grsecurity forums

[Grach]

There is a bug in 2.6.32.6-grsec-201001251756 that causes panic at boot:

Code: Select all

VFS: mounted filesystem with journal data mode
Freeing unused kernel memory: 428k freed
Kernel panic - not syncing. No init found. Try passing init= option to kernel.
Pid: 1, comm: swapper Not tainted 2.6.32.6-grsec-201001251756 #12
Call trace:
 [<005816d8>] ? printk+0x18/0x1a
 [<00581613>] panic+0x43/0xf0
 [<00002289>] per_cpu__core_domains+0x9/0x58
 [<00a0539f>] 0xa0539f
 [<00a05215>] ? 0xa05215
 [<000285f7>] kernel_thread_helper+0x7/0x10


To trigger the bug it's enough to enable CONFIG_PAX_MEMORY_UDEREF. My config is:

Code: Select all

# cat /boot/config-2.6.32.6-grsec-201001251756 | gzip -9c | base64
H4sIAGghX0sCA4w8XXPbtrLv/RUa987cex5aW7KtOJ3xAwiCEiqCoAFQlvKCcRwl0RzHyrHlnuTf
3wVISgAJUOlMk3B38bVY7BcW+v2330fobb/79rDfPj48Pf0cfdk8b14e9ptPo28P/96MHnfPn7df
/hp92j3/7360+bTdQ4t8+/z2Y/Tvzcvz5mn0z+bldbt7/ms0+XP65yX8AQTqbTP6++F5NJmOxjd/
Xbz/a3w1mlyML377HZCYFxmd6elVQtVo+zp63u1Hr5v9bw18dTPVl5Pbn0dKA5lehUmBrvnglSor
pTMuGFK3Z5unz5eTP7aXN9OzlgIJPNcpyerP27OHl8ev5z9upuf1Il/PDbX+tPlcfx/azUhBBMVa
UUaO47VQzLjUVZki5SBxzvFC8kpgou+RwvOUzwJNDRVZkkLJQaROBEcpRlIdyQw2JaWWVVly4SCk
QnihBIKRe7g5WhKdw0wLvFY80Jix6vjxgRdEpwz150YliiA4Q2UfnFSB1c/vCZ3NncHt/jC0rqdZ
Yp2l2JUDcS8JOzSXJS0MEwJyUROu8HyG0lSjfMYFVXPWGWmOpMZlpWmam02iKrAHKKeJAH6B2ORo
7U7GFQq9lGsJtHlgLt5QAnpZBaYBQomqXNmphGaJ8Bz2jcJ2SPqBdPZTElWVuiTCDoEEcfalICQ9
oAhL4CujQiqN51WxiNCVaEY6ZIdl2xGBiCG50Dyz9LDl0YXThIgCKcoLXXIpadJboKxkSYrURR9G
ayXwchIboORlZQRa6oKnRNfSd2iPqpQqSxhr35wAqXkJOwnMTTWIFS1oMevNs6FMCYizZRLsOMcB
wUYipeJOxjEwWa1TruHfgTMk7nQpeBLQNYZRMDO/XSXJ8VCwUs9JDjvpjF5rVIPzYe7ZM9+gNFjJ
jZgd4Qsr30a4kThCD0oUhBKU0tn50/bj+bfdp7enzev5/1QFgjYg6wRJcv5nR5vCX1KJCitu52hN
wswanSezO2/fAdKQkhUsBMYvFMp9zacXIFbEAcKOKU2KJeyVmRSD03w5cVqgfAk8ATG8PfvDWKKL
8eR6/O76aBxcGpAbxTunrB5Qzz7QMoxJADMJo/IPrq70ezrIqtuNK61dAtNZQJrlvat4QR8taYl7
APM3Vg7f4NTRlWZ3FalIGHpscphJIlMjoZhIqRHGKjhdBRoCbJGSQaw9mS7GyoHA1Ui+fXz9+brf
fDvKgRIE5AlX7hwsrIQ/WKkMLjgKwLU1hSEjAbgMFeA2GEnxmtRgED8UW1szoWjndNE4GT+7EMs4
V5iBnVWm5Zxm6nb8zhOfCk4KApUI528Oisl6BI5SEBz0vkUdgRmiIowRqgM/rAYUiKihgZXgYGc1
VHYBtW7sQYs+YQYc/EBEoIMlxa4jVcLsrHt0mK5hoC5p2uDicwa8kU6HBaRxyTCvCuXpyKYJA78B
qDQIvBhEds4bY5rfF3Y9h3nCucmMtQAhxWChUr0Mn2vjFKwDqzBaVJYgX97qK7BARfhMmfMdQdkt
juAMKyOogqgYKskXZrOs4hVpkATjg1U1brn1XUKaq6OS4PAV0C2Yc2/h1ntJgzJa0XQ89XQddKgb
n8xRvPAl18zrtYXpjvfWJyArOOxg9qUMzGDOVZm7kl8KWijnsHrHguTgOHHhKlwsy4XQJbgyJoBx
2oEJ1VnlLiOrFHGcSAIm28FKOitQnjln1Vhw4QJsUOEC5BxE29kA2jV+YIYzfQhUrKpe1NFfuXn5
vHv59vD8uBmRfzbP+9cRev40wru35z0Ehkcd7nfhAp3DeOB642MZtHFvlsy6WgHGL1ndaeBIl5jq
u4qKhQOTeZX0lBRnJVIQY3mOrsxREhJW6MAn40n4VAmeUfClZiFpMTzlNUXXmydZRjE1KwI3KofN
BMUBWgxMbYeQggCBu2sG6kZ4C+s+dhssBFFBhHVvrSWbc77oIMH71kgpIUPwkh6YWftxmC//+Pjw
uvnUZge+v+w+b5+2z1/c0B+Ydq/vuVjEeNO6s2YQzOdEAD88S8bMGXAXYs+JNGJye3EciPG0ykno
wCa+Lc2TFGWei9Oot0TOTqg/RWYQXa57vgzlI/n4dWN8YvccUF4b84Jzx360UCT7sJSg1HfKWwzO
7vxDU0eRKKyxW3TbX4ArLUmkYzPngVbNtG7PHj//5+yoCGsXreCKZtQ7oEcfwDKsfNk9bl5fdy+j
/c/vm9EDqJHPm4f928vGYZ+i4PxDVCjnVuqPlorr+YeQONHZ3BptqwVPpVkqmrtqkXkOOthiAUIG
sVeQvSaCYqWlieITOoNOo2gwMRDgmUi8sQOR9NghFAW1zcXaOH155ZqTWjw4REHAZBOMldwIquee
wEzRkhqvsCIy5EVB5xBXe1xmlzfT4OzZVQxxPYBQEkdxjK3CuGmsQwiOFa0YpSfQw3g2iL0KYxeR
KS3ehfi6uPF4ikUleVhmmLUGhBdh7D0t8By8vukg+jLsnbEZARdrthoPYHUe2QS8FnQVZeWSInyp
J3HkuwiTY/JgnKVId0jx8JYdDnhZRQ9cQxM5ZtDST5Dk4yYVl6zhZNxOr1ykPWA2CRWnwaw0WclI
r3UMOHVxK5SmPvV9aS2n1K6lrsdf5mWn68SPUgyo5CVKe42tp2ESLdp1pNtl5TZ+wLxc+zjjmpXg
UmiYPV7IinXySRL7gGb506sumC99CIOoglXMZhczxGi+vr128dbpAB+fSeGFikYz1jPug63I1jcL
HQxiaYDcZJ2qQPfgKBWSEYWCfVUMB24v0mDMUEJ0Zc2S41oZGGE2pQl+jsO/lFG3V8oZq5pUXzgY
tATgoYUiS5vnlbdO2qO2GJKFDEGNY9gPwluzHnQkWvSS5+CWI7EOtI2cOpuIMxPvCA/lLdBjrSAQ
m6s6wEwEX5BCJ5wrY6ZlZASGSbcXANVyE2/SiInXDBW1q86CSaC2oZoL46/kaXjUvwlWwcjG3m4d
c04c9EOCwpt9s4jqOEEMPzK6qsqwX8goFhyD4oq7NVLEVSTtLcucBXtCwzkFbnwycC6C2AZ3NYv4
coCbXrlxtrmr4Fkmibq9+IEv6v86LToaEHWvIMr5WmrQtEKr+lqyg8/gOJrkDylQ4P7CunxxNMlh
f1tPDQISVzcNIttRGSoq5OVfUyrhX4rOjuggM49T6xP5g/ijNncptp2bVD50Z/K67vk0uwANZ/Lg
wrqtcnBDS2XT9lbtHEziAN/bmx8zn9nt+BC2QZTvpgetA6s4eO7d+JT5Ad4RZtxrIzTecEZXthGK
