GRSec and Virtualbox kernel modules "X86_EFLAGS_AC"

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team

Postby aurelf » Wed Dec 28, 2016 7:53 pm

Hi Brad, Paxteam,

I'm having trouble running virtualbox on a Gentoo hardened with kernel 4.8.15-hardened. It's been like that for a few versions, see BUG log below.
It seems that this problem was discussed on the virtualbox page:
https://www.virtualbox.org/ticket/16236

The issue seems to be triggered by a BUG_ON(flags & X86_EFLAGS_AC) in native_save_fl (arch/x86/include/asm/irqflags.h).

I understand that vbox kernel modules are not great, but this is a Desktop computer I'm trying to make a bit hardened and I need virtualbox there (which is working fine with gentoo-sources).

Is there any quick fix or workaround possible? Or is the problem more complicated?

Best regards,
Aurélien

[ 435.652136] ------------[ cut here ]------------
[ 435.652171] kernel BUG at ./arch/x86/include/asm/irqflags.h:26!
[ 435.652203] PAX: overwritten function pointer or return address detected: 0000 [#1] SMP
[ 435.652245] Modules linked in: rfcomm xfrm_user xfrm_algo br_netfilter bridge stp llc bnep vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O)
dm_zero dm_thin_pool dm_persistent_data dm_bio_prison dm_round_robin dm_multipath dm_flakey dm_delay virtio_pci virtio_scsi virtio_blk virtio_console
virtio_balloon iscsi_tcp libiscsi_tcp libiscsi ixgb ixgbe samsung_sxgbe tulip cxgb3 cxgb mdio cxgb4 vxge vmxnet3 virtio_net virtio_ring virtio tg3
libphy sky2 r8169 pcnet32 igb hwmon e1000 bnx2 atl1c jfs multipath linear raid10 raid1 raid0 dm_raid raid456 async_raid6_recov async_memcpy async_pq
async_xor async_tx dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log firewire_sbp2 firewire_ohci firewire_core hid_sunplus hid_sony hid_samsung
hid_pl hid_petalynx hid_gyration sl811_hcd ohci_pci ohci_hcd uhci_hcd ehci_pci
[ 435.652767] ehci_hcd mpt3sas raid_class aic94xx libsas lpfc qla2xxx scsi_transport_fc megaraid_sas megaraid_mbox megaraid_mm megaraid aacraid sx8
DAC960 hpsa scsi_transport_sas cciss 3w_9xxx 3w_xxxx atp870u dc395x qla1280 dmx3191d sym53c8xx gdth initio BusLogic arcmsr aic7xxx aic79xx
scsi_transport_spi sg sata_inic162x ata_piix sata_sil24 pata_cypress pata_mpiix mmc_block usb_storage btusb btrtl btbcm btintel bluetooth mousedev
rtsx_pci_sdmmc mmc_core arc4 snd_hda_codec_hdmi snd_hda_codec_generic x86_pkg_temp_thermal psmouse ahci libahci libata iwlmvm mac80211 e1000e ptp
pps_core snd_hda_intel iwlwifi snd_hda_codec rtsx_pci snd_hda_core mfd_core cfg80211 snd_pcm rfkill snd_timer xhci_pci snd xhci_hcd soundcore elan_i2c
evdev battery fujitsu_laptop acpi_pad ac acpi_cpufreq processor
[ 435.653285] CPU: 1 PID: 9029 Comm: VirtualBox Tainted: G O 4.8.15-hardened #12
[ 435.653328] Hardware name: FUJITSU LIFEBOOK U745/FJNB286, BIOS Version 1.10 04/10/2015
[ 435.653368] task: ffff88005298ed40 task.stack: ffff880110ea4000
[ 435.653402] RIP: 0010:[<ffffffff811af125>] [<ffffffff811af125>] __kmalloc+0x64/0xf4
[ 435.653450] RSP: 0018:ffff880110ea7d78 EFLAGS: 00050206
[ 435.653480] RAX: 0000000007ffffff RBX: 0000000000000000 RCX: 0000000000000000
[ 435.653520] RDX: ffff880110ea7e08 RSI: 0000000000000000 RDI: ffff88033f800240
[ 435.653560] RBP: ffff88033f800240 R08: 0000000000000003 R09: 0000000000000010
[ 435.653599] R10: ffff880110ea7e08 R11: 0000000000000246 R12: 00000000024002c0
[ 435.653639] R13: 0000000000040282 R14: 0000000000000000 R15: 00000000024002c0
[ 435.653679] FS: 000078eae1a53740(0000) GS:ffff88034dc40000(0000) knlGS:0000000000000000
[ 435.653724] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 435.653756] CR2: 000078eae080fe60 CR3: 00000000516ae000 CR4: 00000000003606f0
[ 435.653796] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 435.653835] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 435.653873] Stack:
[ 435.653886] 0000000000000000 ffff880110ea7df0 0000000000000038 0000000000000048
[ 435.653935] ffffffffa0f0dc56 ffff880110ea7e08 0000000000040286 0000000000000048
[ 435.653983] ffff880110ea7e28 00000000c0385681 ffff880110ea7e08 0000000000000038
[ 435.654031] Call Trace:
[ 435.654056] [<ffffffffa0f0dc56>] ? rtR0MemAllocEx+0x1b9/0x2f8 [vboxdrv]
[ 435.654098] [<ffffffffa0f0bbda>] ? VBoxHost_RTMemAllocTag+0x10/0x2f [vboxdrv]
[ 435.654143] [<ffffffffa0f0bbda>] ? VBoxHost_RTMemAllocTag+0x10/0x2f [vboxdrv]
[ 435.654186] [<ffffffffa0efd4c5>] ? SUPR0Printf+0x191/0x28c [vboxdrv]
[ 435.654224] [<ffffffff811d8227>] ? vfs_ioctl+0x20/0x39
[ 435.654254] [<ffffffff811d8915>] ? do_vfs_ioctl+0x5e1/0x864
[ 435.654288] [<ffffffff811c5ea8>] ? vfs_read+0x18c/0x226
[ 435.654319] [<ffffffff811d8bd0>] ? sys_ioctl+0x38/0x5c
[ 435.654351] [<ffffffff81962423>] ? entry_SYSCALL_64_fastpath+0x17/0x97
[ 435.654388] Code: 00 10 00 44 85 e0 75 06 f6 47 23 04 74 08 e8 fa f1 00 00 48 89 c5 48 85 ed 0f 84 88 00 00 00 9c 41 5d 41 f7 c5 00 00 04 00 74 02
<0f> 0b fa 48 8b 45 00 65 48 03 05 d4 9f e5 7e 8b 10 85 d2 74 12
[ 435.654608] RIP [<ffffffff811af125>] __kmalloc+0x64/0xf4
[ 435.654642] RSP <ffff880110ea7d78>
[ 435.663605] ---[ end trace bfb735fe421ef9f2 ]---
aurelf
 
Posts: 4
Joined: Thu Jan 14, 2016 8:27 pm
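
A triage sketch for the oops in the post above, added here as an example and not code from the thread, from grsecurity or from VirtualBox: it decodes the EFLAGS value and the register dump to confirm that X86_EFLAGS_AC (bit 18, 0x40000) was set when the BUG_ON trapped. The function names are assumptions; the sample lines are copied from the log above.

```python
import re

# Architectural x86 EFLAGS bit positions.
EFLAGS_BITS = {0: "CF", 2: "PF", 4: "AF", 6: "ZF", 7: "SF", 8: "TF", 9: "IF",
               10: "DF", 11: "OF", 14: "NT", 16: "RF", 17: "VM", 18: "AC",
               19: "VIF", 20: "VIP", 21: "ID"}
X86_EFLAGS_AC = 1 << 18  # 0x40000, the bit tested by the BUG_ON

# Lines copied from the oops posted above (Code: line shortened to its tail).
OOPS = """\
[ 435.653450] RSP: 0018:ffff880110ea7d78 EFLAGS: 00050206
[ 435.653599] R10: ffff880110ea7e08 R11: 0000000000000246 R12: 00000000024002c0
[ 435.653639] R13: 0000000000040282 R14: 0000000000000000 R15: 00000000024002c0
[ 435.654388] Code: 9c 41 5d 41 f7 c5 00 00 04 00 74 02
<0f> 0b fa 48 8b 45 00 65 48 03 05 d4 9f e5 7e 8b 10 85 d2 74 12
"""

def decode_eflags(value):
    """Return the names of the flag bits set in an EFLAGS value."""
    return [name for bit, name in sorted(EFLAGS_BITS.items()) if value >> bit & 1]

def looks_like_saved_flags(value):
    """Heuristic: fits in the defined EFLAGS bits and has always-one bit 1 set."""
    return value < (1 << 22) and bool(value & 2)

def triage(oops):
    """Summarise whether the oops is the AC consistency check firing."""
    report = {"eflags": None, "flags": [], "ac_at_trap": False}
    m = re.search(r"EFLAGS:\s*([0-9a-fA-F]+)", oops)
    if m:
        report["eflags"] = int(m.group(1), 16)
        report["flags"] = decode_eflags(report["eflags"])
        report["ac_at_trap"] = bool(report["eflags"] & X86_EFLAGS_AC)
    # The faulting opcode is bracketed in the Code: bytes; 0f 0b is ud2 (BUG).
    m = re.search(r"<([0-9a-f]{2})>\s+([0-9a-f]{2})", oops)
    report["trapped_on_ud2"] = bool(m and m.groups() == ("0f", "0b"))
    # Registers holding a flags-shaped value with AC set. In this log the
    # preceding bytes 9c 41 5d are pushf; pop %r13, so R13 is the saved flags.
    regs = re.findall(r"\b(R[A-Z0-9]{1,2}):\s*([0-9a-f]{16})\b", oops)
    report["saved_flags_with_ac"] = [
        name for name, hexval in regs
        if looks_like_saved_flags(int(hexval, 16))
        and int(hexval, 16) & X86_EFLAGS_AC]
    return report

if __name__ == "__main__":
    for key, val in triage(OOPS).items():
        print(f"{key}: {val}")
```
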

Re: GRSec and Virtualbox kernel modules "X86_EFLAGS_AC"

Postby PaX Team » Wed Dec 28, 2016 8:38 pm

as frank explained it briefly at https://www.virtualbox.org/ticket/16236#comment:5, this is a problem with vbox and your only option is to remove these consistency checks i added (the other one that'll probably bite you is in native_restore_fl). in the next grsec patch spender will put these under the config option we have for vbox already.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: GRSec and Virtualbox kernel modules "X86_EFLAGS_AC"

Postby spender » Fri Dec 30, 2016 9:11 pm

The latest patch should resolve this, but you should look into using some other virtualization technology than VirtualBox if possible. VirtualBox on the host precludes you from using KERNEXEC, UDEREF, and RANDKSTACK to protect the host's kernel.

-Brad
spender
 
Posts: 2175
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: GRSec and Virtualbox kernel modules "X86_EFLAGS_AC"

Postby aurelf » Sat Dec 31, 2016 2:10 pm

Great, thanks for the responses and the advice.
I'll think of migrating to KVM or VMware. Are both equally supported in GRSec?

Aurélien

Re: GRSec and Virtualbox kernel modules "X86_EFLAGS_AC"

Postby sarahs » Wed Feb 15, 2017 1:11 pm

Hello @paxteam & @spender

I am running gentoo hardened (4.9.9) and I still have the same problem as described above.

You've mentioned 'in the next grsec patch spender will put these under the config option we have for vbox already.' but I don't see any options related to VirtualBox when running 'make menuconfig' under grsecurity-menu. Can you help here please?
sarahs
 
Posts: 3
Joined: Wed Feb 15, 2017 1:07 pm

Re: GRSec and Virtualbox kernel modules "X86_EFLAGS_AC"

Postby spender » Wed Feb 15, 2017 7:50 pm

When you're in the grsecurity config menu, for Configuration Method, choose "Automatic", this will give you some additional options. For Virtualization Type, choose "Host" and then for Virtualization Software, choose "VirtualBox". You can then make any other configuration changes you want via the "Customize Configuration" at the bottom, but making the two selections I mentioned is what will ensure VirtualBox doesn't run into this problem.

-Brad

Re: GRSec and Virtualbox kernel modules "X86_EFLAGS_AC"

Postby sarahs » Thu Feb 16, 2017 4:38 am

@spender, thanks a lot! I will give it a try and let you know.

Re: GRSec and Virtualbox kernel modules "X86_EFLAGS_AC"

Postby sarahs » Thu Feb 16, 2017 5:34 am

spender wrote: When you're in the grsecurity config menu, for Configuration Method, choose "Automatic", this will give you some additional options. For Virtualization Type, choose "Host" and then for Virtualization Software, choose "VirtualBox". You can then make any other configuration changes you want via the "Customize Configuration" at the bottom, but making the two selections I mentioned is what will ensure VirtualBox doesn't run into this problem.

-Brad


@spender, thanks a lot. This indeed worked for me!

