grsec guest locks up

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

grsec guest locks up

Postby osea » Thu Jan 12, 2017 12:31 pm

Only with grsec kernels I get this crash and the guest locks up after boot. Tell me what else you need to know.

OS: KVM Debian guest x86 kernel


Code: Select all
Jan 10 19:50:58 host kernel: [   44.080096] ------------[ cut here ]------------
Jan 10 19:50:58 host kernel: [   44.080096] kernel BUG at mm/memory.c:2210!
Jan 10 19:50:58 host kernel: [   44.080096] invalid opcode: 0000 [#1] SMP
Jan 10 19:50:58 host kernel: [   44.080096] Modules linked in: dm_crypt dm_mod xts gf128mul algif_skcipher af_alg cfg80211 loop uinput 9p fscache snd_hda_codec_generic qxl snd_hda_intel drm_kms_helper syscopyarea sysfillrect snd_hda_codec sysimgblt snd_hwdep fb_sys_fops ttm snd_hda_core ppdev snd_pcm 9pnet_virtio joydev snd_timer parport_pc evdev virtio_console drm 9pnet acpi_cpufreq parport snd serio_raw tpm_tis virtio_rng i2c_piix4 tpm_tis_core soundcore pcspkr virtio_balloon tpm rng_core i2c_core button fuse autofs4 ext4 crc16 jbd2 mbcache ata_generic ata_piix libata hid_generic usbhid hid virtio_net virtio_blk uhci_hcd ehci_hcd usbcore usb_common psmouse scsi_mod virtio_pci virtio_ring floppy virtio
Jan 10 19:50:58 host kernel: [   44.080096] CPU: 3 PID: 2247 Comm: kdeinit4 Tainted: G S      W       4.8.17-grsec #1
Jan 10 19:50:58 host kernel: [   44.080096] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1 04/01/2014
Jan 10 19:50:58 host kernel: [   44.080096] task: f570c740 task.stack: f521c000
Jan 10 19:50:58 host kernel: [   44.080096] EIP: 0060:[<0012f9a0>] EFLAGS: 00010246 CPU: 3
Jan 10 19:50:58 host kernel: [   44.080096] EAX: 31040048 EBX: f6d7978c ECX: f591e180 EDX: ffffff02
Jan 10 19:50:58 host kernel: [   44.080096] ESI: 00000000 EDI: 4da5fbc0 EBP: f669cae0 ESP: f521de90
Jan 10 19:50:58 host kernel: [   44.080096]  DS: 0068 ES: 0068 FS: 00d8 GS: 007b SS: 0068
Jan 10 19:50:58 host kernel: [   44.080096] CR0: 80050033 CR2: 4da5fbc0 CR3: 358b6000 CR4: 000006d0
Jan 10 19:50:58 host kernel: [   44.080096] Stack:
Jan 10 19:50:58 host kernel: [   44.080096]  00000001 f5b4d200 f55204e0 f669cae0 001670e0 f6d7978c 00000000 3398b067
Jan 10 19:50:58 host kernel: [   44.080096]  f521df1c f6d7978c f669cae0 0013394a f6c9edc0 00000001 f6448800 f6c9edc0
Jan 10 19:50:58 host kernel: [   44.080096]  4da5f000 f6d7978c f6d7978c fff7c000 f398c000 00000200 001346c1 f521df10
Jan 10 19:50:58 host kernel: [   44.080096] Call Trace:
Jan 10 19:50:58 host kernel: [   44.080096]  [<001670e0>] ? mem_cgroup_commit_charge+0x60/0xe0
Jan 10 19:50:58 host kernel: [   44.080096]  [<0013394a>] ? alloc_set_pte+0x3ba/0x4c0
Jan 10 19:50:58 host kernel: [   44.080096]  [<001346c1>] ? handle_mm_fault+0xc71/0x14e0
Jan 10 19:50:58 host kernel: [   44.080096]  [<00046af7>] ? __do_page_fault+0x437/0x770
Jan 10 19:50:58 host kernel: [   44.080096]  [<00046e30>] ? __do_page_fault+0x770/0x770
Jan 10 19:50:58 host kernel: [   44.080096]  [<005069a2>] ? error_code+0x42/0x50
Jan 10 19:50:58 host kernel: [   44.080096]  [<00010216>] ? p4_hw_config+0x36/0x2d0
Jan 10 19:50:58 host kernel: [   44.080096] Code: ff ff 83 c4 1c b0 01 5b 5e 5f 5d c3 8d b4 26 00 00 00 00 0f 0b 8d b6 00 00 00 00 83 c4 1c 31 c0 5b 5e 5f 5d c3 8d b6 00 00 00 00 <0f> 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 83 ec 14 89 5c
Jan 10 19:50:58 host kernel: [   44.080096] EIP: [<0012f9a0>] pax_mirror_anon_pte+0x200/0x210 SS:ESP 0068:f521de90
Jan 10 19:50:58 host kernel: [   44.080096] ---[ end trace 532dc64717fd0a3d ]---
Jan 10 19:50:58 host kernel: [   44.080096] grsec: banning user with uid 1000 until system restart for suspicious kernel crash
osea
 