kzCSzLvzsFEOM0E3GCg78dvp9fXlNHxP1HPOHbfOxUTPQaniR9JaXFgDlyaTJKrSXLFFDiloHyLM
xS9E3dMrL8sB7tO8sTfh9kwJhyHmS0tUUEW95K0Pbw5Cy7HbiwiZkSdzT2QNUks89o9q9yiCyyF1
OdMgBshPSUuCTSbHMcm4vgs3CRJirpu8e8wPenxxEWb9Bz25jqIu/VZedxeOvH24HTuKqDahc2HC
V//SZ0XCPi8WSM51WrFQxG0ODjVmEhYojOIbN3rPTSqDHbW3B0Ptrd8Xat8kNKPeM2Y2h2BsbfTW
uxGDRtqPKdI62t/9d/My+vbw/PBl823zvLfxPsLgr+y+77e7Zzd1yDzvgQ0Yl+YyOXKkDnfRIZYw
LcBV8Uo8zHS862T4ttcPWeRS64gHP/s+4pnVVAYNrFEkZFotSX1/YAmDk6gTn/EhEI7jEqRg5HVs
6KRSihc+I8ytWG8eabgA4zBHIiUPz95iNJrN4PxDDBflgpoTwXzzZ+G4khD5gWedqugqcjj95oJa
rwkSt5OLi3F3+lFBqueJqclVxjxVEJnWfe/MDYwzgtMxsP8yCYuQzGgvk2jOYPay+c/b5vnx5+j1
8aHJpzqhRybInR+MGIhWqFNQccD0Vt4lMCY+0KMBQ2NYXi4D6NZIzvjSZu9NMVaBY1NwaI2US7DR
YWUTamJCUns99utNOHgmMJ/011uYYgWwnaA0lmSIW/31BinaVUbwhyVF8O38I2h3sq2aBQIjOiYP
3yRXP71s/6kz0n4oYwUXqKG3qNdhF1CAGxFJePk072Ln5kBx0w0dZiurwsETjvYPCp6kUpE6RBe0
4L9ASv0KoAiVZDS+rKs6VTw0tYZ9ugA5wJGEVR3iFjMwNoP4OchgPFF8FCXRUxevXx9eNp8cMxpZ
bU6TiEj7ZWiHGjkjYzl4vceUffL22o4z+j/QlqPN/vHPfzmWG3v20+jTGTdOa/jKzKIZqz8HSFIq
SKQyoybgeRlK6tVIVKz9S0IzIR9SD+DD2nl1KDkDTe/fXTIkwoMTExjUoYo7YYIilsLi4DScLF5j
knYmK3uMz8HO4nWUaTGDYG2gspeerR+lmvozrz3ly1AdTF0oajI3XvZKokiiNwyX+Mck4q1Htnpx
o4vEnyNGkTqF1tc1Atw9TOTH5vFt//DxaTP6vDV/mMvu/evofES+vT09dDzVhBYZU+Z+37N4HMIc
48kfTIspAJgTBCdJxq5AkSlMci8k664NOHwhWeMZlTjaJThM/Rrdgqj2OBeb/X93L/8G7yLghIMv
RdwjYb9tNOyUIhbUqUxYZW4lg/myFs7T+QYoq0SbusOIdFoaRmemDjdOYFMSEuKrYNbPUNDSjw9N
ccuCeJnJBhQa7VBnSLxtoaWG6BmGRVJFinI0SpfGKUi1zVSGdAMQZTQxtb7zTudlEYr/zDxpSTuL
oeXMzzMgUabBgpsCZJIvqHuBbham0bwDILLsQLpctEDLX1UVnZJMk98OAesdNTkmm0z3S9C7FMMd
JKSzHwadCx7ZOtDsaNadIi47YAOBf84OOxdAJW7+6wDFVRh+T6S65zzU0Rz+FQLLCHwNYU0AvgT1
LgNwW7rrpSUPqLwM9lPwABgiqHkATPMcHDAqQ9UCSfBi7VBi0HCq18zwY7B+wa50kKLl9iCRIAUf
mF+7xNuzx7eP28czJxEPGJZey4iLQsvlNFZMZ27uTKIKPIRF+FhnNO/c0x+AURN9pOjLayJoOiNe
z7VHuHvZGH0PRm2/eYFPU6P99mIN2lHpH3uGf8FOey8GOijdqSHuE+TuG5jCFH4VhSk7WvhQpf2q
TZdSG85FUIfisiPrbG8m/8d1inFQkzokHe3poiRWp1pXqUl0k8jkkInbUASZqTKCmV9OLiMoKnAE
A/y2iWG37NYjKEtVdld6QEoUvNHzaWhswqq3FjUkO6YgbbUOYVY2dyHDKK2QmIHqxjmSkmbrE1Qw
u47cBKhSicthink+jD89RpH5ZyBIEj1HDhHvnpsAkfFgiPtkLEQ0tAEHGuGlJIIkuGRSnqThpZIQ
ssf4zMxLOdjUSir3diFEA2GiVxMYpCmKugjjFFX9XuQU1cD2HomG9qWmMopomECeIPCcsgDeuJGn
l1TXDgyT5INoWoL3NiODNDkpZmo+THJyqgzhE/gTO2NddN/NDFC1FfxxijpKGSaZr2VKlsM0C6XW
5TDj7iqu0CDF8PluaAjK2QkKXB+kgMPRIapvHepy6ZiH020ZM5wBSu4HmCES5T2yjVDYKPAElfDe
9wVIBhVaQ+LdFQUIKrdAKCRvMutEe0vZLyMu//oFPy0zfqtA1vu8ijkMNSps9U9tLUwO6K1pCsev
gKVl12bX8Hq15rrcl3oPOw/DCS7CCOU+GakRBw/Xg7bWkPztpfQ8pGeVPUzVdVoLpLrf9vWs63R7
PTAkgW0CpSRCAJLhJVE60+7mIpsxZcFKU/VOcQ/lerMhTMhTNdiu62ZgXS/TwFSIMODg2hHLAG3P
q7ULomV/p4tZHmNb4ybQGOcCktM6In3REei+C0IiIs6ACEsaII5TPibmmggs0ySpO4wdsG6I4uK6
evR40Z+G+wN7F7n/VaF8snS3qZ5yNzGWRpK2yxwV+uZiMr6LxNu4CL7Sy3Mv/ofPSWT1q8hCUB4p
e5tcB+E5KsOPdQj8TcKK7x4W18/bHdPK82hLSggxbLm+imTw2jeVVs/fvW3eNtvnL+fNoxHvireh
1ji581N+BjhXSQCYSdyHlsJ92tVCrXcU6Fi4Oq0FyixAqchdHoAmWR84C/aayp4PZ+HwN2EBciH6
QDDpon4mVWc4nh5eX7eft4/9nAboDt+0G0BPmTZghWmRug/uWoSViqsIvA/O7vswz0NoAPYeuQ/t
88eOJZdlGDoNzCDngTnUj1t9OLE2NgSrS6qct/UOCrNgN9pGYUFM10Nq4aa8OohQZKX6S0C4A0Qm
K2N8ddKHzzzqGaoTOEmfkFHRk1UDBzenD/TdgnYKYLwDYEm7jLLQRdInN6ujReDAZDTjXvYUJz3X
sbnOGe03r/vOCzzTDUQhMxK+hJ4jBg4LDd+sYxRuREUaNhBJpEgJzO5KRKzUPTW/HyFlBMlQ2CaI
bEEjD3nNkt+XPSalm3+2j5tReqiKOP4gxfaxAY949zasqh+d1jG0KVOc356dv37cPp9/3e2/P719
OXMN4FKxMpNBq2ucppy7j/tKUfedUcHuTYFk51Vadg/uKkpd9+NASoveD2PUz5Zbituzs+4j21TQ
ZcS4NQRkKSJOi1xLPQefXiyp5OE+TIhhqy/DF74qdEFVgiflBesNQJe484LNQiV4gZEK6GNDe2JO
0cjK/ODIMNks8kipxaPVzc2799P4svR4cuOYjbIovY+G6wyEH82IdF5H7nePuyf3SrYomwpF/1Fq
D6CztMM3Gqn2Nw1weadjJ7lBYyrlEI0ZM0X4/fRikKSKvQJoCTC/t6m+YMVmS5R7L2kPTcW6VLzB
9TouknRwYLm6GZ55MjAhgVh/PgCs36jfjqchnP1hp6uL99P+YCsaSqHgVHBmlDhOl25FmAs2Py2S
mWevN86B9AjubRl1zL/WfGnKudV8kBnzyANDKnHzex7RKgfqRcXpoWytfNo8vG6AHDTz7vHNFAhb
N+58+2lj/v9z/2NvajFGXzdP38+3z593o93zyEi1LW9z31unRK8yU2vLO2OZBfplKYdH3YCUgA1l
OgA1S/1+ZqnpykvlHKDB91fOODjti4oFa+B8wiXRRAju/ziCQwcDkOH36SmxRdVBg22u183veFGO
VR4lsamhLJCZAm4/ft1+B8Do9e37993L/vzj25fP2x8br+rMMqP/0LI31dCj575GYOn06uLUksNV
Ew6BqUmSWXYQN0zd5by263Eqe5zO/aK2GmKKh5JKai7SiDFte/gVVpifTZlOxoM04oMp2j+9zM50
