On 3 Nov 2007 at 19:02, Brian Kroth wrote:

> > i'm almost sure it's a bug somewhere in vma mirroring as that's the
> > only thing i changed in .22 and on and it does play with page locking
> > (the bad page state is triggered because a to-be-freed page is still
> > locked, that means there's a missing unlock somewhere in the code,
> > but i couldn't figure it out from the code yet).
>
> Where's the code for this? I'm no kernel guru by any means, but I'd
> still be interested to look at it and learn.

it's all of mm/memory.c:pax_mirror_pte().

> So far this is only on that single machine, and only for nagios and
> cacti.

based on the maps files, both cactid and nagios are PIEs. two questions:
are they the only PIEs on this system (that regularly run, that is) and
do you have PIEs on the other systems that don't show the symptoms?

> I rebuilt the kernel with the config that's attached. I've
> basically turned on a few more debug settings in the kernel and turned
> off the randomization features of pax (CONFIG_PAX_ASLR) and the "remove
> addresses" feature of grsec (CONFIG_GRKERNSEC_PROC_MEMMAP) like you
> asked. Tweaked my sec script to copy the maps files before killing the
> offending processes. Everything should be in the tar. Let me know if
> you need anything else.

ok, three more things please. first, 'echo 0 >| /proc/sys/kernel/randomize_va_space'
as well (in fact, you can re-enable ASLR in PaX, the sysctl controls it as
well), second, enable CONFIG_FRAME_POINTER (this will change memory.o so
i'll need it again), third, add the following patch on top of PaX (i think
it'll patch over grsec as well, maybe with offsets). note that it's most
likely whitespace damaged, but should be easy to copy/paste by hand:

--- linux-2.6.23-pax/mm/memory.c 2007-10-23 00:27:08.000000000 +0200
+++ linux-2.6.23-pax-debug/mm/memory.c 2007-11-04 01:33:04.000000000 +0100
@@ -1960,6 +1960,8 @@ gotten:
}
if (new_page)
page_cache_release(new_page);
+ if (old_page && (old_page->flags & PG_locked))
+ printk("PAX: %u %08lx %08lx-%08lx %08lx\n", current->pid,
address, vma->vm_start, vma->vm_end, vma->vm_pgoff);
if (old_page)
page_cache_release(old_page);
unlock:
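Review bot: the locked-page test on the first added line, `old_page->flags & PG_locked`, cannot trigger the print: PG_locked is a bit number, not a mask (it is defined as 0 in 2.6.23's include/linux/page-flags.h), so the expression is always zero and the printk never fires, which would make the "more info in the logs" expected from this patch silently absent. Use `PageLocked(old_page)` (equivalently `test_bit(PG_locked, &old_page->flags)`), which is how the rest of mm/ tests that flag. Two smaller points: the printk carries no log level (KERN_ERR or KERN_DEBUG) and prints `current->pid` with `%u` although pid_t is signed, and the continuation line `address, vma->vm_start, vma->vm_end, vma->vm_pgoff);` has lost its leading `+`, so whoever applies this by hand, as the note about whitespace damage suggests, has to restore it or patch(1) will reject the hunk.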

i'll again need the logs (there will be more info in it because of the above)
and the maps file of the failing process.

> PS - would you like me to take this off list?

no need unless you don't want to leak any more of your host names
in kernel logs ;-). actually, attachments this big you can send me
directly and don't bother the list with it, but the discussion may
be interesting for others as well.
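The "which of these are PIEs" question above was answered from the maps files; the ELF headers settle it directly and for every binary on the box, not only the ones that happened to crash. The following is an added example written for this page, not code from the thread or from PaX: it parses the ELF header and program headers (32- and 64-bit, either byte order) and reports an ET_DYN object that has a PT_INTERP entry as a PIE executable, ET_DYN without one as a plain shared object (a static PIE also lacks PT_INTERP and would land in that bucket), and ET_EXEC as a fixed-address executable. The sample images are constructed inline with headers only, so it runs without a real binary; classify_path() is the helper to point at /proc/<pid>/exe of a live process.

```python
"""Decide whether an ELF binary is a PIE (ET_DYN with a program interpreter)
or a fixed-address ET_EXEC executable, from the file's own headers.
Added example for this page; not part of the thread or of PaX.
"""
import struct

ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP = 1, 3


def classify_elf(data: bytes) -> str:
    """Return 'exec', 'static-exec', 'pie', 'shared-object' or 'other'.

    Only the ELF header and the p_type word of each program header are read.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    if ei_class == ELFCLASS32:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags
        # e_ehsize e_phentsize e_phnum   (32-bit: entry/offsets are 4 bytes)
        hdr_fmt = endian + "HHIIIIIHHH"
    elif ei_class == ELFCLASS64:
        # same fields, entry/offsets are 8 bytes
        hdr_fmt = endian + "HHIQQQIHHH"
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    (e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from(hdr_fmt, data, 16)

    # p_type is the first 32-bit word of a program header in both ELF classes.
    has_interp = any(
        struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0]
        == PT_INTERP
        for i in range(e_phnum)
    )

    if e_type == ET_EXEC:
        return "exec" if has_interp else "static-exec"
    if e_type == ET_DYN:
        # A dynamically linked PIE carries PT_INTERP; a plain .so does not.
        # (A static PIE also lacks PT_INTERP and is reported as shared-object.)
        return "pie" if has_interp else "shared-object"
    return "other"


def classify_path(path: str) -> str:
    """Classify an on-disk binary, e.g. /proc/<pid>/exe of a running process."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read())


def build_sample(elf_class: int, e_type: int, with_interp: bool) -> bytes:
    """Construct a headers-only little-endian ELF image for offline testing
    (constructed sample data, not a real binary; no code or data segments)."""
    if elf_class == ELFCLASS32:
        ehsize, phentsize = 52, 32
        hdr_fmt, ph_fmt = "<HHIIIIIHHHHHH", "<IIIIIIII"
    else:
        ehsize, phentsize = 64, 56
        hdr_fmt, ph_fmt = "<HHIQQQIHHHHHH", "<IIQQQQQQ"
    ptypes = [PT_LOAD] + ([PT_INTERP] if with_interp else [])
    ident = b"\x7fELF" + bytes([elf_class, ELFDATA2LSB, 1]) + bytes(9)
    # e_type, e_machine (3 = EM_386), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = struct.pack(hdr_fmt, e_type, 3, 1, 0, ehsize, 0, 0,
                         ehsize, phentsize, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack(ph_fmt, t, *([0] * 7)) for t in ptypes)
    return ident + header + phdrs


if __name__ == "__main__":
    for label, img in [
        ("32-bit ET_DYN + PT_INTERP", build_sample(ELFCLASS32, ET_DYN, True)),
        ("32-bit ET_EXEC + PT_INTERP", build_sample(ELFCLASS32, ET_EXEC, True)),
        ("64-bit ET_DYN, no PT_INTERP", build_sample(ELFCLASS64, ET_DYN, False)),
    ]:
        print("%-28s -> %s" % (label, classify_elf(img)))
```

Run over /proc/*/exe (or the binaries named in the maps files) this gives the list of PIEs that are actually running, which is the first of the two questions asked above; comparing that list between the machine that shows the bad page state and the ones that do not answers the second.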

--
gentoo-hardened@g.o mailing list