1 |
pageexec@××××××××.hu wrote: |
2 |
> On 3 Nov 2007 at 19:02, Brian Kroth wrote: |
3 |
> |
4 |
>>> i'm almost sure it's a bug somewhere in vma mirroring as that's the |
5 |
>>> only thing i changed in .22 and on and it does play with page locking |
6 |
>>> (the bad page state is triggered because a to-be-freed page is still |
7 |
>>> locked, that's means there's a missing unlock somewhere in the code, |
8 |
>>> but i couldn't figure it out from the code yet). |
9 |
>> Where's the code for this? I'm no kernel guru by any means, but I'd |
10 |
>> still be interested to look at it and learn. |
11 |
> |
12 |
> it's all of mm/memory.c:pax*mirror*pte() . |
13 |
> |
14 |
>> So far this is only on that single machine, and only for nagios and |
15 |
>> cacti. |
16 |
> |
17 |
> based on the maps files, both cactid and nagios are PIEs. two questions: |
18 |
> are they the only PIEs on this system (that regularly run, that is) and |
19 |
> do you have PIEs on the other systems that don't show the symptomps? |
20 |
|
21 |
I'm using the hardened/x86/2.6 profile which enables the pic use flag. |
22 |
Here's where my understanding gets hazy. PIC != PIE, but the two are |
23 |
related in that PIC creates position independent code, but not for |
24 |
executables? Anyways, how would I check? |
25 |
|
26 |
> |
27 |
>> I rebuilt the kernel with the config that's attached. I've |
28 |
>> basically turned on a few more debug settings in the kernel and turned |
29 |
>> off the randomization features of pax (CONFIG_PAX_ASLR) and the "remove |
30 |
>> addresses" feature of grsec (CONFIG_GRKERNSEC_PROC_MEMMAP) like you |
31 |
>> asked. Tweaked my sec script to copy the maps files before killing the |
32 |
>> offending processes. Everything should be in the tar. Let me know if |
33 |
>> you need anything else. |
34 |
> |
35 |
> ok, three more things please. first, 'echo 0 >| |
36 |
> /proc/sys/kernel/randomize_va_space' |
37 |
> as well (in fact, you can re-enable ASLR in PaX, the sysctl controls it as |
38 |
> well), second, enable CONFIG_FRAME_POINTER (this will change memory.o so |
39 |
> i'll need it again), third, add the following patch on top of PaX (i think |
40 |
> it'll patch over grsec as well, maybe with offsets). note that it's most |
41 |
> likely whitespace damaged, but should be easy to copy/paste by hand: |
42 |
> |
43 |
> --- linux-2.6.23-pax/mm/memory.c 2007-10-23 00:27:08.000000000 +0200 |
44 |
> +++ linux-2.6.23-pax-debug/mm/memory.c 2007-11-04 01:33:04.000000000 +0100 |
45 |
> @@ -1960,6 +1960,8 @@ gotten: |
46 |
> } |
47 |
> if (new_page) |
48 |
> page_cache_release(new_page); |
49 |
> + if (old_page && (old_page->flags & PG_locked)) |
50 |
> + printk("PAX: %u %08lx %08lx-%08lx %08lx\n", current->pid, |
51 |
> address, vma->vm_start, vma->vm_end, vma->vm_pgoff); |
52 |
> if (old_page) |
53 |
> page_cache_release(old_page); |
54 |
> unlock: |
55 |
|
56 |
I added this to the 2.6.22-hardened-r8 kernel, it's building now - do |
57 |
you want me to be testing this with 2.6.23? |
58 |
|
59 |
> |
60 |
> i'll again need the logs (there will be more info in it because of the above) |
61 |
> and the maps file of the failing process. |
62 |
> |
63 |
>> PS - would you like me to take this off list? |
64 |
> |
65 |
> no need unless you don't want to leak any more of your host names |
66 |
> in kernel logs ;-). actually, attachments this big you can send me |
67 |
> directly and don't bother the list with it, but the discussion may |
68 |
> be interesting for others as well. |
69 |
> |