drweb + rlimit

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

drweb + rlimit

Postby Klopp » Sun Jun 15, 2003 3:08 pm

Logs:

-----------------
22759a22760,22762
-----------------
Jun 14 17:47:59 map PAX: terminating task: /opt/drweb/drweb(drweb):18538,
uid/euid: 0/0, EIP: 22871B18, ESP: 5E5581BC

Jun 14 17:47:59 map PAX: bytes at EIP: 53 56 8b 54 24 18 52 8b 4c 24 18 51 8b
5c 24 18 53 8b 74 24

Jun 14 17:47:59 map grsec: attempted resource overstep by requesting 4096 for
RLIMIT_CORE against limit 0 by (drweb:18538) UID(0) EUID(0), parent
(bash:10716) UID(0) EUID(0)


But *trace logs of drweb (without grsec) does not contains any rlimit(RLIMIT_CORE ...) calls! Why?
Klopp
 
Posts: 1
Joined: Sun Jun 15, 2003 3:00 pm

Postby spender » Sun Jun 15, 2003 3:39 pm

The coredump is attempted by the kernel if the process is dumpable (eg isn't suid root or a few other things). The application itself doesn't request the coredump.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: drweb + rlimit

Postby PaX Team » Mon Jun 16, 2003 7:01 am

Klopp wrote:Jun 14 17:47:59 map PAX: terminating task: /opt/drweb/drweb(drweb):18538,
uid/euid: 0/0, EIP: 22871B18, ESP: 5E5581BC

Jun 14 17:47:59 map PAX: bytes at EIP: 53 56 8b 54 24 18 52 8b 4c 24 18 51 8b
5c 24 18 53 8b 74 24
this is PaX in action, drweb tried to execute code from non-executable memory. on a first look it seems to be some kind of runtime loaded module using a homegrown loader a'la XFree86 (malloc() vs. mmap()). a temporary solution is chpax -sp /opt/drweb/drweb, otherwise someone should fix drweb itself to use proper file mappings for loading modules.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Return to grsecurity support