Gentoo Archives: gentoo-hardened

From: "Max R.D. Parmer" <maxp@××××××××.is>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] systemd-229 segfault triggers bruteforce prevention
Date: Thu, 02 Jun 2016 00:31:15
Message-Id: 1464827467.3073972.625373321.5D92BA87@webmail.messagingengine.com
In Reply to: Re: [gentoo-hardened] systemd-229 segfault triggers bruteforce prevention by "Tóth Attila"
1 On Wed, Jun 1, 2016, at 15:49, Tóth Attila wrote:
2 > I've just had an unsuccessful attempt to upgrade to systemd-230-r1. It
3 > segfaults and slows the system down. The symptoms are better compared to
4 > -229, but still significant.
5 >
6 > https://forums.grsecurity.net/viewtopic.php?f=3&t=4485
7 >
8 > Some relevant log entries:
9 > grsec: denied resource overstep by requesting 8392704 for RLIMIT_STACK
10 > against limit 8388608 for /usr/lib64/systemd/systemd[systemd:2735]
11 > uid/euid:0/0 gid/egid:0/0, parent /usr/lib64/systemd/systemd[systemd:1]
12 > uid/euid:0/0 gid/egid:0/0
13 > systemd[2735]: segfault at 39f8d01cf00 ip 00000368d4caa2e4 sp
14 > 0000039f8d01cf00 error 6 in libc-2.23.so[368d4c62000+19a000]
15 > grsec: Segmentation fault occurred at 0000039f8d01cf00 in
16 > /usr/lib64/systemd/systemd[systemd:2735] uid/euid:0/0 gid/egid:0/0,
17 > parent
18 > /usr/lib64/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
19 > grsec: bruteforce prevention initiated for the next 30 minutes or until
20 > service restarted, stalling each fork 30 seconds. Please investigate the
21 > crash report for /usr/lib64/systemd/systemd[systemd:2735] uid/euid:0/0
22 > gid/egid:0/0, parent /usr/lib64/systemd/systemd[systemd:1] uid/euid:0/0
23 > gid/egid:0/0
24 >
25 > systemd-coredump[2747]: Process 2735 (systemd) of user 0 dumped core.
26 >
27 > Stack trace of thread
28 > 2735:
29 > #0 0x00000368d4caa2e4
30 > _IO_vfprintf
31 > (libc.so.6)
32 > #1 0x00000368d4d5e852
33 > __vsnprintf_chk
34 > (libc.so.6)
35 > #2 0x00000368d4d5e7a4
36 > __snprintf_chk
37 > (libc.so.6)
38 > #3 0x00000000df8db344
39 > n/a (systemd)
40 > #4 0x00000000df8db9aa
41 > n/a (systemd)
42 > #5 0x00000000df8da72f
43 > n/a (systemd)
44 > #6 0x00000000df8db314
45 > n/a (systemd)
46 > #7 0x00000000df8db9aa
47 > n/a (systemd)
48 > #8 0x00000000df8da72f
49 > n/a (systemd)
50 > #9 0x00000000df8db314
51 > n/a (systemd)
52 > #10 0x00000000df8db9aa
53 > n/a (systemd)
54 > #11 0x00000000df8da72f
55 > n/a (systemd)
56 > #12 0x00000000df8db314
57 > n/a (systemd)
58 > #13 0x00000000df8db9aa
59 > n/a (systemd)
60 > #14 0x00000000df8da72f
61 > n/a (systemd)
62 > #15 0x00000000df8db314
63 > n/a (systemd)
64 > #16 0x00000000df8db9aa
65 > n/a (systemd)
66 > #17 0x00000000df8da72f
67 > n/a (systemd)
68 > #18 0x00000000df8db314
69 > n/a (systemd)
70 > #19 0x00000000df8db9aa
71 > n/a (systemd)
72 > #20 0x00000000df8da72f
73 > n/a (systemd)
74 > #21 0x00000000df8db314
75 > n/a (systemd)
76 > #22 0x00000000df8db9aa
77 > n/a (systemd)
78 > #23 0x00000000df8da72f
79 > n/a (systemd)
80 > #24 0x00000000df8db314
81 > n/a (systemd)
82 > #25 0x00000000df8db9aa
83 > n/a (systemd)
84 > #26 0x00000000df8da72f
85 > n/a (systemd)
86 > #27 0x00000000df8db314
87 > n/a (systemd)
88 > #28 0x00000000df8db9aa
89 > n/a (systemd)