WywieDpZrQaHQDkdX68uh2lY+u7K76dLoShdBbWw3czhKShBs5wM02B5fT25OEly+Qsk16dJpsO6
sFSX02GSv+2Du2LY/uBxrODtcFyAq8PnQN2M301OkUzGl6dJhgcq5M27q/Ew68oUTy5A3jTP018j
LMj9MIuW94vhnyaSFOKEGTlBA3t6ggUyx+8vyIldVYJN3g/v2JKimwlenTh06v8Zu7bltnEk+iuq
fZqp2tmIpERRuzUP4E1CxFsI6JYXlmIrG9c4dsp2ajN/v2iQkgASDfrBmVH3AQgCINAAug+iwI+m
U2f0y74MXixidHLfLmNu49ZtSURo3DK4GEN7Vc9R+NXxeiqul0LGVxzxyxTK7ngfB2ATiCx4V+KW
8+O3+4fXv/45eTv9OP9zEsV/CEvl9+EYzDRrNlrXrdRcxIu6ZEaSi2uetWmAYjX4Q8XG6JTrc1fG
0hgpJ2V1yO22JtsWg2qW1Iik4FhLwTnFqj250hMysSZvCDsWkbmS+cvp6RWqWZuY26QQKdTvHTok
jcYQVP47AmKEgc85IzZMXY1lk5X7TKyQMxwRr3FdyWJJWUaxmCPdkAMbuGhbJe65DysIzVTrJ++b
X5fSgK5SN4KkhKz16VoKGc3cGWqjCzvGFLhpMCxVWR5LlkthQmqnS0IMcX0q2acQwRgyHUicoWQI
ms21KPbWWRYcojulsehS6TeV5mUu+3en4QhlTdwd9RPV50BIpU/fcVgjca577qM+dkIlV5QqIUPD
ClJ1REQ3IWwb6r1ACIHm0RiwdIN8TupSz2j4Jqq0UbfcNYXO2SNfqscwqCq3eBhhumW9YMnW8E+S
ZOJ4y9nkt/Th5bwXf78rM4/EHJ9/Tu5OT5Pzk/Sdf34Sfy+TL89v3yaXNF0k0uT17XT31+u/LimZ
WPO9fTvLld3k7fxLWOOw0PsODouw0AP/e7ES/NdtXkhpncB+obYhJiVN2X5OJnGfBu6qZGGlEXhc
FbaDHlkdRqVbIsQ1ES2A06HbgGPmQ6Ju/awtOFLT5kO8zXO1g5eSKViP9Y7gqM58APZpK4z9z0bn
dK7PVDtsO0BuTYf9RYnijB5hFVitj+ZgJLnzDxGgheoZklOqU1JX1TFPMA6EbbFCdpkicB4sKPoy
7dTfeBHCMCRKVprXcTH2pq1LfEbNZ7nrCotJp2EOBjEcg0TNZ4zjSkPVq3fBOFmPg+Cf2TisKOUZ
UxPxOhtH5yRroqxuKHwI4LjzziRyPxDmWqTDDILOhNAzr4PE4jVwHAfd4SIxqcT8KMPsYRgwG+4z
c9XIIMAYyzrBmjoVPbkwLxEKwlmSYx3W3fQjmDpVIAYn1aUQfvOyHAjEktIgFJ9/0vA91X0yL9rA
cZdqbYMc1nhNfZC8E+ZGrf0psokj1mNLpGKSikZYpbGcRcsZsgkghoAY3OLNfhLYkLhhQTBzUdXc
aXIj4b9Y5TX1WuNrvIqaPKelbr0v3annoGNFJZ3iENMvc9E548JGoQSdJwWy6RRn7gbtolNckyDe
Gmgqugox+S41VwELvABp1TURI8La/DEck0yMQyk1HRvUgeNrXVZ0OQdZubMNsn3ANkdz14Cm3gH3
Ro8SVPHLWZUFst9QHMyZRljTfcqIh+0niP7hoIoE1Zgf9DFPsD566W1ThCnd0AT7TKeSgN9w7gne
MuYy7y8+Rs4wQrO1MPcPcCb82zCE8ffJ27M8SACjskXd64e9WxZez8rJ/enHWy88XuiFrcAjhFk7
bDZkjw3zoK4gYGnLUH3Ns8BBGGdAL/4s3knmSSSOKUKCUiGnAVVmPGaqKm3rVvxsVxr9LR9F3/eO
A5lcvOkiuZzj6qoMpDEQSanuIiAMWaxHHcpiVJUOK5NeScvMRbzmmPllWbaO+m5vaYT1fNiuKTP0
wwBebsvAnmWSJ6QW/4OcGOzyA5gu5jGTxQXukDZcsj39+Pk23CS8hkFW214UpbxKKQXuHtQLowXB
i4ghYPDE7ev55RE4fR6ACPzr6U47lJNJ81Isidvz6l6mF01TMbI9GGM5NRiL6iQpmsOfztSd2THH
Pxd+0H/ex/LYewdNneyMpUx2vb0CpaoHbiVayk1yDEtSxzoVVCsTRmc1nweBKaj9CuGbUEv8ibsO
cth+TZRtNsip9xUiBseFN1/aQcIa58jxxRVTVkkBuzzMDmO83JM9sjdxQ22L0ZIfeA8y7ATKArKU
zKXMNYgakqn3WtzkWbmi4r9VZVKKsUysFGhkTklT4GDcmHTS+16yM2tL9as+EROfWIGYJxfl+QmQ
VyJWgvK0chutN5RbYBZnmhYgVttZIjOygMIony8XMwtix4ThQoitJJc6bagbWUYg8fFCxMcGbX3p
da3VbyuRk6swjCMSIzfY3FBUrAM3Y6iVmBLGMBtwAjftstwgeyImu+FwI+u8HcUstdEngJBj0vr0
cv+/08t5Qj+Uk8s5wJU3T3MKlj8bGkxnbl8o/u3csm7zqFREPHCjhYPY0BJSkRr7hjtABF+XaU6W
6oyG7ffaS1YT8ynhiuSSbWVIpvXt9HK6g1iadjZUamKnEl61c3tLUNCyIyrf9o5fAAotyl6R3eZw
riiApCPuXQmhugluMH+o9qPETiIUatXPZT7kMGHnl4fTo2L16rkG7nyqN3UnHL5jSg9NQursKH43
Gm2omqxS91w1herqpiqKutmSmivUoKq24+W7QvrVIkEX4tGhF+zz0x+AEBJZDfK0cWACdVnpt7Io
QlPbduqPzBRQAVQoy6Cp+JGpHKK7Cuh65FZ9Bv6a0J69/d2WqEemNDIrD5j8s6oxmKJXM7hvu1Q5
FYvnIsbMTtFfRaePkU3PYlcTs6b2lj5ySiWmDIrtorKyOCJLknyPMcJVUbDw/F/NqkK8NQsW4crW
1QPXi0HF4BarUHRr289VR4Nj9HErVi1T64AokEfirzJXiZjKI+RqS+hBOl2KG2k/GmkP0SItdXEb
26d1BJDCjYS65avpOwdnOCkcGrpiViaP/31+eXj79l01cUU6uHOzJdjVsgNxFaXo41o9MT7qOocB
6VjvtKmKJiwH+bfn1ze4s/bt5fnx8Wwku2ufQx3M2eeq9z27/mDR5/Fi7tvUsO2M6sXsa1EyxPIC
JTgFzVCtjZcO9NIZZjm36X3Ei6pTL/0Dqt5RYtNV9bCLybNzpA1ZZJjqoKO0twdOvoju0CWd/PZd
9IvHvyfn71/O9/fn+8mHDvWHmBzA6e/3fu4lvnppXzXnSWRgCxOGxZOYZATmQ9sjT+2GEvYWnU84
3qCdz3gGV+WiKE5KJpajOQ6gxRFsy0GJVy+nH98e7m7lhJLHcTS5+3Z6gguckHLvyjIuS2+QX/n2
rcukfX2lFQavHhG7z2fL+iYs9GGx84fXu/Pj4+np/CweAK0eiVY0uT/FzPEDF7GqxKRZs4azzJ3P
8X7dOuRDhxiBwPA1Agm3bOw5a+R0kFXD/l5VzPTSVcUwzsC9WE9K/9KyELYLTIHCtNYuNm5F5u1G
k1daS2UMXISZfs2DIrcw7VYxsZAld0TFohndBRZNoECQlr5Awk/u4tfUnk1ODs6idzx1tYxylRVZ
/hRDl7YT0wrNTdnao6c38TmYPopLfyRi5tyutvXW2muvKM8OixczZzYOCUYguTNFHJJ1zPwdGP8d
mOU4xhstz9LFjhmvGL6Y+e44ZvGOfBbeOzBz4xK3RWwCnvTuHLuklY4V9uz5obJXCAyFI21I50BV
FVox6cIJpvN0FBO46WoENPcWc2bHCGsnj62QlRgYiB2RzZ2A5WMYdzqCgSkAWsjShJQHC1MDZrlv
7x1ZvpiPARZjgGAEEEzHAGOFDMYKGYwVcjlWhqU7BhgpJI9mrjMfx8zG3mU5d2f27wUmC99ZjmF8
f25/63Y9O46ZuYsRTBrMl/Yy26z861CRJ87Csz8LfC5mi9x5F2ikUVtY6C0XI0MoE1O8vZfzdR6N
