1 |
Hi! |
2 |
|
3 |
On Thu, Nov 29, 2007 at 11:26:00PM +0200, pageexec@××××××××.hu wrote: |
4 |
> 1. your exact kernel version + .config |
5 |
|
6 |
2.6.20-hardened-r10, .config attached |
7 |
|
8 |
> 2. all PaX logs (if grsec removed address info, disable randomization |
9 |
> and reproduce them that way) |
10 |
|
11 |
If you will not be able to reproduce this issue, notify me which options |
12 |
in kernel config I should disable and I'll try it. Current logs are: |
13 |
|
14 |
2007-11-29_20:07:17.96257 kern.alert: grsec: signal 11 sent to /opt/firefox/firefox-bin[firefox-bin:17670] uid/euid:1000/1000 gid/egid:100/100, parent /usr/libexec/mozilla-launcher[mozilla-launche:17661] uid/euid:1000/1000 gid/egid:100/100 |
15 |
2007-11-29_20:07:17.96634 kern.alert: grsec: signal 11 sent to /opt/firefox/firefox-bin[firefox-bin:17670] uid/euid:1000/1000 gid/egid:100/100, parent /usr/libexec/mozilla-launcher[mozilla-launche:17661] uid/euid:1000/1000 gid/egid:100/100 |
16 |
2007-11-29_20:07:17.96636 kern.err: PAX: execution attempt in: <anonymous mapping>, 49fcb000-49fcc000 49fcb000 |
17 |
2007-11-29_20:07:17.96642 kern.err: PAX: terminating task: /opt/firefox/firefox-bin(firefox-bin):17670, uid/euid: 1000/1000, PC: 49fcb000, SP: 5c96a618 |
18 |
2007-11-29_20:07:17.96655 kern.err: PAX: bytes at PC: 81 fc f4 98 90 5c 0f 82 7d 00 00 00 55 8b ec 81 ec 10 00 00 |
19 |
2007-11-29_20:07:17.96668 kern.err: PAX: bytes at SP-4: 5c96a634 4e0f852d 4cd90330 00000000 5c96a660 4e23912c 00000000 5c96a660 5c96a6b4 4e0f4137 4cd90330 00000000 5c96a660 5c96a660 4cd960d0 00000000 5c96a6b4 4e0f408d 4cbf4c80 4ccc48d0 4ccc62ba |
20 |
2007-11-29_20:07:17.96682 kern.alert: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /opt/firefox/firefox-bin[firefox-bin:17670] uid/euid:1000/1000 gid/egid:100/100, parent /usr/libexec/mozilla-launcher[mozilla-launche:17661] uid/euid:1000/1000 gid/egid:100/100 |
21 |
|
22 |
2007-11-29_20:11:39.29821 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:18269] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:18249] uid/euid:1000/1000 gid/egid:100/100 |
23 |
2007-11-29_20:11:39.29836 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:18269] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:18249] uid/euid:1000/1000 gid/egid:100/100 |
24 |
2007-11-29_20:11:39.29850 kern.err: PAX: execution attempt in: <anonymous mapping>, 4d98f000-4d990000 4d98f000 |
25 |
2007-11-29_20:11:39.29851 kern.err: PAX: terminating task: /opt/opera/lib/opera/plugins/operapluginwrapper(operapluginwrap):18269, uid/euid: 1000/1000, PC: 4d98f000, SP: 5e3a51bc |
26 |
2007-11-29_20:11:39.29853 kern.err: PAX: bytes at PC: 81 fc 98 44 34 5e 0f 82 7d 00 00 00 55 8b ec 81 ec 10 00 00 |
27 |
2007-11-29_20:11:39.29854 kern.err: PAX: bytes at SP-4: 5e3a51d8 521ec52d 50580330 00000000 5e3a5200 5232d12c 00000000 5e3a5200 5e3a5258 521e8137 50580330 00000000 5e3a5200 5e3a5200 505860d0 00000000 5e3a5258 521e808d 504b48d0 505860d0 504b62ba |
28 |
2007-11-29_20:11:39.29855 kern.alert: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:18269] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:18249] uid/euid:1000/1000 gid/egid:100/100 |
29 |
|
30 |
> 3. reliable way to reproduce the PaX kills (if that's what you saw), |
31 |
> preferably some public URL but you can send me a small webpage+swf |
32 |
> if that's easier |
33 |
|
34 |
http://betspider.net/aa2demo.html |
35 |
|
36 |
> > chpax -s /opt/firefox/firefox-bin |
37 |
> |
38 |
> as a sidenote, any reason you're still using chpax? |
39 |
|
40 |
Because: |
41 |
|
42 |
home ~ # paxctl -v /opt/firefox/firefox-bin |
43 |
PaX control v0.5 |
44 |
Copyright 2004,2005,2006,2007 PaX Team <pageexec@××××××××.hu> |
45 |
|
46 |
file /opt/firefox/firefox-bin does not have a PT_PAX_FLAGS program header, try conversion |
47 |
|
48 |
home ~ # paxctl -v /opt/opera/lib/opera/plugins/operapluginwrapper |
49 |
PaX control v0.5 |
50 |
Copyright 2004,2005,2006,2007 PaX Team <pageexec@××××××××.hu> |
51 |
|
52 |
file /opt/opera/lib/opera/plugins/operapluginwrapper does not have a PT_PAX_FLAGS program header, try conversion |
53 |
|
54 |
> > chpax -s /opt/opera/lib/opera/plugins/operapluginwrapper |
55 |
> |
56 |
> is that wrapper a standalone executable? because if it isn't, then |
57 |
> chpax/paxctl/whatever doesn't change anything. |
58 |
|
59 |
home ~ # file /opt/opera/lib/opera/plugins/operapluginwrapper |
60 |
/opt/opera/lib/opera/plugins/operapluginwrapper: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.1, dynamically linked (uses shared libs), stripped |
61 |
|
62 |
|
63 |
P.S. Not sure is it related to this issue, but it's usual for me to see |
64 |
this in kernel log while using opera (opera continue working like nothing |
65 |
is happens, but probably these messages mean some flash banners don't |
66 |
working or so): |
67 |
|
68 |
2007-11-29_23:13:48.19613 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:15406] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:21520] uid/euid:1000/1000 gid/egid:100/100 |
69 |
2007-11-29_23:13:48.19634 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:15406] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:21520] uid/euid:1000/1000 gid/egid:100/100 |
70 |
2007-11-29_23:13:48.19731 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:15406] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:21520] uid/euid:1000/1000 gid/egid:100/100 |
71 |
2007-11-29_23:13:48.50291 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:15406] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:21520] uid/euid:1000/1000 gid/egid:100/100 |
72 |
2007-11-29_23:13:48.50406 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:15406] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:21520] uid/euid:1000/1000 gid/egid:100/100 |
73 |
2007-11-29_23:13:48.50416 kern.alert: grsec: more alerts, logging disabled for 10 seconds |
74 |
|
75 |
|
76 |
P.P.S. If I remember correctly, initial flags for both opera&ff binaries |
77 |
was "PeMRxS". Now I've tried to enable S again, but looks like chpax |
78 |
disable P when enable S and vice versa. So I unable to restore initial |
79 |
"PeMRxS" flags. If this expected behaviour? |
80 |
|
81 |
-- |
82 |
WBR, Alex. |