| 1 |
pageexec@××××××××.hu wrote: |
| 2 |
> On 3 Nov 2007 at 19:02, Brian Kroth wrote: |
| 3 |
> |
| 4 |
>>> i'm almost sure it's a bug somewhere in vma mirroring as that's the |
| 5 |
>>> only thing i changed in .22 and on and it does play with page locking |
| 6 |
>>> (the bad page state is triggered because a to-be-freed page is still |
| 7 |
>>> locked, that's means there's a missing unlock somewhere in the code, |
| 8 |
>>> but i couldn't figure it out from the code yet). |
| 9 |
>> Where's the code for this? I'm no kernel guru by any means, but I'd |
| 10 |
>> still be interested to look at it and learn. |
| 11 |
> |
| 12 |
> it's all of mm/memory.c:pax*mirror*pte() . |
| 13 |
> |
| 14 |
>> So far this is only on that single machine, and only for nagios and |
| 15 |
>> cacti. |
| 16 |
> |
| 17 |
> based on the maps files, both cactid and nagios are PIEs. two questions: |
| 18 |
> are they the only PIEs on this system (that regularly run, that is) and |
| 19 |
> do you have PIEs on the other systems that don't show the symptomps? |
| 20 |
|
| 21 |
I'm using the hardened/x86/2.6 profile which enables the pic use flag. |
| 22 |
Here's where my understanding gets hazy. PIC != PIE, but the two are |
| 23 |
related in that PIC creates position independent code, but not for |
| 24 |
executables? Anyways, how would I check? |
| 25 |
|
| 26 |
> |
| 27 |
>> I rebuilt the kernel with the config that's attached. I've |
| 28 |
>> basically turned on a few more debug settings in the kernel and turned |
| 29 |
>> off the randomization features of pax (CONFIG_PAX_ASLR) and the "remove |
| 30 |
>> addresses" feature of grsec (CONFIG_GRKERNSEC_PROC_MEMMAP) like you |
| 31 |
>> asked. Tweaked my sec script to copy the maps files before killing the |
| 32 |
>> offending processes. Everything should be in the tar. Let me know if |
| 33 |
>> you need anything else. |
| 34 |
> |
| 35 |
> ok, three more things please. first, 'echo 0 >| |
| 36 |
> /proc/sys/kernel/randomize_va_space' |
| 37 |
> as well (in fact, you can re-enable ASLR in PaX, the sysctl controls it as |
| 38 |
> well), second, enable CONFIG_FRAME_POINTER (this will change memory.o so |
| 39 |
> i'll need it again), third, add the following patch on top of PaX (i think |
| 40 |
> it'll patch over grsec as well, maybe with offsets). note that it's most |
| 41 |
> likely whitespace damaged, but should be easy to copy/paste by hand: |
| 42 |
> |
| 43 |
> --- linux-2.6.23-pax/mm/memory.c 2007-10-23 00:27:08.000000000 +0200 |
| 44 |
> +++ linux-2.6.23-pax-debug/mm/memory.c 2007-11-04 01:33:04.000000000 +0100 |
| 45 |
> @@ -1960,6 +1960,8 @@ gotten: |
| 46 |
> } |
| 47 |
> if (new_page) |
| 48 |
> page_cache_release(new_page); |
| 49 |
> + if (old_page && (old_page->flags & PG_locked)) |
| 50 |
> + printk("PAX: %u %08lx %08lx-%08lx %08lx\n", current->pid, |
| 51 |
> address, vma->vm_start, vma->vm_end, vma->vm_pgoff); |
| 52 |
> if (old_page) |
| 53 |
> page_cache_release(old_page); |
| 54 |
> unlock: |
| 55 |
|
| 56 |
I added this to the 2.6.22-hardened-r8 kernel, it's building now - do |
| 57 |
you want me to be testing this with 2.6.23? |
| 58 |
|
| 59 |
> |
| 60 |
> i'll again need the logs (there will be more info in it because of the above) |
| 61 |
> and the maps file of the failing process. |
| 62 |
> |
| 63 |
>> PS - would you like me to take this off list? |
| 64 |
> |
| 65 |
> no need unless you don't want to leak any more of your host names |
| 66 |
> in kernel logs ;-). actually, attachments this big you can send me |
| 67 |
> directly and don't bother the list with it, but the discussion may |
| 68 |
> be interesting for others as well. |
| 69 |
> |
Archives