"Randomized" Segmentation faults

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

"Randomized" Segmentation faults

Postby Habermas » Mon May 19, 2003 7:43 am

Hello!

I have compiled grsec (patch 1.99g) with the official 2.4.20 kernel and rebooted the system. It is a production server. Ever since I am running into "Segmentation faults" - only during kernel compilation. But they appear randomly - it looks like a RAM problem.

My system is a dual SMP PIII, 1,2 GB ECC reg. RAM.

Does anybody else have similar problems?

Thanks!

Habermas
Habermas
 
Posts: 5
Joined: Mon May 19, 2003 7:38 am

It was a grsecurity issue!

Postby Habermas » Sat May 24, 2003 7:48 am

Hey!

After installing an older, not-grsec kernel, I found out that the compiling problem (segmentation faults) is indeed a GR-Security issue. Without the grsec-kernel the server runs just fine without any segfaults.

Any idea?

Cheers,
Habermas
Habermas
 
Posts: 5
Joined: Mon May 19, 2003 7:38 am

Re: It was a grsecurity issue!

Postby PaX Team » Sat May 24, 2003 6:21 pm

Habermas wrote:After installing an older, not-grsec kernel, I found out that the compiling problem (segmentation faults) is indeed a GR-Security issue. Without the grsec-kernel the server runs just fine without any segfaults.
can you post your .config file (or just the GRSEC options), also maybe try to disable all PaX options and see if there's a difference.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: It was a grsecurity issue!

Postby Habermas » Sun May 25, 2003 4:54 am

PaX Team wrote:can you post your .config file (or just the GRSEC options), also maybe try to disable all PaX options and see if there's a difference.


Ok, here is the .config with the GR part, hope it helps:

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
# CONFIG_GRKERNSEC_PAX_NOEXEC is not set
# CONFIG_GRKERNSEC_PAX_KERNEXEC is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
# CONFIG_GRKERNSEC_HIDESYM is not set

#
# ACL options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
# CONFIG_GRKERNSEC_LINK is not set
# CONFIG_GRKERNSEC_FIFO is not set
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
# CONFIG_GRKERNSEC_CHROOT_UNIX is not set
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
# CONFIG_GRKERNSEC_CHROOT_SYSCTL is not set
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
# CONFIG_GRKERNSEC_FORKFAIL is not set
# CONFIG_GRKERNSEC_TIME is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
# CONFIG_GRKERNSEC_RANDNET is not set
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_RANDPING=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4


If you need something else too, please let me know! There was no error message or anything like that in /var/log/messages or even /var/log/warn. Just a "usual" segfault.

I wouldn't want to retry the grsec-kernel since this is only happening on my production server.

Habermas
Habermas
 
Posts: 5
Joined: Mon May 19, 2003 7:38 am

Re: It was a grsecurity issue!

Postby PaX Team » Sun May 25, 2003 7:26 am

Habermas wrote:# CONFIG_GRKERNSEC_PAX_NOEXEC is not set
# CONFIG_GRKERNSEC_PAX_KERNEXEC is not set
this would have been one of my bets but apparently you're not using non-exec pages. the other thing i can think of is that the other grsecurity restrictions/ACLs trigger a bug in gcc/whereever, but to find it out you'd have to do some debugging on your production server (or at least take a look at the previously generated coredumps if you enabled them) - probably not a good idea. in any case, you could post your ACLs or at least the portions that are relevant for a kernel compilation, maybe we can spot a problem in there.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Return to grsecurity support