1DbPq9nUGYWMjJVizeIHvn3k2XEHO9K+QQJ3ZCbbB94icOJRzPI9GPcdGG8Mki2COWfvQPnFagzl
u4t1+g5QMoJax6SyF0keXbA8evc68za3bqaOMzJwUeZlu6lrOoW6XWKhC64WpXKgz6N1XJpckBm4
EpSM0ZbNtd3afX6CxRt7eHy4e36ahKe7v37Aqkh7CcOyL//5+Pbw9efTHbhIXM6FDRWQpzG+8AEl
y+fIl7TmsHplNDJ3Jr7PZlNvas+d51gwNhBZx2Q59Q5o4n0ezBCbqVN7jjW1N5+iR08AEYPtfOp7
5vcjoScsNvz16mQFty5hcfFJTMmF3x1ftA+2sclKMx/FT9irMq0FQcPpAJzHGBhi9frwwZV5mrYQ
SyNkzwfUYh7CdfKOS1S9s2RrujL1chizImIRrFB9xCpBufjRbHI2IEYEOed6oACI4tTce0BZO67p
AF+qSJzo3zxI8xVBM8MqCnRYTch0ZIeFv4makGR6Rv9FUb6m3HI4Tew8VJQToNBAOyE6q0pQETZx
HGm/5Y2Mu4Rdu7SmjcRfSrNM5znrFHDrqHgGGShkbF+Y6ZvMna6W8ZGHRLKnyJtYzV5SoWSwuDzb
hrkUw4a5lggDpWIwoKuiSQrxXRTWIpXIVAZ60XjYBo1Q5ySCUHc0eSgvRertJirJgVW9/QRYr2Y5
zeTr8d4RphyT0pfT9/Pky8+vX88vk2+XvXrDlAJNROt6ixawyl1MFR3DpHYxX0MBIHWEqhjNRK2j
jUNzxlGlqHLHN1cYdOteRRUzxOYTuvUK70NO7KDunJAtPp5Cn6c7VJclYsWOrA5llxEf+cH8etfh
qi/qTp60IrQKYw8z4PA9QWgufnTcwKJFa9FDNfh4CFqK9sgdXutFUoqvnqK9bnOsS0znYTMIPFLu
r6O9SCwafBd9UQ78LnhP75HP698emmlE6pwWaPXJ+8LxCqw5dkkp9L9E9L+izNH0eRigZAUwpNWl
WBmuE8RJ9tofmyyKUaMqfngVpvPflkjqmLIqI0c0h+j56fX5UQx6l5y6+La+kQZmiMlVZEXArYKV
KVB8gV8oFBwL9TI4Z9QkT1rCF1P2BnXTRn+CT0FOjLcBmhLVJZf+MMqTy5Z4X/nZBL+CgcTRQkGl
0P+FDZWgXfxyZri2AlcUeBAOETVaF3YI3DXezH75OIJtCyi7FeC4v1wXRzjTX8gOe1auTNdQsHJb
aOcKUgBR7IMlxQWg0sSJH/2rxUFURbkuWO/jpNJFNdnnYp7RhSz5tE2KSHdh6BRtfzSvjQUiF3ZY
DQVHEaJUVv314X2U+iK14XWhcJ3ier+sBoiPBYGVpOgDPY4dmbz9zmU4E0FcVAB3Cf+23Ayqw8Sy
aYPCsAhkmUVO9DAsmQC4bFbiIzW2I1RC/8XKKvPAow50aDkEaDYKYiHZJ32Eok/yrTPdOF0hFAWJ
losGLh2P+oXDw2HbvkL7CUjsBMESLSLJmIcdnbTq2dSqp/PZ3MH1kt1mRC2t6hwHbYPAmVrVrl3t
WdR7F9d95p6H7acKfciDxQHVRmTqTH1cndNePKLevw5HjH5SpmYzN3Bsav9gKRrO93NVz8kWo7iU
GH5I8dLHYuohlkZZ0cKmFmaENXmb/cye/Wwke1yflwWxDNi4LonWpbdC1eDeuipH1HQMEH8czeEw
msXBPiL1B5FOjOebFMzxFtMRPd5hE+YsvcCq9nF1mmMuYXLyi4llK65FsMqqxAenNU0p4pwh6ztK
nIXj2vWWrijLHRymowC8hJuyXjmupQzZwZ/5swSfmnOSMLEE8WxGDEG8tEBd5O7ct9g3hzVegTWt
OEbHKfV54rk27dK3a+d4arHmXUwdfO5kZUGjHQ0tVWdba0qTBUivLCN1px+ZIeUCsmT4yLE7uC7+
nsc8tU1FPce4XhVEiNsy2OOwckqM948L86a96fUaeBkPNz/X6r6p+NFeQ3ANSlVDyVTyYRZ2KZWw
TlEWatq778CtE3h7ZvTjfAeO8EI6jAmAjMgMIo70osujM10UJtmGFrosWid1fezLqPjVFx6rjqxd
EYr3X5VFTVmib49fpI2R6QhSJp/bmzwV0ebYK+/qWPfWrSDle1qsSU+4EaM5LVa8D4YYsK5u1AWc
lPUKp+nrbR5mSUViF38FyQoIi3/9kWKqFhZ//+Xg4uuVLqpIAaeKWVn3yH6vYvzZVcJJdiwOve5K
cmBP6QkHTSkwVdbv6isIUyKMalujVyFeErgHgH8sj12OCsHDTY6n5mXFkiTutfC63jJ+XTndTiAV
OZ4l0DL1C3ORmVPBFzf40mUQWd1eztWsVdZXTaPzFWmqpK9SSwRIbOEocykKMV5FiaRSuXEKGXxp
YdwxXB3ePgDSpXggewtob+XDQdqaG60/ViX6BgiIS75C882RmFQZUYeN8BdlE4UkHcYwi1RriCiI
bhEFg4hemdpfHKbTrl21zA/ANCXkyHsmnVpvcymt4cxsvQ0bzvuZSj2Hm4P28g4R9NXKw9Z1puuq
XwINRFnlOP5hFLPwp6MYz3ctb1ve3lYv5lrewr7qDsZEP2I42UIfnPd8BPpQOLDKkg6t1/MWKQ/L
AsexvmsdEN+fizneBtob2l4DrPekr7/2uy6AXN5iMpym28jVXH8dQ2iYLEacoyXgBmeYouTJvyey
HnhZw4nJ/fnH+en+FSi2JZ3kF2GV3Mg4J99Pf18CcU6Pr8+TL+fJ0/l8f77/j+TdUHNaA6mbRuem
v1OHGzRIK7acGGkowklKwlFcKqYjLCpNxVEWY2S8Kkz8P8JhpaJYHNfT5btg8/ko7OM2lwyEo0CS
kS1C2K/C4DIjNLRbBW5InY9n11l5QFMZ4e2RAXN273joZgN/P/0X2Fxu0br6qB9HgaVtpFHVi9y+
Zi0jQQ0n1C3nClu4ljYfRMlfc9WnUyT7JKeI13mnRXzk5Xcfb/n2YCnajiX4R1LTcm6psCxZlRyN
xpAIy4AWgvUvgwqRc9b2EXgGlw4THRcR4jDdwqQDHT4VxZJCANWnPKaSWgGvZFjvdAd+eFVTYaeE
uxX+IWT4q0JkeSQMprBGvcDkq5R7UotGwxF9LtTepAwHn+keBewsiVckXiXDc06wwoDZ5eX8eHo7
A8PL15fT69vLz7u3ny+a62FRVq0VFCXUHGS63ZvHhTxH/O6SfED2oBDr7KF3IX5jkbB5GQ1phlFz
UfFvQUNSmBstiYnpQvuaR00bQqUIpAmsi9YRL9nRLOws5z//8fJ2N1Vu6AHIYM6TFVwDHZXKrKOl
EXZACn5EiK1+hcCJFfJKUt8LHVflzZYmsGuaoU+I692gb16DNKH8hrHxki5mjjddWLMGCMIwokB8
hAH/AgHnfIxw8IKp2TzyRvKhLHPcaWDFHARibkVI931k3NMwgR2Tzxwe2F+KeXNvicTNXDBp7jne
SN0cRGGcMUgvLKzdhqporxd0N7+c3oDkt6fr5RnlJev3zK7F3cAf6xRzxxmFzL0xyGJm7xKMb5wF
J8FISwV8pMAA8eajEIS26QIJP81EM1ghO2+qmzyyQZ6f/oiqLfbBxjkxXPFzG3S3B+skSocx35xO
dtmx+KS5sHOywnhTDoF/DSM2XTfUeic+vHyXDonx8BWS2LRevTq3ihmnvZ5XYWrJsqYOzeGZcRSH
CMN9nFMaI2xukkU/TOHatyI2FP/x3EWsKx9DcuBukzLtrjcQNAeg0B+Kq5LRg5gHM/VlLkqWRNsa
mxmvGRtZ84TW65fDuzhcsIaX7a046r5cl8RQUs9WUg8r6Q0y65dkZn7OzPac2XtqZIbuuH0MlVcV
PxQmJZFvHso7t7ThK6FiRZGyBpmwPw5Ut+yM73DA81qlzMV04L+CKkNuKWFBs2HS66eUJQ3wmWiX
rqesKDlNlc3kuC+giEBS6d+kn7alel2o/Hm5lUQeH9YpiXRuSNgp6YDiIy96Y4uWEa8TLe2nNOfN
