
>> #6 0x000067899d880d17 in ?? () from /lib64/libc.so.6
>> #7 0x00006789a0086e77 in mi_handle_session () from /usr/lib64/libmilter.so.1.0.2
>> #8 0x00006789a0085969 in ?? () from /usr/lib64/libmilter.so.1.0.2
>> #9 0x000067899dbb21da in start_thread () from /lib64/libpthread.so.0
>> #10 0x000067899d8e9e7d in clone () from /lib64/libc.so.6
>>
>> I use this kernel for about 10 servers with dozens of applications and unfortunately opendkim is the only application that causes trouble. So I fear there must be a problem with the code :-(
>>
>> As a temporary workaround I am running a standard 3.17.7 kernel without grsecurity.
>>
>> Kind regards
>>
>> Christian
>

--
Bachelor of Science Informatik
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
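The config comparison done by hand above and the BPF_HARDEN check it points to, as an added example that is not part of the original thread: a POSIX shell script that reports the state of a CONFIG_ symbol in a kernel config file, lists the grsecurity symbols whose state differs between two configs, and reads the upstream bpf_jit_enable sysctl of the running kernel. Config file paths are passed as arguments; the sample configs used in the usage call are constructed, not the poster's.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Compares kernel configs
# the way the hand-made diff above does and checks the JIT state the
# CONFIG_GRKERNSEC_BPF_HARDEN help text talks about.

# Print "y", "m", "n" (explicitly unset) or "absent" for a CONFIG_ symbol.
# $1 = path to a kernel .config, $2 = symbol name without the CONFIG_ prefix
config_state() {
    _file=$1; _sym=$2
    if grep -q "^CONFIG_${_sym}=y$" "$_file"; then echo y
    elif grep -q "^CONFIG_${_sym}=m$" "$_file"; then echo m
    elif grep -q "^# CONFIG_${_sym} is not set$" "$_file"; then echo n
    else echo absent
    fi
}

# List GRKERNSEC_* symbols whose state differs, one "SYMBOL old->new" per line.
# "absent" on either side means the symbol does not exist in that Kconfig at all,
# which is different from "n" (present but disabled in menuconfig).
# $1 = old config, $2 = new config
grsec_changes() {
    for _sym in $(sed -n 's/^# CONFIG_\(GRKERNSEC_[A-Z0-9_]*\) is not set$/\1/p;
                          s/^CONFIG_\(GRKERNSEC_[A-Z0-9_]*\)=.*/\1/p' "$1" "$2" | sort -u); do
        _old=$(config_state "$1" "$_sym"); _new=$(config_state "$2" "$_sym")
        [ "$_old" = "$_new" ] || echo "$_sym $_old->$_new"
    done
}

# Live check of the running kernel: upstream sysctl for the BPF JIT
# (0 = interpreter only, which is what BPF_HARDEN enforces). Prints "n/a"
# when the file is not readable, e.g. in a container without /proc/sys.
bpf_jit_state() {
    _f=/proc/sys/net/core/bpf_jit_enable
    if [ -r "$_f" ]; then cat "$_f"; else echo n/a; fi
}

# Usage with two constructed configs (assumption: temp files are writable).
_old=$(mktemp); _new=$(mktemp)
printf 'CONFIG_GRKERNSEC_KMEM=y\nCONFIG_GRKERNSEC_RANDNET=y\n# CONFIG_GRKERNSEC_SOCKET is not set\n' > "$_old"
printf 'CONFIG_GRKERNSEC_KMEM=y\nCONFIG_GRKERNSEC_BPF_HARDEN=y\n# CONFIG_GRKERNSEC_SOCKET is not set\n' > "$_new"
grsec_changes "$_old" "$_new"
echo "bpf_jit_enable: $(bpf_jit_state)"
rm -f "$_old" "$_new"
```

Run it against /boot/config-$(uname -r) of the old and new kernels to get the same list the mail derives from the diff, with absent symbols separated from disabled ones.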

Received on Sat Jan 10 2015 - 15:13:26 PST

This archive was generated by hypermail 2.3.0 : Sat Jan 10 2015 - 15:18:00 PST