
qmail problem

Posted: Sat May 17, 2003 9:41 pm
by zorgin
Hi there. i have a problem (quite obvious ehh?) anyways.

I've installed a virus scanner/filter for qmail called qscan which uses a tool called sweep (the actual scanner) and when it's trying to scan the mail the log spits this out.


@400000003ec6e5411d5aabdc /usr/local/bin/sweep: error while loading shared libraries: failed to map segment from shared object: cannot load shared object file: Cannot allocate memory

i saw a similar problem on tcpserver (with qmail) and how you guys fixed it so i tried the same thing (chpax -s /usr/local/bin/sweep) but that didn't help.
Any help would be appreciated.

Re: qmail problem

Posted: Sun May 18, 2003 4:31 am
by PaX Team
zorgin wrote: @400000003ec6e5411d5aabdc /usr/local/bin/sweep: error while loading shared libraries: failed to map segment from shared object: cannot load shared object file: Cannot allocate memory
i take it that you enabled NOELFRELOCS in the kernel config but didn't actually make sure that all of your ELF libraries were PIC :-). the proper solution would be to find the offending library (e.g., via strace) and recompile it with -fPIC, or as a quick 'solution' you can disable MPROTECT on it (chpax -m).
zorgin wrote: i saw a similar problem on tcpserver (with qmail) and how you guys fixed it so i tried the same thing (chpax -s /usr/local/bin/sweep) but that didn't help.
if you enabled PAGEEXEC in the kernel config, then you'd have to disable that as well via chpax -p (that is, if you walk this way and want to disable all of the non-executable page features).

Posted: Sun May 18, 2003 9:10 am
by zorgin
Heya. thanks for responding.. however i tried to do as you said. did the chpax on both sweep and the libs it's using.. no good. also tried to disable mprotect (just to see if it would work) but no change at all.
it spit out the same error in the log so i have no clue on why it would not work.
Yes i'm kinda new into this sort of stuff so bear with me please :)

Posted: Mon May 19, 2003 10:27 am
by PaX Team
zorgin wrote: Heya. thanks for responding.. however i tried to do as you said. did the chpax on both sweep and the libs it's using.. no good. also tried to disable mprotect (just to see if it would work) but no change at all. it spit out the same error in the log so i have no clue on why it would not work.
ok, my mistake, i didn't fully read the error message and thought it was the usual problem with someone having enabled NOELFRELOCS without having verified all .so files, but that's not the case. rather, it seems 'sweep' needs a library that's too big (or would at least exceed RLIMIT_AS). what you should do is run 'sweep' through 'strace' and check the output, towards the end you should see a mmap() call that fails, then look back and you will find which library was going to be mapped, that's the problem. also verify your address space limit ('ulimit -d -v'), probably it's set too low.

Posted: Mon May 19, 2003 5:16 pm
by zorgin
Okay.. after checking the ulimit -d -v i'm getting even more confused :p
see for yourself

root@arcanos:~/qscan-1.5/src# ulimit -d -v
data seg size (kbytes) unlimited
virtual memory (kbytes) unlimited

i dunno this might be right or wrong you tell me :)

anyways since it's when sweep is used by qscan it flips out i'm gonna have to dig through some of the source of qscan to see what args it uses on sweep unless you know an easier way to check this..?

Posted: Wed May 21, 2003 10:02 am
by PaX Team
zorgin wrote: root@arcanos:~/qscan-1.5/src# ulimit -d -v
data seg size (kbytes) unlimited
virtual memory (kbytes) unlimited

i dunno this might be right or wrong you tell me :)
it just means that in a normal shell these resource limits cannot be a problem, so something must explicitly override them for qscan/sweep (could be explicit setrlimit() calls but i saw nothing like that in the source code or maybe your PAM configuration). the only similar issue i found is http://forums.grsecurity.net/viewtopic.php?t=158 but that should have been resolved last year.

Posted: Thu May 22, 2003 5:00 am
by zorgin
Yea i know.. i did try to do what fixed the problem on my machine but nothing helped.. so i dunno what to do next..

Posted: Thu Jun 26, 2003 10:32 am
by daimonic
Any chance you're using softlimit? If you are and it's reached the max. allowance it will give you that error.
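
The strace check suggested earlier in the thread (find the mmap() that fails, then look back for the library being mapped), as an added example that is not code from any poster: the function names, the library path and the trace lines are constructed for illustration, and plain strace output (optionally with a `[pid N]` prefix) is assumed.

```shell
#!/bin/sh
# find_failed_map: read strace output on stdin and print, for every mmap
# call that failed with ENOMEM, the file behind its fd and the length asked for.
find_failed_map() {
    awk '
    # Drop the "[pid N] " prefix that strace -f puts on each line.
    { sub(/^\[pid +[0-9]+\] +/, "") }
    # Successful open()/openat(): remember which path the returned fd refers to.
    /^(open|openat)\(/ && / = [0-9]+$/ {
        n = split($0, q, "\"")          # q[2] is the quoted path
        if (n >= 3) path[$NF] = q[2]
        next
    }
    # Failed mapping; the arguments are (addr, length, prot, flags, fd, offset).
    /^(old_mmap|mmap2|mmap)\(/ && /ENOMEM/ {
        args = $0
        sub(/^[a-z_0-9]+\(/, "", args)  # strip the syscall name
        sub(/\).*$/, "", args)          # strip the return value
        split(args, a, /, */)
        name = (a[5] in path) ? path[a[5]] : "anonymous"
        printf "%s length=%s\n", name, a[2]
    }'
}

# Constructed sample trace (hypothetical library name, not taken from sweep).
sample_trace() {
    cat <<'EOF'
open("/etc/ld.so.cache", O_RDONLY) = 3
old_mmap(NULL, 20480, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40014000
close(3) = 0
open("/usr/local/lib/libexample.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1"..., 1024) = 1024
old_mmap(NULL, 9000000, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = -1 ENOMEM (Cannot allocate memory)
close(3) = 0
EOF
}

sample_trace | find_failed_map
```

The trace only shows the failure if it is taken under the same limits the scanner runs with under qmail (for example inside the same softlimit wrapper), since the interactive shell above reported both limits as unlimited.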