wpa_supplicant general protection fault


wpa_supplicant general protection fault

Postby lesnoland » Thu Nov 12, 2009 6:56 pm

description: i have encountered an error with both kernels below using various versions of wpasupplicant. the crash occurs after i plug in my usb wireless adapter controlled by the rt3070sta module and wpasupplicant is trying to configure the network card. i mention that without this package i can configure the interface just fine using WEP, i load, unload the driver, also that i have used grsec low with 2.6.31.5 without pax and everything worked out ok.

i believe that PaX may be (not 100% sure) the one causing wpasupplicant to crash since i ruled out kernel bugs and software bugs, and also grsec.

i have used paxctl to generate a PT_PAX_FLAGS for /sbin/wpa_supplicant and also removed all PaX restrictions.
also after the crash the system becomes very unstable, i can not use sudo, ifconfig, iwconfig and several commands anymore, eventually the system will freeze and i need to power it off manually.
from examining the process list after the wpa_supplicant crash, i could see an "sh -c ifconfig" command that was never ended.

my only solutions now are to use wep or disable pax.

kernel: 2.6.31.6-grsec (latest), grsec low, pax enabled
kernel: 2.6.27.10-grsec (stable), grsec low, pax enabled
PaX config is as follows:
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y

software: wpa_supplicant v0.6.9, wpa_supplicant v0.5.11

dmesg output:
[ 132.115070] general protection fault: 0000 [#1] SMP
[ 132.115081] last sysfs file: /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
[ 132.115086] Modules linked in: binfmt_misc vmnet vmblock vmci vmmon tun snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device iptable_filter snd ip_tables nvidia(P) ppdev soundcore lp parport_pc snd_page_alloc agpgart psmouse i2c_nforce2 x_tables k8temp parport rt3070sta serio_raw aes_i586 aes_generic cbc dm_crypt floppy forcedeth
[ 132.115139]
[ 132.115146] Pid: 3046, comm: wpa_supplicant Tainted: P (2.6.31.6-grsec #1) N61PC-M2S
[ 132.115153] EIP: 0060:[<f91323a0>] EFLAGS: 00210297 CPU: 0
[ 132.115194] EIP is at rt_ioctl_siwpmksa+0x30/0x300 [rt3070sta]
[ 132.115199] EAX: ffffffea EBX: f47a3ea4 ECX: bffff8c8 EDX: bffff8c8
[ 132.115204] ESI: 00008b36 EDI: f41bcc40 EBP: f47a3da8 ESP: f47a3d80
[ 132.115209] DS: 0068 ES: 0068 FS: 00d8 GS: 0033 SS: 0068
[ 132.115216] Process wpa_supplicant (pid: 3046, ti=f47a2000 task=f4294c20 task.ti=f47a2000)
[ 132.115220] Stack:
[ 132.115222] 00000000 f4294c20 c0557050 00000040 f9224000 f47a3da8 bffff8c8 f47a3ea4
[ 132.115233] <0> 00008b36 f41bcc40 f47a3e20 c0557119 f41bcc40 c0135df7 00070765 00000000
[ 132.115243] <0> 00000000 bffff8c8 f47a3ea4 00000000 00000000 f41bcc40 00000000 00007da8
[ 132.115255] Call Trace:
[ 132.115267] [<c0557050>] ? ioctl_standard_call+0x1d0/0x650
[ 132.115279] [<c0557119>] ? ioctl_standard_call+0x299/0x650
[ 132.115287] [<c0135df7>] ? try_to_wake_up+0xf7/0x350
[ 132.115297] [<c05d8248>] ? standard_ioctl+0x288/0x2a0
[ 132.115305] [<c0496e75>] ? __dev_get_by_name+0x85/0xb0
[ 132.115311] [<c0496e75>] ? __dev_get_by_name+0x85/0xb0
[ 132.115318] [<c0557646>] ? wext_handle_ioctl+0x176/0x270
[ 132.115352] [<f9132370>] ? rt_ioctl_siwpmksa+0x0/0x300 [rt3070sta]
[ 132.115359] [<c0497d6f>] ? dev_ioctl+0x7bf/0xae0
[ 132.115367] [<c01b27f3>] ? filemap_fault+0xb3/0x400
[ 132.115376] [<c015cdf3>] ? __hrtimer_start_range_ns+0x153/0x3a0
[ 132.115384] [<c01b0cb1>] ? unlock_page+0x41/0x50
[ 132.115390] [<c05d2d00>] ? socket_file_ops+0x0/0x68
[ 132.115398] [<c048713e>] ? sock_ioctl+0x7e/0x240
[ 132.115405] [<c04870c0>] ? sock_ioctl+0x0/0x240
[ 132.115411] [<c05d2d00>] ? socket_file_ops+0x0/0x68
[ 132.115418] [<c01f3ffc>] ? vfs_ioctl+0x1c/0x90
[ 132.115425] [<c01f42ba>] ? do_vfs_ioctl+0x6a/0x750
[ 132.115431] [<c01c9fa6>] ? handle_mm_fault+0x266/0xdd0
[ 132.115441] [<c0574e8f>] ? do_page_fault+0x1af/0x630
[ 132.115447] [<c01f49ff>] ? sys_ioctl+0x5f/0x80
[ 132.115457] [<c0103665>] ? syscall_call+0x7/0xb
[ 132.115461] Code: 53 83 ec 1c 8b 80 44 02 00 00 89 45 e8 8b 09 b8 ea ff ff ff 85 c9 89 4d f0 74 34 83 3d 00 a1 0e f9 02 0f 87 a5 02 00 00 8b 55 f0 <8b> 02 83 f8 02 0f 84 35 01 00 00 83 f8 03 74 20 83 f8 01 74 4b
[ 132.115518] EIP: [<f91323a0>] rt_ioctl_siwpmksa+0x30/0x300 [rt3070sta] SS:ESP 0068:f47a3d80
[ 132.115557] ---[ end trace 75d15ad1426f241e ]---
lesnoland
Posts: 7
Joined: Thu May 14, 2009 6:06 am

Re: wpa_supplicant general protection fault

Postby PaX Team » Thu Nov 12, 2009 8:26 pm

lesnoland wrote:description: i have encountered an error with both kernels below using various versions of wpasupplicant. the crash occurs after i plug in my usb wireless adapter controlled by the rt3070sta module and wpasupplicant is trying to configure the network card. i mention that without this package i can configure the interface just fine using WEP, i load, unload the driver, also that i have used grsec low with 2.6.31.5 without pax and everything worked out ok.

i believe that PaX may be (not 100% sure) the one causing wpasupplicant to crash since i ruled out kernel bugs and software bugs, and also grsec.
you can be 100% sure it is PaX, in particular UDEREF and what you're witnessing is catching a potential security bug before it could do any damage. please report the following info upstream: drivers/staging/rt2860/sta_ioctl.c:rt_ioctl_siwpmksa() dereferences wrqu->data.pointer directly, without going through the proper get_user wrapper like other wireless drivers do (possibly there're other places in the driver where this happens, i didn't verify). this is a dangerous and bad programming practice, it can result in all kinds of security problems, from leaking kernel memory to arbitrary code execution in kernel land. as a sidenote, from a casual look it seems the code may be based on some windows driver, that too may be affected by the same programming mistake as well.
PaX Team
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: wpa_supplicant general protection fault

Postby lesnoland » Fri Nov 13, 2009 5:54 am

thank you, it seems that was right.

i modified some lines in the driver and now i managed to avoid the crash:

// struct iw_mlme *pMlme = (struct iw_mlme *)wrqu->data.pointer;
struct iw_mlme *pMlme;
// struct iw_pmksa *pPmksa = (struct iw_pmksa *)wrqu->data.pointer;
struct iw_pmksa *pPmksa;

both functions should end up here:
return -EINVAL;

these seem to be the only two functions that cause the problem (quick fix as i am not that good with programming). i lost SIOCSIWPMKSA and SIOCSIWMLME capability on the driver but it seems my wireless still works fine for now even without these functions.

i will file a report and wait for a fix from the developers.
lesnoland
Posts: 7
Joined: Thu May 14, 2009 6:06 am
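The programming mistake the PaX Team describes (the ioctl handler casting wrqu->data.pointer and reading it as if it were kernel memory) and the quick fix in the post above (dropping the two handlers to return -EINVAL) are shown side by side below as a userspace C model. This is an added example, not code from the rt3070sta driver, the kernel, or this thread: struct pmksa_req is a reduced stand-in for struct iw_pmksa, model_access_ok and model_copy_from_user are constructed stand-ins for the kernel's access_ok/copy_from_user (a fixed buffer plays the role of user space), and the PMKSA_* command values are assumed to match those in linux/wireless.h. The corrected handler keeps the feature the quick fix loses: it copies the request through the checked wrapper, refuses pointers outside user space with -EFAULT, and only then validates the command.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Command values of struct iw_pmksa.cmd, assumed to match linux/wireless.h. */
#define PMKSA_ADD    1
#define PMKSA_REMOVE 2
#define PMKSA_FLUSH  3

/* Reduced stand-in for struct iw_pmksa (cmd, bssid, pmkid). */
struct pmksa_req {
    uint32_t cmd;
    uint8_t  bssid[6];
    uint8_t  pmkid[16];
};

/* Constructed model of the address-space split: only addresses inside
 * user_space count as user memory; every other address is "kernel". */
static uint8_t user_space[256];

/* Model of access_ok(): is [uptr, uptr+len) entirely inside user space? */
static int model_access_ok(const void *uptr, size_t len)
{
    uintptr_t lo = (uintptr_t)user_space;
    uintptr_t p  = (uintptr_t)uptr;
    return p >= lo && len <= sizeof(user_space) &&
           p - lo <= sizeof(user_space) - len;
}

/* Model of copy_from_user(): same contract, returns the bytes NOT copied. */
static size_t model_copy_from_user(void *dst, const void *uptr, size_t len)
{
    if (!model_access_ok(uptr, len))
        return len;
    memcpy(dst, uptr, len);
    return 0;
}

/* The pattern the reply objects to: cast data.pointer and read through it.
 * Under UDEREF that read faults (the oops in the first post); without it,
 * whatever address the caller supplied is read from kernel context.
 * In this model it is only ever called with a pointer that is valid here,
 * which is exactly why the bug stays hidden in normal use.
 * Returns the command read, to make the result checkable. */
static int siwpmksa_unchecked(const void *data_pointer)
{
    const struct pmksa_req *req = data_pointer;   /* no validation at all */
    return (int)req->cmd;
}

/* Corrected handler: bring the request into a kernel-side copy through
 * the checked wrapper, then validate its fields. Returns the command on
 * success, -EFAULT for a bad pointer, -EINVAL for a bad command. */
static int siwpmksa_checked(const void *data_pointer)
{
    struct pmksa_req req;

    if (model_copy_from_user(&req, data_pointer, sizeof(req)))
        return -EFAULT;
    if (req.cmd < PMKSA_ADD || req.cmd > PMKSA_FLUSH)
        return -EINVAL;
    return (int)req.cmd;
}

/* Helpers that build the pointer an ioctl would receive: a request placed
 * in the modelled user region, or one living in a kernel-side object. */
static struct pmksa_req kernel_side_req;

static const void *user_request(uint32_t cmd)
{
    struct pmksa_req req = { .cmd = cmd };
    memcpy(user_space, &req, sizeof(req));
    return user_space;
}

static const void *kernel_request(uint32_t cmd)
{
    kernel_side_req.cmd = cmd;
    return &kernel_side_req;
}

int main(void)
{
    printf("unchecked, user ptr : %d\n", siwpmksa_unchecked(user_request(PMKSA_ADD)));
    printf("checked,   user ptr : %d\n", siwpmksa_checked(user_request(PMKSA_ADD)));
    printf("checked, kernel ptr : %d (-EFAULT)\n", siwpmksa_checked(kernel_request(PMKSA_ADD)));
    printf("checked, bad cmd    : %d (-EINVAL)\n", siwpmksa_checked(user_request(9)));
    return 0;
}
```

The useful contrast is the kernel-side pointer: the unchecked handler would read it without complaint, while the checked one rejects it before any field is touched. In a real driver the same shape applies, with the kernel's copy_from_user replacing the model and the bssid/pmkid fields consumed only from the local copy.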