zhQI32rcXkkirrUMUKng1dhqZ0g9Aitaqs17UW+Vc2nj9o6prle0g93p7ptuKKZscPdbq5b3rnyI
d7EcdwbDDmXl0ven2nf2scyoStH+WYBU/TZOm/7vIrtuQccl+5AS/qHg5kemcDu5yq3HRApNsutD
4Hc3BEk/owq2lQLfN+lpCUtWJl7gHz/fvgaKAS6MXWa6uqZ6Pf+8f558NRW2u+5GvdFTCIQ1Hqn3
jkvrXAkIgxtCez/Nn/Z6K9ZkWYh0oE7bVJinc/sfbDz5f2NH1924ivsr+QlN2vSmD/OAbRyz8VfB
TtN58clNs7c9O9P2pJmzp/vrF4HtGINwHuZkKskgvoRAQlI5+2C9SvYqedQyZm7kmbcxjku8KG1H
QSQOxT8NcBTFWhdykg17WTzWRCTmiupg8mwTSM2AunSDnibmZJ1Bsla1knQOx9uBR69HDIPb6Q6V
w5mnz0oc95jv7rDG87bQwQFUQcDJmEZN8NwEIKONbWlEMMrWitIFRZWgHMADgXFFcrZtsTbVnk2H
VvBObDhh7ZW6P53f1CvH6vtzaEUvCa8Y2IPlxN7CVUxkxksHx+Gexj1KIp6gIBlbkymainA2QQO5
D5wUhjzsKYxUViICx/VNSgLEP0jPRFEHfh5EkUpGhda3vZQQ+k6pzv560yibKEispzpGSm8umZ8o
pp4aSXWbPUFD4ylmYBbfr7wDlRuJ51PRuyW3G88A021azd2tEVHCwGFv9E0iJLKEQbRC3syPiBbX
EF1V3RWMr+6v4el+fg3RNYwjNy8jortriJbuwR+S3KOjurp/mK7jAclEaRJdM6oPt1d0zsPdFTyt
/sI7R2qEq9XyoVlNFzNfLG+m+k/SzM2lRETImAnq6pyPu7pDLCbZvZ2kuENY7fBLrPL7yaL/mqR4
mKSYT7dgPtWE+dLs103BVg0ft0tBa6SouopXxiVKmll79eZ4gpBzr/sDJHC4bNUQJJs2jD/GKVmL
gXONeaDTUTbdwjuH8MrqrCdFbslpSCrEDNWSZrWoGhW7E3sWpUrTEecHG/WaKV2fI28m5HYFyRAy
SZMh+k4OAesBHxQpcpGkooth+iElEYVgRQjv+uMN5NRKzVstgIuEIay3b8XAQw3Ut7r0USV1vla5
pZHAfgmNPMZ8hYf36QJJoQIPenC8bkkR/EtygjiupnXQkeU4xVQVG5UegWw8JLySM6miO4pZYjRa
GUoQo2s7MCXLxzFhRyS+ijQFFNCQNEV8WuVBddvf1CDOjLIANFeXyansQ0rLCW5kRfC2qhE0jaEP
vN2th9RDkbB1MoqhbeDlv/YV1jAmM2DagLmj8pCImi3S86hVUzxx8Awt6rxCOZLcFvxZpSS1q0+Z
8Hb02oNUN2WMcl+HhpyC7zYjqT9cpBZ3KkuBjgpgiMEWbhw6wHetlcl48kke1k0lBXktjwqoERuI
wrKGSZemrXgpOPrOV28VMJvwItu5oOYo3cE10NZHqILmNk9ynTcQCxmMIc53nvoqKYcpip0QILNN
Hj5XRYkdIMIqVT/QWEuCjxgDPchazL35XovIvkcs13Mil3pc54pZvcNyDLvmpEyuoolL1e3eappM
LQkXYecbGivCcSnG13IL157OQ5Ku5xSlmpfDOzUOKTfXLvVBF43KRBbplKGQ5FM9t4Tl6p4ERoZR
Lhd3ReELxB5ElOzzbIQkg4hVzsjisrlqhW7WkeEKDH/7P5AyR00t46sOiKotoVoobukKdwLd81ZY
+/XgTbHKF9AKA8PMMoA3UbD27RRqIsu9iUN6ySk6Ofexy8923ehVLJU1JMiKuuKoojpz83S3UfW4
hiUqaqk8di+NL/a9IstAhHEq0MEEP1ZkrbJCS9Gmei5pc7Nb3fy4wXA0+jF342r1/x8LNzYvcri7
HONUZUZLegSiP/cUNS75e5p8lKyqH6fuYn7Aomzz5Ra7JJ5lA+GNM/YT8iukLHdFqxHHw5/T2/l7
4OreRtb6ajGX08eag7IszJfKPbDBZuSFAoJ51dkEEaguLktOTxDKA4lKC6Mj1r28nI5fXzPxuT8c
Z+Xp43xUsdwcbKu17eZ9myG+BxcSp3P1Ba1sG72J3EIHvK6ou+5ESlV5yLE9myCERrD/Or7MyOEA
bWy972eF/SzhUlxeNDxwOmhdaEiYqmrhbxe3gM/ITgo7Ki5rwcTD4aOoqx+3NxfTfBtx/jIKX65h
gK5y1aq60LRojpAkilw4sG+64DEzddkLhhdO08BgkiXw7MBVqMZAaqbch9cC0ENQsq23gjCJGPfi
syLy4OOpArJN7i1AJBnxMQi32776WR7BwddDkrPQ10NjS6HdBaTsLaftlQn58/J2Nu5MBrO2jlgl
/y5q5xJt0Sz6cb9c3tzYBPJMGabF2vWt3M8QTMuq51tdLzpaGo1ON8HWOXF2klTXNzFhThwsXnSV
sVKuM+5eOJobebyWW3jqSPsgN42zSkM6IQOgP7ZOFqKMCmc/qQwtudRHTJV40KgSkbASAYd974IH
GpZLzapCilYzA+aFfhvSpkmdaCbkDzJStg92hFSqTknhlhFCpTvGMdAcP7afyHOUKkwZzX2VaIK+
pAVKKGX21i22DYK+pNtW+fj+Opx/2XGhBp+jIqA9Iiobnyos/fhHvY+4bI72ikiLIlJTf36DYIOa
y8PY4qazme6GdtJdV5eEd5uxkW2C7NS1YDaKADZAU9aWM4CVlfpRd7rmi9Ud7Oaw2SocUqQ+0HRE
4wKSoti4i+iTgh0vq/Zz/49pGgYOYK2OOJbnChsq6DproQYLNKvlmnVGiwd0VsLLlLCym07TmEMK
aazl6u5WV+jQBdP998ef84zv318+fr/9b29qhfA9ESk3mwDrVR9qbHiNwFuVz/GEFKI/Ht9hUv77
uIcnAaOube+8BJGnaPCY+HYga3AYjEe10jg09wOAguYE0TlHuVSxSNAen74OGfu/1f5schMm6i0B
w9IEmaf+7mhZcH3zNLiYULmRR6nnNAwO5eXzGCrLGIPKxzGEExbdq1uS7SCrIX8uq6J3CTt9f54/
Zgd4ivdxmr0ef30eT5eh0sSQ1IaUbFxGC17YcEoiJ9AmDdJNyMpkKEHHGPujhIjECbRJ+dDd8AKz
CUszuXQLzUgu1zvH4HYx63i+WGV1aiHyOrWB4LnyWNPa2LxbnPqJnB5Muj/rKqH5RQD8Ob8e389v
B/Uch74fYGDB5eW/b+fXGfn6+ji8KVS0P++tAQ6H70i7pjhggj6yPohE8Ovj8J/Z74+X4eLuCgxC
6+Ow4g6YsGA0DCxYyp8cQ+aoZFf1enGy/3pF2JP6veNTV3lbTdmGh5RbxNluKw9vzTioBsIOyzPq
Z+d0zqI7B2xpw1iYEJrCrz3Rs0jORif4/sYFXizvXeDbhU0tEjJ3AV1FSPBybq+Vas3nDzb4qdTE
Wj69fb4arz96aSIcEkY0y5VdPcnrgDnIeXjnkDrFU8wc4xGSjKYpIw6EqJZOqM1J5OA6Vr8WeJOQ
nw4pKkgqiGs4NNzZfjMcRg/kpaECd4NC7SZWT4WzT1o45JU0kmKN0JqnNjzq70/QUwx9pO+cGGwj
VjE/jZd1nTz42W9hWsuZ5X9+/308zdbH9+OpU3jGC5LkgjVhyRHLZiccnrD72c02G1kbJAScEiDL
lwNDt7KL40HnA1BumaG6hQfDIBi+Bh7M2pzIfo6C1Oh6L6oNVIoIFVVDZvgxpusaM4NBhTrxsg8d
gIUJMWcFLCe8vcO3o2ekb3+f9qfv2Umqo2/vQ0EcMHmMhiCPw0Ng67IO9ydgRhFVoxOIuvA5mO1w
dErGX0tpLPc5VpkgMx4t0FTzm4jFTnktZXlVN2YBt4tRAW6HHTmJ9XbgKBhmOFifzemvoNaikBNf
5XE1IycBNKI2HG4rBIXJ5oI1m6HKM4AHmRMcC2P6C7BpUAs0tjFCJiEy9B1q3+H8H9e9L+p47AAA


