| 1 |
Hello, |
| 2 |
|
| 3 |
I'm using the gentoo hardened sources (specifically, 2.6.14-hardened-r7) |
| 4 |
and I'm getting a reproducable kernel panic everytime I disable the acl |
| 5 |
system. I've had this iss on 2.6.14-hardened-r5 before, however, it |
| 6 |
hasn't been an issue up till now (as now I want to use the acl interface |
| 7 |
properly) |
| 8 |
|
| 9 |
dmesg gives the following: |
| 10 |
|
| 11 |
<6>grsec: (admin:S:/) exec of /sbin/gradm (/sbin/gradm -D ) by |
| 12 |
bin/bash[bash: |
| 13 |
20173] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18492] |
| 14 |
uid/euid:0/0 gid/ |
| 15 |
egid:0/0 |
| 16 |
<1>grsec: shutdown auth success for /sbin/gradm[gradm:20173] |
| 17 |
uid/euid:0/0 gid/ |
| 18 |
egid:0/0, parent /bin/bash[bash:18492] uid/euid:0/0 gid/egid:0/0 |
| 19 |
<1>Unable to handle kernel paging request at virtual address 6b6b6c37 |
| 20 |
<1> printing eip: |
| 21 |
<4>000f01c0 |
| 22 |
<1>*pgd = 0 |
| 23 |
<1>*pmd = 0 |
| 24 |
<1>Oops: 0000 [#1] |
| 25 |
<4>Modules linked in: |
| 26 |
<4>CPU: 0 |
| 27 |
<4>EIP: 0060:[<000f01c0>] Not tainted VLI |
| 28 |
<4>EFLAGS: 00010202 (2.6.14-hardened-r7-y0) |
| 29 |
<4>EIP is at free_variables+0x24e/0x2b8 |
| 30 |
<4>eax: cba8c2fc ebx: cf1c9b00 ecx: 00000007 edx: 00000007 |
| 31 |
<4>esi: 00000000 edi: 6b6b6b6b ebp: cb6f5f2c esp: cb6f5f10 |
| 32 |
<4>ds: 007b es: 007b ss: 0068 |
| 33 |
<4>Process gradm (pid: 20173, threadinfo=cb6f4000 task=cfcfb570) |
| 34 |
<4>Stack: 7e9143b5 8c875d91 72b80524 00000007 0000000c 00000000 |
| 35 |
00000000 cb6f5 |
| 36 |
f6c |
| 37 |
<4> 000f32ac 00000002 c069b034 00000007 cb648d00 ce981000 |
| 38 |
17509d50 17509 |
| 39 |
d50 |
| 40 |
<4> 1751ca38 00000218 0000011c 00000001 c0c0ef00 cb648d00 |
| 41 |
1751cb58 cb6f5 |
| 42 |
f8c |
| 43 |
<4>Call Trace: |
| 44 |
<4> [<000033a7>] show_stack+0x7a/0x90 |
| 45 |
<4> [<0000352d>] show_registers+0x157/0x1d9 |
| 46 |
<4> [<00003706>] die+0xc6/0x152 |
| 47 |
<4> [<0026b7ea>] do_page_fault+0x580/0x860 |
| 48 |
<4> [<0000305f>] error_code+0x4f/0x60 |
| 49 |
<4> [<000f32ac>] write_grsec_handler+0x74c/0x7d6 |
| 50 |
<4> [<0004d2a9>] vfs_write+0x165/0x16a |
| 51 |
<4> [<0004d34f>] sys_write+0x3d/0x64 |
| 52 |
<4> [<00002d89>] syscall_call+0x7/0xb |
| 53 |
<4>Code: 3d 00 10 00 00 77 57 8b 43 30 e8 63 95 f4 ff 83 45 f0 01 8b 15 b4 a7 |
| 54 |
cb c0 3b 55 f0 e9 7b fe ff ff 8b 43 30 8b 3c b0 85 ff 74 60 |
| 55 |
<8b> 8f cc 00 00 00 |
| 56 |
85 c9 2e 0f 84 73 ff ff ff 8b 87 d0 00 00 00 |
| 57 |
<4> |
| 58 |
|
| 59 |
Disassembling the free_variables gives: |
| 60 |
|
| 61 |
0x000f01c0 <free_variables+590>: mov 0xcc(%edi),%ecx |
| 62 |
|
| 63 |
and edi is 6b6b6b6b (ascii 'k', which is #define POISON_FREE 0x6b |
| 64 |
/* for use-after-free poisoning */)) |
| 65 |
|
| 66 |
The gcc version is 3.4.5 (gentoo hardened 3.4.5-r1, ssp-3.4.5-1.0, |
| 67 |
pie-8.7.9). |
| 68 |
|
| 69 |
To reproduce this issue, I generally do: |
| 70 |
|
| 71 |
gradm -E -L blah3 |
| 72 |
su - andrewg |
| 73 |
/sbin/gradm -a admin |
| 74 |
su - |
| 75 |
/sbin/gradm -D |
| 76 |
(which then prompts me for the password, then goes b00m): |
| 77 |
|
| 78 |
I've been talking to a guy about debugging this, who recommended I |
| 79 |
enable slab debugging (i also enabled other debugging stuff such as ebp |
| 80 |
/ extra info). When slab debugging is turned off, it dies inside the |
| 81 |
a kernel thread, to quote "that thread is used to free unused slab pages back |
| 82 |
to the main buddy allocator". After turning on slab debugging, it dies |
| 83 |
in free_variables. |
| 84 |
|
| 85 |
The vmlinux image, system.map, .config and acl rules I'm using can be |
| 86 |
downloaded from http://felinemenace.org/~andrewg/acl-crash.tgz, or |
| 87 |
alternatively individually from |
| 88 |
http://felinemenace.org/~andrewg/acl-crash/ |
| 89 |
|
| 90 |
I'm using kdb on the kernel, and can use that to further debug if need |
| 91 |
be. |
| 92 |
|
| 93 |
Not sure which list this message is best suited towards, so I've cross |
| 94 |
posted, though I suspect a lot of people will be reading the message |
| 95 |
twice, so sorry about that. |
| 96 |
|
| 97 |
Thanks, |
| 98 |
Andrew Griffiths |
| 99 |
-- |
| 100 |
gentoo-hardened@g.o mailing list |
Archives