90 > #29 0x00000000df8da72f
91 > n/a (systemd)
92 > #30 0x00000000df8db314
93 > n/a (systemd)
94 > #31 0x00000000df8db9aa
95 > n/a (systemd)
96 > #32 0x00000000df8da72f
97 > n/a (systemd)
98 > #33 0x00000000df8db314
99 > n/a (systemd)
100 > #34 0x00000000df8db9aa
101 > n/a (systemd)
102 > #35 0x00000000df8da72f
103 > n/a (systemd)
104 > #36 0x00000000df8db314
105 > n/a (systemd)
106 > #37 0x00000000df8db9aa
107 > n/a (systemd)
108 > #38 0x00000000df8da72f
109 > n/a (systemd)
110 > #39 0x00000000df8db314
111 > n/a (systemd)
112 > #40 0x00000000df8db9aa
113 > n/a (systemd)
114 > #41 0x00000000df8da72f
115 > n/a (systemd)
116 > #42 0x00000000df8db314
117 > n/a (systemd)
118 > #43 0x00000000df8db9aa
119 > n/a (systemd)
120 > #44 0x00000000df8da72f
121 > n/a (systemd)
122 > #45 0x00000000df8db314
123 > n/a (systemd)
124 > #46 0x00000000df8db9aa
125 > n/a (systemd)
126 > #47 0x00000000df8da72f
127 > n/a (systemd)
128 > #48 0x00000000df8db314
129 > n/a (systemd)
130 > #49 0x00000000df8db9aa
131 > n/a (systemd)
132 > #50 0x00000000df8da72f
133 > n/a (systemd)
134 > #51 0x00000000df8db314
135 > n/a (systemd)
136 > #52 0x00000000df8db9aa
137 > n/a (systemd)
138 > #53 0x00000000df8da72f
139 > n/a (systemd)
140 > #54 0x00000000df8db314
141 > n/a (systemd)
142 > #55 0x00000000df8db9aa
143 > n/a (systemd)
144 > #56 0x00000000df8da72f
145 > n/a (systemd)
146 > #57 0x00000000df8db314
147 > n/a (systemd)
148 > #58 0x00000000df8db9aa
149 > n/a (systemd)
150 > #59 0x00000000df8da72f
151 > n/a (systemd)
152 > #60 0x00000000df8db314
153 > n/a (systemd)
154 > #61 0x00000000df8db9aa
155 > n/a (systemd)
156 > #62 0x00000000df8da72f
157 > n/a (systemd)
158 > #63 0x00000000df8db314
159 > n/a (systemd)
160 > systemd-logind[897]: Failed to abandon session scope: Connection timed
161 > out
162 >
163 >
164 > Any of you have problems with the latest versions of systemd as well? Any
165 > ideas?
166 >
167 > Thanks:
168 > Dw.
169 > --
170 > dr Tóth Attila, Radiológus, 06-20-825-8057
171 > Attila Toth MD, Radiologist, +36-20-825-8057
172 >
173 > 2016.Március 10.(Cs) 01:53 időpontban "Tóth Attila" ezt írta:
174 > > After upgrading to systemd-229 it segfaults early during boot triggering
175 > > bruteforce prevention, which renders the system annoyingly slow.
176 > >
177 > > grsec: Segmentation fault occurred at 000003e45975efd0 in
178 > > /usr/lib64/systemd/systemd[systemd:1135]
179 > > grsec: bruteforce prevention initiated for the next 30 minutes or until
180 > > service restarted, stalling each fork 30 seconds. Please investigate the
181 > > crash report for /usr/lib64/systemd/systemd[systemd:1135]
182 > >
183 > > Avoid it or be aware that might happen: Dw.
184 > > --
185 > > dr Tóth Attila, Radiológus, 06-20-825-8057
186 > > Attila Toth MD, Radiologist, +36-20-825-8057
187
188 Not necessarily the ideal solution, but have you tried twiddling with
189 the stack size in limits.conf?
190
191 If I read this right, grsec limits the size of the stack, which causes
192 the process to segfault.
193
194 --
195 0x7D964D3361142ACF

Replies

Subject Author
Re: [gentoo-hardened] systemd-229 segfault triggers bruteforce prevention "Tóth Attila" <atoth@××××××××××.hu>