[PaX Team]

There is a bug in 2.6.32.6-grsec-201001251756 that causes panic at boot:

can you please try to reproduce it with the latest PaX test patch alone and also follow http://en.wikibooks.org/wiki/Grsecurity/Reporting_Bugs when reporting such bugs?

[jdoe]

I'm having the same problem. I've emailed you with more details, unfortunately I couldn't compile with the latest pax test patch.. but hopefully it's still useful.

[PaX Team]

I'm having the same problem. I've emailed you with more details

thanks, got it. can you test it without UDEREF (or any PaX feature if that still fails)?

unfortunately I couldn't compile with the latest pax test patch.

when moving a grsec config to PaX, you must set the ACL hook option accordingly ('none').

[jdoe]

Boots with no obvious issues with UDEREF disabled. Crashes before init with UDEREF enabled, details emailed.

[PaX Team]

Boots with no obvious issues with UDEREF disabled. Crashes before init with UDEREF enabled, details emailed.

thanks, so it seems that for whatever reason init cannot be executed. can i ask you guys to instrument load_elf_binary in fs/binfmt_elf.c and add a printk to every error exit path so we know at which point it fails?

[jdoe]

Unfortunately this is a remote machine I don't have reliable console access to. Hopefully Grach can help with that.

[Grach]

Yes, I'll do it today, a bit later.

[Grach]

Seems like load_elf_binary wasn't called at all. I've got no output even from the first printk:

Code: Select all

static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
{   printk("enter load_elf_binary\n");
   struct file *interpreter = NULL; /* to shut gcc up */
    unsigned long load_addr = 0, load_bias = 0;
   int load_addr_set = 0;
   char * elf_interpreter = NULL;
   unsigned long error = 0;
   struct elf_phdr *elf_ppnt, *elf_phdata;
   unsigned long elf_bss, elf_brk;
   int retval, i;
   unsigned int size;
   unsigned long elf_entry;
   unsigned long interp_load_addr = 0;
   unsigned long start_code, end_code, start_data, end_data;
   unsigned long reloc_func_desc = 0;
   int executable_stack = EXSTACK_DEFAULT;
   struct {
      struct elfhdr elf_ex;
      struct elfhdr interp_elf_ex;
   } *loc;
   unsigned long pax_task_size = TASK_SIZE;

   loc = kmalloc(sizeof(*loc), GFP_KERNEL);
   if (!loc) {
      printk("!783\n");
      retval = -ENOMEM;
      goto out_ret;
   }
   
   /* Get the exec-header */
   loc->elf_ex = *((struct elfhdr *)bprm->buf);

   retval = -ENOEXEC;
   /* First of all, some simple consistency checks */
   if (memcmp(loc->elf_ex.e_ident, ELFMAG, SELFMAG) != 0) {
      printk("!794\n");
      goto out;
   }

   if (loc->elf_ex.e_type != ET_EXEC && loc->elf_ex.e_type != ET_DYN) {
      printk("!799\n");
      goto out;
   }
   if (!elf_check_arch(&loc->elf_ex)) {
      printk("!803\n");
      goto out;
   }
   if (!bprm->file->f_op||!bprm->file->f_op->mmap) {
      printk("!807\n");
      goto out;
   }

   /* Now read in all of the header information */
   if (loc->elf_ex.e_phentsize != sizeof(struct elf_phdr)) {
      printk("!813\n");
      goto out;
   }
   if (loc->elf_ex.e_phnum < 1 ||
       loc->elf_ex.e_phnum > 65536U / sizeof(struct elf_phdr)) {
      printk("!818\n");
      goto out;
   }
   size = loc->elf_ex.e_phnum * sizeof(struct elf_phdr);
   retval = -ENOMEM;
   printk("?823\n");
   elf_phdata = kmalloc(size, GFP_KERNEL);
   if (!elf_phdata) {
      printk("!826\n");
      goto out;
   }

   retval = kernel_read(bprm->file, loc->elf_ex.e_phoff,
              (char *)elf_phdata, size);
   if (retval != size) {
      if (retval >= 0) {
         printk("?834\n");
         retval = -EIO;
      }
      printk("!837\n");
      goto out_free_ph;
   }

   elf_ppnt = elf_phdata;
   elf_bss = 0;
   elf_brk = 0;

   start_code = ~0UL;
   end_code = 0;
   start_data = 0;
   end_data = 0;

   for (i = 0; i < loc->elf_ex.e_phnum; i++) {
      if (elf_ppnt->p_type == PT_INTERP) {
         /* This is the program interpreter used for
          * shared libraries - for now assume that this
          * is an a.out format binary
          */
         retval = -ENOEXEC;
         if (elf_ppnt->p_filesz > PATH_MAX ||
             elf_ppnt->p_filesz < 2) {
            printk("!859\n");
            goto out_free_ph;
         }

         retval = -ENOMEM;
         elf_interpreter = kmalloc(elf_ppnt->p_filesz,
                    GFP_KERNEL);
         if (!elf_interpreter) {
            printk("!867\n");
            goto out_free_ph;
         }

         retval = kernel_read(bprm->file, elf_ppnt->p_offset,
                    elf_interpreter,
                    elf_ppnt->p_filesz);
         if (retval != elf_ppnt->p_filesz) {
            if (retval >= 0) {
               printk("?876\n");
               retval = -EIO;
            }
            printk("!879\n");
            goto out_free_interp;
         }
         /* make sure path is NULL terminated */
         retval = -ENOEXEC;
         if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0') {
            printk("!885\n");
            goto out_free_interp;
         }

         /*
          * The early SET_PERSONALITY here is so that the lookup
          * for the interpreter happens in the namespace of the
          * to-be-execed image.  SET_PERSONALITY can select an
          * alternate root.
          *
          * However, SET_PERSONALITY is NOT allowed to switch
          * this task into the new images's memory mapping
          * policy - that is, TASK_SIZE must still evaluate to
          * that which is appropriate to the execing application.
          * This is because exit_mmap() needs to have TASK_SIZE
          * evaluate to the size of the old image.
          *
          * So if (say) a 64-bit application is execing a 32-bit
          * application it is the architecture's responsibility
          * to defer changing the value of TASK_SIZE until the
          * switch really is going to happen - do this in
          * flush_thread().   - akpm
          */
         SET_PERSONALITY(loc->elf_ex);

         interpreter = open_exec(elf_interpreter);
         retval = PTR_ERR(interpreter);
         if (IS_ERR(interpreter)) {
            printk("!913\n");
            goto out_free_interp;
         }

         /*
          * If the binary is not readable then enforce
          * mm->dumpable = 0 regardless of the interpreter's
          * permissions.
          */
         if (file_permission(interpreter, MAY_READ) < 0)
            bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;

         retval = kernel_read(interpreter, 0, bprm->buf,
                    BINPRM_BUF_SIZE);
         if (retval != BINPRM_BUF_SIZE) {
            if (retval >= 0) {
               printk("?929\n");
               retval = -EIO;
            }
            printk("!932\n");
            goto out_free_dentry;
         }

