| 1 |
On 3 Nov 2007 at 19:02, Brian Kroth wrote: |
| 2 |
|
| 3 |
> > i'm almost sure it's a bug somewhere in vma mirroring as that's the |
| 4 |
> > only thing i changed in .22 and on and it does play with page locking |
| 5 |
> > (the bad page state is triggered because a to-be-freed page is still |
| 6 |
> > locked, that's means there's a missing unlock somewhere in the code, |
| 7 |
> > but i couldn't figure it out from the code yet). |
| 8 |
> |
| 9 |
> Where's the code for this? I'm no kernel guru by any means, but I'd |
| 10 |
> still be interested to look at it and learn. |
| 11 |
|
| 12 |
it's all of mm/memory.c:pax*mirror*pte() . |
| 13 |
|
| 14 |
> So far this is only on that single machine, and only for nagios and |
| 15 |
> cacti. |
| 16 |
|
| 17 |
based on the maps files, both cactid and nagios are PIEs. two questions: |
| 18 |
are they the only PIEs on this system (that regularly run, that is) and |
| 19 |
do you have PIEs on the other systems that don't show the symptomps? |
| 20 |
|
| 21 |
> I rebuilt the kernel with the config that's attached. I've |
| 22 |
> basically turned on a few more debug settings in the kernel and turned |
| 23 |
> off the randomization features of pax (CONFIG_PAX_ASLR) and the "remove |
| 24 |
> addresses" feature of grsec (CONFIG_GRKERNSEC_PROC_MEMMAP) like you |
| 25 |
> asked. Tweaked my sec script to copy the maps files before killing the |
| 26 |
> offending processes. Everything should be in the tar. Let me know if |
| 27 |
> you need anything else. |
| 28 |
|
| 29 |
ok, three more things please. first, 'echo 0 >| |
| 30 |
/proc/sys/kernel/randomize_va_space' |
| 31 |
as well (in fact, you can re-enable ASLR in PaX, the sysctl controls it as |
| 32 |
well), second, enable CONFIG_FRAME_POINTER (this will change memory.o so |
| 33 |
i'll need it again), third, add the following patch on top of PaX (i think |
| 34 |
it'll patch over grsec as well, maybe with offsets). note that it's most |
| 35 |
likely whitespace damaged, but should be easy to copy/paste by hand: |
| 36 |
|
| 37 |
--- linux-2.6.23-pax/mm/memory.c 2007-10-23 00:27:08.000000000 +0200 |
| 38 |
+++ linux-2.6.23-pax-debug/mm/memory.c 2007-11-04 01:33:04.000000000 +0100 |
| 39 |
@@ -1960,6 +1960,8 @@ gotten: |
| 40 |
} |
| 41 |
if (new_page) |
| 42 |
page_cache_release(new_page); |
| 43 |
+ if (old_page && (old_page->flags & PG_locked)) |
| 44 |
+ printk("PAX: %u %08lx %08lx-%08lx %08lx\n", current->pid, |
| 45 |
address, vma->vm_start, vma->vm_end, vma->vm_pgoff); |
| 46 |
if (old_page) |
| 47 |
page_cache_release(old_page); |
| 48 |
unlock: |
| 49 |
|
| 50 |
i'll again need the logs (there will be more info in it because of the above) |
| 51 |
and the maps file of the failing process. |
| 52 |
|
| 53 |
> PS - would you like me to take this off list? |
| 54 |
|
| 55 |
no need unless you don't want to leak any more of your host names |
| 56 |
in kernel logs ;-). actually, attachments this big you can send me |
| 57 |
directly and don't bother the list with it, but the discussion may |
| 58 |
be interesting for others as well. |
| 59 |
|
| 60 |
-- |
| 61 |
gentoo-hardened@g.o mailing list |
Archives