How to check the real work of CONFIG_PAX_MEMORY_SANITIZE=y kernel config option.


Postby BlitzKrieg » Thu Oct 20, 2016 5:00 am

Hi guys.
I am not a developer, so I can't read the kernel source code. I need to check whether CONFIG_PAX_MEMORY_SANITIZE=y is working or not.
For example, I can write a simple program that allocates a buffer in memory and puts something into it. The program executes free(buffer) when it stops. Run this program, then dump its memory through /proc/self/pagemap, translate the virtual memory addresses to physical ones, stop the program and dump it again, but with physical addresses. With a kernel without PaX I will see the content of that buffer in the dump taken after the program stops, and with a kernel with PaX I will see nothing. Is that possible?
BlitzKrieg
 
Posts: 3
Joined: Thu Oct 20, 2016 4:38 am

Re: How to check the real work of CONFIG_PAX_MEMORY_SANITIZE=y kernel config option.

Postby PaX Team » Thu Oct 20, 2016 6:12 pm

Sure, you can access physical memory via /dev/mem (you'll have to disable GRKERNSEC_KMEM though).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: How to check the real work of CONFIG_PAX_MEMORY_SANITIZE=y kernel config option.

Postby BlitzKrieg » Fri Oct 21, 2016 4:40 am

I used the fmem project https://github.com/NateBrune/fmem to access physical memory through the /dev/fmem device, without the /dev/mem restrictions.
I tried this, but I don't see any difference between running with PaX and without it.
This is my actual test plan:
1. Load a kernel without PaX.
2. Load this program:
Code:
#include <stdio.h>      /* printf, scanf, NULL */
#include <stdlib.h>     /* malloc, free, rand */
#include <unistd.h>     /* sleep */

int main(void)
{
    int i, n;
    char *buffer;
    i = 8192;

    /* allocate the test buffer and fill it with a recognisable pattern */
    buffer = (char *) malloc(i + 1);
    if (buffer == NULL) exit(1);

    for (n = 0; n < i; n++)
        buffer[n] = rand() % 26 + 'a';
    buffer[i] = '\0';
    sleep(30);          /* window in which the dump scripts run */
    printf("END\n");
    free(buffer);       /* release the buffer; its pages go back to the kernel at exit */
    return 0;
}

3. Dump the process memory through /proc/pid/pagemap and /proc/pid/maps to a file with a Python script.
4. Translate the virtual memory addresses from /proc/pid/maps to physical offsets in the /dev/fmem device and dump them to another file with a Python script.
(The output files of steps 3 and 4 are the same at this point.) At this step I see the content of the buffer in the "[heap]" section of the maps file. This script also writes a file with the offsets.
5. Wait until the program from step 2 ends.
6. Dump memory from /dev/fmem using the offset file from step 4 into another file. Contrary to my expectations, there is no buffer content in that dump.

I repeat these steps for the PaX kernel and there are no fundamental differences between the dumps.
What am I doing wrong?
BlitzKrieg
 
Posts: 3
Joined: Thu Oct 20, 2016 4:38 am
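The translation in steps 3 and 4 of the plan above (virtual address from /proc/pid/maps to physical page via /proc/pid/pagemap), plus a per-page comparison of two dumps of the same physical offsets, as an added example that is not code from this thread or from the fmem project. It assumes a Linux host, root (since Linux 4.0 unprivileged readers of pagemap get a zero PFN), a 4 KiB page size, and a physical-memory device such as /dev/mem (with GRKERNSEC_KMEM disabled, as PaX Team notes) or the fmem module's /dev/fmem; the pagemap bytes and maps line in the test are constructed.

```python
"""Decode pagemap entries, map virtual to physical addresses, and compare two
physical dumps page by page (added example; assumptions noted in comments)."""
import os
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

PAGE_SIZE = 4096  # assumption: 4 KiB pages (os.sysconf("SC_PAGE_SIZE") on the target)


@dataclass(frozen=True)
class PagemapEntry:
    present: bool
    swapped: bool
    file_or_shared: bool
    pfn: int  # page frame number; meaningful only when present and not swapped


def decode_pagemap_entry(raw: bytes) -> PagemapEntry:
    """Decode one 64-bit little-endian /proc/<pid>/pagemap entry.

    Layout (Documentation/admin-guide/mm/pagemap.rst): bits 0-54 PFN,
    bit 61 file-page or shared-anon, bit 62 swapped, bit 63 present."""
    if len(raw) != 8:
        raise ValueError("pagemap entries are exactly 8 bytes")
    (value,) = struct.unpack("<Q", raw)
    present = bool((value >> 63) & 1)
    swapped = bool((value >> 62) & 1)
    file_or_shared = bool((value >> 61) & 1)
    pfn = (value & ((1 << 55) - 1)) if present and not swapped else 0
    return PagemapEntry(present, swapped, file_or_shared, pfn)


@dataclass(frozen=True)
class MapsRegion:
    start: int
    end: int
    perms: str
    pathname: str  # e.g. "[heap]", or "" for anonymous mappings


def parse_maps_line(line: str) -> MapsRegion:
    """Parse one /proc/<pid>/maps line: 'start-end perms offset dev inode [path]'."""
    fields = line.split(maxsplit=5)
    lo, hi = fields[0].split("-")
    pathname = fields[5].strip() if len(fields) > 5 else ""
    return MapsRegion(int(lo, 16), int(hi, 16), fields[1], pathname)


def virt_to_phys(vaddr: int, entry: PagemapEntry, page_size: int = PAGE_SIZE) -> Optional[int]:
    """Physical address of vaddr, or None if the page is not resident in RAM
    (not present, swapped out, or PFN hidden from an unprivileged reader)."""
    if not entry.present or entry.swapped or entry.pfn == 0:
        return None
    return entry.pfn * page_size + (vaddr % page_size)


def heap_regions(pid: int) -> List[MapsRegion]:
    """All '[heap]' regions of a live process (needs Linux and /proc access)."""
    with open(f"/proc/{pid}/maps") as maps:
        return [r for r in map(parse_maps_line, maps) if r.pathname == "[heap]"]


def physical_pages(pid: int, region: MapsRegion, page_size: int = PAGE_SIZE) -> Iterator[int]:
    """Yield the physical address of every resident page in region (step 4).
    Record these offsets; they are what gets re-read after the process exits."""
    fd = os.open(f"/proc/{pid}/pagemap", os.O_RDONLY)  # needs CAP_SYS_ADMIN for real PFNs
    try:
        for vaddr in range(region.start, region.end, page_size):
            entry = decode_pagemap_entry(os.pread(fd, 8, (vaddr // page_size) * 8))
            paddr = virt_to_phys(vaddr, entry, page_size)
            if paddr is not None:
                yield paddr
    finally:
        os.close(fd)


def dump_physical(offsets: List[int], dev_path: str = "/dev/mem",
                  page_size: int = PAGE_SIZE) -> bytes:
    """Read each physical page in offsets from dev_path (assumed /dev/mem or
    /dev/fmem) and concatenate them, in the same order, into one dump."""
    fd = os.open(dev_path, os.O_RDONLY)
    try:
        return b"".join(os.pread(fd, page_size, paddr) for paddr in offsets)
    finally:
        os.close(fd)


def surviving_page_fraction(before: bytes, after: bytes, page_size: int = PAGE_SIZE) -> float:
    """Fraction of pages whose bytes are identical in two dumps of the same offsets
    (step 3 vs. step 6). With the freed pages sanitized this should approach 0;
    with small buffers it is also lowered by ordinary page reuse, as noted above."""
    pages = min(len(before), len(after)) // page_size
    if pages == 0:
        return 0.0
    same = sum(
        1 for i in range(pages)
        if before[i * page_size:(i + 1) * page_size] == after[i * page_size:(i + 1) * page_size]
    )
    return same / pages
```

Usage on a live system: start the test program, call `heap_regions(pid)`, collect `list(physical_pages(pid, region))` as the offsets file, take `dump_physical(offsets, "/dev/fmem")` while the program sleeps and again after it prints END, then compare the two with `surviving_page_fraction`. Keep the buffer large, as the reply below advises, so that the comparison measures sanitization rather than the speed of page reuse.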

Re: How to check the real work of CONFIG_PAX_MEMORY_SANITIZE=y kernel config option.

Postby PaX Team » Fri Oct 21, 2016 10:13 am

I think the buffer size in your litmus test is too small; chances are that the kernel will have reused those freed process pages by the time you look at them. In other words, you're racing against kernel memory allocations (and thus page reuse), and you should probably use much larger buffers for your testing approach.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: How to check the real work of CONFIG_PAX_MEMORY_SANITIZE=y kernel config option.

Postby BlitzKrieg » Mon Oct 24, 2016 4:11 am

Right after I sent my last message, just in case, I tried using a different buffer size. When it grew to about 1Mb, I found a small proportion of common strings in the dumps, about 10-15%. If I use a buffer of about 10Mb, the common strings are about 70-80%.
Thanks a lot, you have confirmed that I did everything right.
BlitzKrieg
 
Posts: 3
Joined: Thu Oct 20, 2016 4:38 am