         /* Get the exec headers */
         loc->interp_elf_ex = *((struct elfhdr *)bprm->buf);
         break;
      }
      elf_ppnt++;
   }

   elf_ppnt = elf_phdata;
   for (i = 0; i < loc->elf_ex.e_phnum; i++, elf_ppnt++)
      if (elf_ppnt->p_type == PT_GNU_STACK) {
         if (elf_ppnt->p_flags & PF_X)
            executable_stack = EXSTACK_ENABLE_X;
         else
            executable_stack = EXSTACK_DISABLE_X;
         break;
      }

   /* Some simple consistency checks for the interpreter */
   if (elf_interpreter) {
      retval = -ELIBBAD;
      /* Not an ELF interpreter */
      if (memcmp(loc->interp_elf_ex.e_ident, ELFMAG, SELFMAG) != 0) {
         printk("!958\n");
         goto out_free_dentry;
      }
      /* Verify the interpreter has a valid arch */
      if (!elf_check_arch(&loc->interp_elf_ex)) {
         printk("!963\n");
         goto out_free_dentry;
      }
   } else {
      /* Executables without an interpreter also need a personality  */
      SET_PERSONALITY(loc->elf_ex);
   }

   /* Flush all traces of the currently running executable */
   retval = flush_old_exec(bprm);
   if (retval) {
      printk("!974\n");
      goto out_free_dentry;
   }

   /* OK, This is the point of no return */
   current->flags &= ~PF_FORKNOEXEC;

#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
   current->mm->pax_flags = 0UL;
#endif

#ifdef CONFIG_PAX_DLRESOLVE
   current->mm->call_dl_resolve = 0UL;
#endif

#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
   current->mm->call_syscall = 0UL;
#endif

#ifdef CONFIG_PAX_ASLR
   current->mm->delta_mmap = 0UL;
   current->mm->delta_stack = 0UL;
#endif

   current->mm->def_flags = 0;

#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
   if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
      send_sig(SIGKILL, current, 0);
      printk("!1003\n");
      goto out_free_dentry;
   }
#endif

#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
   pax_set_initial_flags(bprm);
#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
   if (pax_set_initial_flags_func)
      (pax_set_initial_flags_func)(bprm);
#endif

#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
   if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
      current->mm->context.user_cs_limit = PAGE_SIZE;
      current->mm->def_flags |= VM_PAGEEXEC;
   }
#endif

#ifdef CONFIG_PAX_SEGMEXEC
   if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
      current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
      current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
      pax_task_size = SEGMEXEC_TASK_SIZE;
   }
#endif

#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
   if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
      set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
      put_cpu();
   }
#endif

#ifdef CONFIG_PAX_ASLR
   if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
      current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
      current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
   }
#endif

   /* Do this immediately, since STACK_TOP as used in setup_arg_pages
      may depend on the personality.  */
   SET_PERSONALITY(loc->elf_ex);

#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
   if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
      executable_stack = EXSTACK_DISABLE_X;
      current->personality &= ~READ_IMPLIES_EXEC;
   } else
#endif

   if (elf_read_implies_exec(loc->elf_ex, executable_stack))
      current->personality |= READ_IMPLIES_EXEC;

   if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
      current->flags |= PF_RANDOMIZE;
   arch_pick_mmap_layout(current->mm);

   /* Do this so that we can load the interpreter, if need be.  We will
      change some of these later */
   current->mm->free_area_cache = current->mm->mmap_base;
   current->mm->cached_hole_size = 0;
   retval = setup_arg_pages(bprm, randomize_stack_top(STACK_TOP),
             executable_stack);
   if (retval < 0) {
      send_sig(SIGKILL, current, 0);
      printk("!1070\n");
      goto out_free_dentry;
   }
   
   current->mm->start_stack = bprm->p;

   /* Now we do a little grungy work by mmaping the ELF image into
      the correct location in memory. */
   for(i = 0, elf_ppnt = elf_phdata;
       i < loc->elf_ex.e_phnum; i++, elf_ppnt++) {
      int elf_prot = 0, elf_flags;
      unsigned long k, vaddr;

      if (elf_ppnt->p_type != PT_LOAD)
         continue;

      if (unlikely (elf_brk > elf_bss)) {
         unsigned long nbyte;
              
         /* There was a PT_LOAD segment with p_memsz > p_filesz
            before this one. Map anonymous pages, if needed,
            and clear the area.  */
         retval = set_brk (elf_bss + load_bias,
                 elf_brk + load_bias);
         if (retval) {
            send_sig(SIGKILL, current, 0);
            printk("!1096\n");
            goto out_free_dentry;
         }
         nbyte = ELF_PAGEOFFSET(elf_bss);
         if (nbyte) {
            nbyte = ELF_MIN_ALIGN - nbyte;
            if (nbyte > elf_brk - elf_bss)
               nbyte = elf_brk - elf_bss;
            if (clear_user((void __user *)elf_bss +
                     load_bias, nbyte)) {
               /*
                * This bss-zeroing can fail if the ELF
                * file specifies odd protections. So
                * we don't check the return value
                */
            }
         }
      }

      if (elf_ppnt->p_flags & PF_R)
         elf_prot |= PROT_READ;
      if (elf_ppnt->p_flags & PF_W)
         elf_prot |= PROT_WRITE;
      if (elf_ppnt->p_flags & PF_X)
         elf_prot |= PROT_EXEC;

      elf_flags = MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE;

      vaddr = elf_ppnt->p_vaddr;
      if (loc->elf_ex.e_type == ET_EXEC || load_addr_set) {
         elf_flags |= MAP_FIXED;
      } else if (loc->elf_ex.e_type == ET_DYN) {
         /* Try and get dynamic programs out of the way of the
          * default mmap base, as well as whatever program they
          * might try to exec.  This is because the brk will
          * follow the loader, and is not movable.  */
#ifdef CONFIG_X86
         load_bias = 0;
#else
         load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif

#ifdef CONFIG_PAX_RANDMMAP
         /* PaX: randomize base address at the default exe base if requested */
         if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
#ifdef CONFIG_SPARC64
            load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
#else
            load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
#endif
            load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
            elf_flags |= MAP_FIXED;
         }
#endif

      }

      error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
            elf_prot, elf_flags, 0);
      if (BAD_ADDR(error)) {
         send_sig(SIGKILL, current, 0);
         retval = IS_ERR((void *)error) ?
            PTR_ERR((void*)error) : -EINVAL;
         printk("!1159\n");
         goto out_free_dentry;
      }

      if (!load_addr_set) {
         load_addr_set = 1;
         load_addr = (elf_ppnt->p_vaddr - elf_ppnt->p_offset);
         if (loc->elf_ex.e_type == ET_DYN) {
            load_bias += error -
                         ELF_PAGESTART(load_bias + vaddr);
            load_addr += load_bias;
            reloc_func_desc = load_bias;
         }
      }
      k = elf_ppnt->p_vaddr;
      if (k < start_code)
         start_code = k;
      if (start_data < k)
         start_data = k;

      /*
       * Check to see if the section's size will overflow the
       * allowed task size. Note that p_filesz must always be
       * <= p_memsz so it is only necessary to check p_memsz.
       */
      if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
          elf_ppnt->p_memsz > pax_task_size ||
          pax_task_size - elf_ppnt->p_memsz < k) {
         /* set_brk can never work. Avoid overflows. */
         send_sig(SIGKILL, current, 0);
         retval = -EINVAL;
         printk("!1190\n");
         goto out_free_dentry;
      }

      k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;

      if (k > elf_bss)
         elf_bss = k;
      if ((elf_ppnt->p_flags & PF_X) && end_code < k)
         end_code = k;
      if (end_data < k)
         end_data = k;
      k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
      if (k > elf_brk)
         elf_brk = k;
   }

   loc->elf_ex.e_entry += load_bias;
   elf_bss += load_bias;
   elf_brk += load_bias;
   start_code += load_bias;
   end_code += load_bias;
   start_data += load_bias;
   end_data += load_bias;

#ifdef CONFIG_PAX_RANDMMAP
   if (current->mm->pax_flags & MF_PAX_RANDMMAP)
      elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
#endif

