Gentoo Archives: gentoo-hardened

From: Alex Efros <powerman@××××××××××××××××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] flash player plugin
Date: Thu, 29 Nov 2007 23:23:31
Message-Id: 20071129232125.GD4925@home.power
In Reply to: Re: [gentoo-hardened] flash player plugin by pageexec@freemail.hu
Hi!

On Thu, Nov 29, 2007 at 11:26:00PM +0200, pageexec@××××××××.hu wrote:
> 1. your exact kernel version + .config

2.6.20-hardened-r10, .config attached

> 2. all PaX logs (if grsec removed address info, disable randomization
> and reproduce them that way)

If you are not able to reproduce this issue, notify me which options
in the kernel config I should disable and I'll try it. Current logs are:

2007-11-29_20:07:17.96257 kern.alert: grsec: signal 11 sent to /opt/firefox/firefox-bin[firefox-bin:17670] uid/euid:1000/1000 gid/egid:100/100, parent /usr/libexec/mozilla-launcher[mozilla-launche:17661] uid/euid:1000/1000 gid/egid:100/100
2007-11-29_20:07:17.96634 kern.alert: grsec: signal 11 sent to /opt/firefox/firefox-bin[firefox-bin:17670] uid/euid:1000/1000 gid/egid:100/100, parent /usr/libexec/mozilla-launcher[mozilla-launche:17661] uid/euid:1000/1000 gid/egid:100/100
2007-11-29_20:07:17.96636 kern.err: PAX: execution attempt in: <anonymous mapping>, 49fcb000-49fcc000 49fcb000
2007-11-29_20:07:17.96642 kern.err: PAX: terminating task: /opt/firefox/firefox-bin(firefox-bin):17670, uid/euid: 1000/1000, PC: 49fcb000, SP: 5c96a618
2007-11-29_20:07:17.96655 kern.err: PAX: bytes at PC: 81 fc f4 98 90 5c 0f 82 7d 00 00 00 55 8b ec 81 ec 10 00 00
2007-11-29_20:07:17.96668 kern.err: PAX: bytes at SP-4: 5c96a634 4e0f852d 4cd90330 00000000 5c96a660 4e23912c 00000000 5c96a660 5c96a6b4 4e0f4137 4cd90330 00000000 5c96a660 5c96a660 4cd960d0 00000000 5c96a6b4 4e0f408d 4cbf4c80 4ccc48d0 4ccc62ba
2007-11-29_20:07:17.96682 kern.alert: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /opt/firefox/firefox-bin[firefox-bin:17670] uid/euid:1000/1000 gid/egid:100/100, parent /usr/libexec/mozilla-launcher[mozilla-launche:17661] uid/euid:1000/1000 gid/egid:100/100

2007-11-29_20:11:39.29821 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:18269] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:18249] uid/euid:1000/1000 gid/egid:100/100
2007-11-29_20:11:39.29836 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:18269] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:18249] uid/euid:1000/1000 gid/egid:100/100
2007-11-29_20:11:39.29850 kern.err: PAX: execution attempt in: <anonymous mapping>, 4d98f000-4d990000 4d98f000
2007-11-29_20:11:39.29851 kern.err: PAX: terminating task: /opt/opera/lib/opera/plugins/operapluginwrapper(operapluginwrap):18269, uid/euid: 1000/1000, PC: 4d98f000, SP: 5e3a51bc
2007-11-29_20:11:39.29853 kern.err: PAX: bytes at PC: 81 fc 98 44 34 5e 0f 82 7d 00 00 00 55 8b ec 81 ec 10 00 00
2007-11-29_20:11:39.29854 kern.err: PAX: bytes at SP-4: 5e3a51d8 521ec52d 50580330 00000000 5e3a5200 5232d12c 00000000 5e3a5200 5e3a5258 521e8137 50580330 00000000 5e3a5200 5e3a5200 505860d0 00000000 5e3a5258 521e808d 504b48d0 505860d0 504b62ba
2007-11-29_20:11:39.29855 kern.alert: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:18269] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:18249] uid/euid:1000/1000 gid/egid:100/100

> 3. reliable way to reproduce the PaX kills (if that's what you saw),
> preferably some public URL but you can send me a small webpage+swf
> if that's easier

http://betspider.net/aa2demo.html

> > chpax -s /opt/firefox/firefox-bin
>
> as a sidenote, any reason you're still using chpax?

Because:

home ~ # paxctl -v /opt/firefox/firefox-bin
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@××××××××.hu>

file /opt/firefox/firefox-bin does not have a PT_PAX_FLAGS program header, try conversion

home ~ # paxctl -v /opt/opera/lib/opera/plugins/operapluginwrapper
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@××××××××.hu>

file /opt/opera/lib/opera/plugins/operapluginwrapper does not have a PT_PAX_FLAGS program header, try conversion

> > chpax -s /opt/opera/lib/opera/plugins/operapluginwrapper
>
> is that wrapper a standalone executable? because if it isn't, then
> chpax/paxctl/whatever doesn't change anything.

home ~ # file /opt/opera/lib/opera/plugins/operapluginwrapper
/opt/opera/lib/opera/plugins/operapluginwrapper: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.1, dynamically linked (uses shared libs), stripped


P.S. Not sure if it is related to this issue, but it's usual for me to see
this in the kernel log while using opera (opera continues working like
nothing happened, but probably these messages mean some flash banners
aren't working or so):

2007-11-29_23:13:48.19613 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:15406] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:21520] uid/euid:1000/1000 gid/egid:100/100
2007-11-29_23:13:48.19634 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:15406] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:21520] uid/euid:1000/1000 gid/egid:100/100
2007-11-29_23:13:48.19731 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:15406] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:21520] uid/euid:1000/1000 gid/egid:100/100
2007-11-29_23:13:48.50291 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:15406] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:21520] uid/euid:1000/1000 gid/egid:100/100
2007-11-29_23:13:48.50406 kern.alert: grsec: signal 11 sent to /opt/opera/lib/opera/plugins/operapluginwrapper[operapluginwrap:15406] uid/euid:1000/1000 gid/egid:100/100, parent /opt/opera/lib/opera/9.24-20071015.6/opera[opera:21520] uid/euid:1000/1000 gid/egid:100/100
2007-11-29_23:13:48.50416 kern.alert: grsec: more alerts, logging disabled for 10 seconds


P.P.S. If I remember correctly, the initial flags for both opera & ff
binaries were "PeMRxS". Now I've tried to enable S again, but it looks like
chpax disables P when enabling S and vice versa. So I am unable to restore
the initial "PeMRxS" flags. Is this expected behaviour?

--
WBR, Alex.

Attachments

File name MIME type
.config text/plain

Replies

Subject Author
Re: [gentoo-hardened] flash player plugin pageexec@××××××××.hu
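
The PaX kill records quoted in the message above can be correlated per task when triaging such reports. The following is an added example, not part of the original mail or of PaX/grsecurity; the function names are hypothetical and the sample log is constructed from the PAX lines of the two kills shown above.

```python
import re

# Constructed sample: only the PAX lines of the two kills quoted in the
# message ("bytes at SP-4" and grsec lines left out).
SAMPLE_LOG = """\
2007-11-29_20:07:17.96636 kern.err: PAX: execution attempt in: <anonymous mapping>, 49fcb000-49fcc000 49fcb000
2007-11-29_20:07:17.96642 kern.err: PAX: terminating task: /opt/firefox/firefox-bin(firefox-bin):17670, uid/euid: 1000/1000, PC: 49fcb000, SP: 5c96a618
2007-11-29_20:07:17.96655 kern.err: PAX: bytes at PC: 81 fc f4 98 90 5c 0f 82 7d 00 00 00 55 8b ec 81 ec 10 00 00
2007-11-29_20:11:39.29850 kern.err: PAX: execution attempt in: <anonymous mapping>, 4d98f000-4d990000 4d98f000
2007-11-29_20:11:39.29851 kern.err: PAX: terminating task: /opt/opera/lib/opera/plugins/operapluginwrapper(operapluginwrap):18269, uid/euid: 1000/1000, PC: 4d98f000, SP: 5e3a51bc
2007-11-29_20:11:39.29853 kern.err: PAX: bytes at PC: 81 fc 98 44 34 5e 0f 82 7d 00 00 00 55 8b ec 81 ec 10 00 00
"""

ATTEMPT = re.compile(r"PAX: execution attempt in: (?P<mapping>.+?), "
                     r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) ")
TERM = re.compile(r"PAX: terminating task: (?P<path>\S+)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
                  r"uid/euid: \d+/\d+, PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)")
PC_BYTES = re.compile(r"PAX: bytes at PC: (?P<bytes>(?:[0-9a-f]{2} ?)+)")

def parse_pax_kills(log_text):
    """Group the PAX lines of each kill into one record, in log order."""
    kills, current = [], None
    for line in log_text.splitlines():
        if m := ATTEMPT.search(line):            # first line of a new kill
            current = {"mapping": m["mapping"],
                       "start": int(m["start"], 16), "end": int(m["end"], 16)}
            kills.append(current)
        elif current is None:
            continue                             # PAX detail without a preceding attempt line
        elif m := TERM.search(line):
            current.update(path=m["path"], pid=int(m["pid"]),
                           pc=int(m["pc"], 16), sp=int(m["sp"], 16))
            # Sanity check: the faulting PC must lie inside the reported mapping.
            current["pc_in_mapping"] = current["start"] <= current["pc"] < current["end"]
        elif m := PC_BYTES.search(line):
            current["pc_bytes"] = bytes.fromhex(m["bytes"])
    return kills

def differing_offsets(a, b):
    """Byte offsets at which two 'bytes at PC' dumps differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    kills = parse_pax_kills(SAMPLE_LOG)
    for k in kills:
        print(f"{k['path']} pid={k['pid']} {k['mapping']} "
              f"{k['start']:08x}-{k['end']:08x} pc={k['pc']:08x} in_mapping={k['pc_in_mapping']}")
    print("PC bytes differ at offsets:",
          differing_offsets(kills[0]["pc_bytes"], kills[1]["pc_bytes"]))
```

On the sample, both kills are in a one-page anonymous mapping with the PC at its start, and the two 20-byte dumps differ only at offsets 2 to 5.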