Firefox 44 broken with grsec / PaX

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby careta » Sat Feb 06, 2016 7:33 am

It seems the latest FF 44 doesn't work at all with grsec / PaX.
I can't really trace the problem, but I've tried disabling every single protection on the Firefox (actually Iceweasel) binary, and all the libraries it comes bundled with, and still no go.
I've tried tracing it under GDB and this is what I get:
warning: Cannot call inferior functions, Linux kernel PaX protection forbids return to non-executable pages!
XPCOMGlueLoad error for file /usr/lib/iceweasel/libxul.so:
/usr/lib/iceweasel/libxul.so: cannot change memory protections: Permission denied

Without GDB it simply segfaults.

Obviously I've removed all the permissions from all the libraries and I still get the above. Has anyone noticed a problem with FF 44? Or is it just Debian's Iceweasel? Or just my configuration?
careta
 
Posts: 11
Joined: Sun May 18, 2014 6:43 pm

Re: Firefox 44 broken with grsec / PaX

Postby PaX Team » Sat Feb 06, 2016 7:46 am

PaX flags don't matter on libraries, only on executables. can you post an strace -f output of firefox? also what does readelf -edW /usr/lib/iceweasel/libxul.so show?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Firefox 44 broken with grsec / PaX

Postby szg0000 » Sat May 07, 2016 1:07 pm

Firefox 46.0.1 also crashes with kernel 4.5.3 if patched & enabled with PaX.
-----------------------------------------------------------------------------------------------------------------------------------------------------
out of memory
Assertion failure: [unhandlable oom] OOM in createJitRuntime, at /tmp/buildd/iceweasel-38.8.0esr/js/src/jscntxt.cpp:1184
Szegmentálási hiba (Segmentation fault)

-----------------------------------------------------------------------------------------------------------------------------------------------------
szg0000
 
Posts: 2
Joined: Sat May 07, 2016 1:01 pm

Re: Firefox 44 broken with grsec / PaX

Postby PaX Team » Sat May 07, 2016 7:08 pm

is it 46.0.1 or 38.8.0esr? can you post the information i asked for before?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Firefox 44 broken with grsec / PaX

Postby szg0000 » Sun May 08, 2016 3:54 am

Yes.

The version information is:
szg@debian:~/firefox$ ./firefox --version
Mozilla Firefox 46.0.1

After the crash, a "Crash report window" was on the screen, but there was no button like "show me what is in the crash report". I sniffed with Wireshark to see what was in the crash report packets, but there was no useful information.
The strace output is about ~9500 lines. Is it possible to attach a text file somehow? (At "User Control Panel" ----> "Manage attachments" there is nothing regarding how to upload an attachment)
szg0000
 
Posts: 2
Joined: Sat May 07, 2016 1:01 pm

Re: Firefox 44 broken with grsec / PaX

Postby PaX Team » Sun May 08, 2016 4:10 am

you can just email me the strace output. use strace -f -ff -o firefox -e mmap,munmap,mprotect,open firefox to reduce its size and hopefully still get the information i need.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Firefox 44 broken with grsec / PaX

Postby quasar366 » Sun May 08, 2016 8:28 am

Don't know which OS you use, but I never had problems with Firefox and grsec.
I think the important part is to also disable mprotect for the plugin-container.

setfattr -n user.pax.flags -vm /usr/lib/firefox/firefox
setfattr -n user.pax.flags -vm /usr/lib/firefox/plugin-container

Don't know if there is a plugin-container for iceweasel in /usr/lib/iceweasel/plugin-container?
quasar366
 
Posts: 36
Joined: Mon Dec 02, 2013 2:26 pm

Re: Firefox 44 broken with grsec / PaX

Postby PaX Team » Sun May 08, 2016 3:47 pm

thanks for the strace logs, this looks like the culprit:
Code:
mmap(NULL, 65536, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x361a3056000
mprotect(0x361a3056000, 4096, PROT_READ|PROT_WRITE) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
this runs against MPROTECT so you'll have to disable it on the firefox binaries as mentioned above.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
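
A small triage script for the trace pattern PaX Team points to above, added here as an example and not part of the thread: it reads mmap/mprotect lines in the format produced by the strace command quoted earlier and reports denied mprotect calls together with the protection of the mapping they targeted. The function name, the category labels and the last two sample lines are constructed for illustration.

```python
import re

# Sample trace: the first three lines are the ones quoted in the thread,
# the last two are constructed to show a change that is allowed.
SAMPLE = """\
mmap(NULL, 65536, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x361a3056000
mprotect(0x361a3056000, 4096, PROT_READ|PROT_WRITE) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0000001000
mprotect(0x7f0000001000, 4096, PROT_READ) = 0
"""

# search() is used below, so a leading "PID " column (strace -f without -ff) is tolerated.
MMAP = re.compile(r"mmap\((?:NULL|0x[0-9a-f]+), (\d+), ([A-Z_|]+), [^,]+, -?\d+, \w+\)"
                  r"\s+= (0x[0-9a-f]+)")
MPROT = re.compile(r"mprotect\((0x[0-9a-f]+), (\d+), ([A-Z_|]+)\)\s+= (-?\d+)(?: (E[A-Z]+))?")


def denied_transitions(trace):
    """Return denied mprotect calls paired with the mapping they targeted."""
    maps = []       # (start, end, prot set) of successful mmap calls seen so far
    findings = []
    for line in trace.splitlines():
        m = MMAP.search(line)
        if m:
            start = int(m.group(3), 16)
            maps.append((start, start + int(m.group(1)), set(m.group(2).split("|"))))
            continue
        p = MPROT.search(line)
        if not p or p.group(4) != "-1" or p.group(5) not in ("EACCES", "EPERM"):
            continue
        addr, new = int(p.group(1), 16), set(p.group(3).split("|"))
        # The most recent mapping covering the address wins.
        old = next((pr for s, e, pr in reversed(maps) if s <= addr < e), None)
        if old is None:
            kind = "mapping not seen in trace"
        elif "PROT_EXEC" in old and "PROT_WRITE" in new:
            kind = "executable mapping made writable"
        elif "PROT_EXEC" in new and "PROT_EXEC" not in old:
            kind = "non-executable mapping made executable"
        else:
            kind = "other"
        findings.append({"addr": addr, "old": sorted(old or []), "new": sorted(new),
                         "errno": p.group(5), "kind": kind})
    return findings


if __name__ == "__main__":
    for f in denied_transitions(SAMPLE):
        print(hex(f["addr"]), f["errno"], f["kind"], f["old"], "->", f["new"])
```
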