   /* Calling set_brk effectively mmaps the pages that we need
    * for the bss and break sections.  We must do this before
    * mapping in the interpreter, to make sure it doesn't wind
    * up getting placed where the bss needs to go.
    */
   retval = set_brk(elf_bss, elf_brk);
   if (retval) {
      send_sig(SIGKILL, current, 0);
      printk("!1228\n");
      goto out_free_dentry;
   }
   if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
      /*
       * This bss-zeroing can fail if the ELF
       * file specifies odd protections. So
       * we don't check the return value
       */
   }

   if (elf_interpreter) {
      unsigned long uninitialized_var(interp_map_addr);

      elf_entry = load_elf_interp(&loc->interp_elf_ex,
                   interpreter,
                   &interp_map_addr,
                   load_bias);
      if (!IS_ERR((void *)elf_entry)) {
         /*
          * load_elf_interp() returns relocation
          * adjustment
          */
         interp_load_addr = elf_entry;
         elf_entry += loc->interp_elf_ex.e_entry;
      }
      if (BAD_ADDR(elf_entry)) {
         force_sig(SIGSEGV, current);
         retval = IS_ERR((void *)elf_entry) ?
               (int)elf_entry : -EINVAL;
         printk("!1258\n");
         goto out_free_dentry;
      }
      reloc_func_desc = interp_load_addr;

      allow_write_access(interpreter);
      fput(interpreter);
      kfree(elf_interpreter);
   } else {
      elf_entry = loc->elf_ex.e_entry;
      if (BAD_ADDR(elf_entry)) {
         force_sig(SIGSEGV, current);
         retval = -EINVAL;
         printk("!1271\n");
         goto out_free_dentry;
      }
   }

   kfree(elf_phdata);

   set_binfmt(&elf_format);

#ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES
   retval = arch_setup_additional_pages(bprm, !!elf_interpreter);
   if (retval < 0) {
      send_sig(SIGKILL, current, 0);
      printk("!1284\n");
      goto out;
   }
#endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */

   install_exec_creds(bprm);
   current->flags &= ~PF_FORKNOEXEC;
   retval = create_elf_tables(bprm, &loc->elf_ex,
           load_addr, interp_load_addr);
   if (retval < 0) {
      send_sig(SIGKILL, current, 0);
      printk("!1295\n");
      goto out;
   }
   /* N.B. passed_fileno might not be initialized? */
   current->mm->end_code = end_code;
   current->mm->start_code = start_code;
   current->mm->start_data = start_data;
   current->mm->end_data = end_data;
   current->mm->start_stack = bprm->p;

#ifdef arch_randomize_brk
   if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1))
      current->mm->brk = current->mm->start_brk =
         arch_randomize_brk(current->mm);
#endif

   if (current->personality & MMAP_PAGE_ZERO) {
      /* Why this, you ask???  Well SVr4 maps page 0 as read-only,
         and some applications "depend" upon this behavior.
         Since we do not have the power to recompile these, we
         emulate the SVr4 behavior. Sigh. */
      down_write(&current->mm->mmap_sem);
      error = do_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_EXEC,
            MAP_FIXED | MAP_PRIVATE, 0);
      up_write(&current->mm->mmap_sem);
   }

#ifdef ELF_PLAT_INIT
   /*
    * The ABI may specify that certain registers be set up in special
    * ways (on i386 %edx is the address of a DT_FINI function, for
    * example.  In addition, it may also specify (eg, PowerPC64 ELF)
    * that the e_entry field is the address of the function descriptor
    * for the startup routine, rather than the address of the startup
    * routine itself.  This macro performs whatever initialization to
    * the regs structure is required as well as any relocations to the
    * function descriptor entries when executing dynamically links apps.
    */
   ELF_PLAT_INIT(regs, reloc_func_desc);
#endif

   start_thread(regs, elf_entry, bprm->p);
   retval = 0;
out:
   kfree(loc);
out_ret:
   return retval;

   /* error cleanup */
out_free_dentry:
   allow_write_access(interpreter);
   if (interpreter)
      fput(interpreter);
out_free_interp:
   kfree(elf_interpreter);
out_free_ph:
   kfree(elf_phdata);
   printk("?1352\n");
   goto out;
}

[PaX Team]

Seems like load_elf_binary wasn't called at all. I've got no output even from the first printk:

ok, then it's an earlier problem, so let's move up and instrument do_execve() in fs/exec.c please and if you find the failing function, instrument that as well until it's down to a single call to something (probably some copying code from userland).

[ncopa]

[quote="PaX Team"][quote="Grach"]Seems like load_elf_binary wasn't called at all. I've got no output even from the first printk:[/quote]ok, then it's an earlier problem, so let's move up and instrument do_execve() in fs/exec.c please and if you find the failing function, instrument that as well until it's down to a single call to something (probably some copying code from userland).[/quote]

Having same issue.

I injected a whole bunch of printk("do_exec: ...") in do_exec():
[code]
...
printk("do_execve: 4\n");
retval = check_unsafe_exec(bprm);
if (retval < 0)
goto out_free;
clear_in_exec = retval;
current->in_execve = 1;

printk("do_execve: 5\n");
file = open_exec(filename);
retval = PTR_ERR(file);
if (IS_ERR(file))
goto out_unmark;
printk("do_execve: 6\n");

sched_exec();

printk("do_execve: 7\n");
bprm->file = file;
bprm->filename = filename;
bprm->interp = filename;

gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);

printk("do_execve: 8\n");
if (gr_handle_nproc()) {
retval = -EAGAIN;
goto out_file;
}

printk("do_execve: 9\n");
if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
retval = -EACCES;
goto out_file;
}

printk("do_execve: 10\n");
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;

printk("do_execve: 11\n");
bprm->argc = count(argv, MAX_ARG_STRINGS);
if ((retval = bprm->argc) < 0)
goto out;

printk("do_execve: 12\n");
bprm->envc = count(envp, MAX_ARG_STRINGS);
if ((retval = bprm->envc) < 0)
goto out;

printk("do_execve: 13\n");
retval = prepare_binprm(bprm);
if (retval < 0)
goto out;

printk("do_execve: 14\n");
retval = copy_strings_kernel(1, &bprm->filename, bprm);
if (retval < 0)
goto out;

printk("do_execve: 15\n");
bprm->exec = bprm->p;
retval = copy_strings(bprm->envc, envp, bprm);
if (retval < 0)
goto out;

printk("do_execve: 16\n");
retval = copy_strings(bprm->argc, argv, bprm);
if (retval < 0)
goto out;

printk("do_execve: 17\n");
if (!gr_tpe_allow(file)) {
retval = -EACCES;
goto out;
}

printk("do_execve: 18\n");
if (gr_check_crash_exec(file)) {
retval = -EACCES;
goto out;
...
out_fail:
printk("do_execve: 27\n");
#ifdef CONFIG_GRKERNSEC
current->acl = old_acl;
memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
fput(current->exec_file);
current->exec_file = old_exec_file;
#endif

out:
printk("do_execve: 28\n");
if (bprm->mm)
mmput (bprm->mm);

out_file:
printk("do_execve: 29\n");
if (bprm->file) {
allow_write_access(bprm->file);
fput(bprm->file);
}

out_unmark:
printk("do_execve: 30\n");
if (clear_in_exec)
current->fs->in_exec = 0;
current->in_execve = 0;

out_free:
printk("do_execve: 31\n");
free_bprm(bprm);

out_files:
printk("do_execve: 32\n");
if (displaced)
reset_files_struct(displaced);
out_ret:
printk("do_execve: 33\n");
return retval;
}
...
[/code]

It prints 1-14 where it jumps to "out" and continue print 28-33.

So it looks like its this one that fails:
[code]
...
retval = copy_strings_kernel(1, &bprm->filename, bprm);
if (retval < 0)
goto out;
...
[/code]

[PaX Team]

It prints 1-14 where it jumps to "out" and continue print 28-33.

So it looks like its this one that fails:

Code: Select all

...
        retval = copy_strings_kernel(1, &bprm->filename, bprm);
        if (retval < 0)
                goto out;
...


excellent, can you please now instrument copy_strings fs/exec.c and see where it returns an error?

[ncopa]

(how do i enable bbcode?)

Here's my modificated code:
[code]
...
static int copy_strings(int argc, char __user * __user * argv,
struct linux_binprm *bprm)
{
struct page *kmapped_page = NULL;
char *kaddr = NULL;
unsigned long kpos = 0;
int ret;

while (argc-- > 0) {
char __user *str;
int len = -1;
unsigned long pos;

printk("copy_strings(1): argc=%i\n", argc);
if (get_user(str, argv+argc) ||
!(len = strnlen_user(str, MAX_ARG_STRLEN))) {
printk("copy_strings(2): len=%i\n", len);
ret = -EFAULT;
goto out;
}

if (!valid_arg_len(bprm, len)) {
ret = -E2BIG;
printk("copy_strings(3): E2BIG\n");
goto out;
}
...
[/code]

It prints:
copy_string(1): argc=0
compy_string(2): len=0

Note that i modified len to initialize to -1 which means that it is the

strnlen_user(str, MAX_ARG_STRLEN)

that returns zero that triggers this.
Do you want me look in strnlen_user() as well?

[PaX Team]

ok, 32.7-test11 should have the fix, can you guys try it?

[Grach]

grsecurity-2.1.14-2.6.32.7-201001291848.patch works for me. Thanks!