Posts: 21
Joined: Thu Oct 27, 2016 3:17 pm

Re: grsec guest locks up

Postby PaX Team » Thu Jan 12, 2017 3:27 pm

can you enable frame pointers and post a new backtrace please? as a sidenote, why are you using SEGMEXEC instead of PAGEEXEC?

edit: can you also enable CONFIG_DEBUG_VM?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grsec guest locks up

Postby osea » Thu Jan 12, 2017 9:13 pm

Enabled everything requested. Hope this helps.

I can't recall turning on SEGMEXEC. Must be the doing of the auto wizard. Unset it this time.


Code: Select all
Jan 13 00:59:59 host kernel: [   51.908254] ------------[ cut here ]------------
Jan 13 00:59:59 host kernel: [   51.908254] kernel BUG at mm/memory.c:2210!
Jan 13 00:59:59 host kernel: [   51.908254] invalid opcode: 0000 [#1] SMP
Jan 13 00:59:59 host kernel: [   51.908254] Modules linked in: dm_crypt dm_mod xts gf128mul algif_skcipher af_alg cfg80211 loop uinput 9p fscache snd_hda_codec_generic qxl snd_hda_intel snd_hda_codec drm_kms_helper snd_hwdep syscopyarea sysfillrect sysimgblt snd_hda_core ppdev fb_sys_fops snd_pcm 9pnet_virtio joydev snd_timer pcspkr virtio_balloon virtio_rng evdev ttm acpi_cpufreq 9pnet serio_raw virtio_console tpm_tis rng_core snd parport_pc i2c_piix4 tpm_tis_core soundcore drm parport tpm button i2c_core fuse autofs4 ext4 crc16 jbd2 mbcache hid_generic usbhid hid virtio_blk virtio_net ata_generic ata_piix uhci_hcd libata ehci_hcd scsi_mod psmouse virtio_pci usbcore virtio_ring usb_common virtio floppy
Jan 13 00:59:59 host kernel: [   51.908254] CPU: 1 PID: 3204 Comm: zenity Tainted: G S      W       4.8.17-grsec #1
Jan 13 00:59:59 host kernel: [   51.908254] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1 04/01/2014
Jan 13 00:59:59 host kernel: [   51.908254] task: f57038c0 task.stack: e49d6000
Jan 13 00:59:59 host kernel: [   51.908254] EIP: 0060:[<00131b48>] EFLAGS: 00010246 CPU: 1
Jan 13 00:59:59 host kernel: [   51.908254] EAX: 21040048 EBX: 4b1cf884 ECX: e754f7b0 EDX: ffffff02
Jan 13 00:59:59 host kernel: [   51.908254] ESI: 00000000 EDI: f6fb7ca8 EBP: e49d7e00 ESP: e49d7dd8
Jan 13 00:59:59 host kernel: [   51.908254]  DS: 0068 ES: 0068 FS: 00d8 GS: 007b SS: 0068
Jan 13 00:59:59 host kernel: [   51.908254] CR0: 80050033 CR2: 4b1cf884 CR3: 2483e000 CR4: 000006d0
Jan 13 00:59:59 host kernel: [   51.908254] Stack:
Jan 13 00:59:59 host kernel: [   51.908254]  00000000 f6fb7ca8 f6448800 e7662a20 f67f6e00 f6fb7ca8 001140ae 2385a067
Jan 13 00:59:59 host kernel: [   51.908254]  e49d7e6c f6fb7ca8 e49d7e30 00135f93 f6f23b18 f6fb7ca8 f6f23b18 f6448800
Jan 13 00:59:59 host kernel: [   51.908254]  00000001 e4943060 f6fb7ca8 f6fb7ca8 fffa6000 e385b000 e49d7e94 00136d07
Jan 13 00:59:59 host kernel: [   51.908254] Call Trace:
Jan 13 00:59:59 host kernel: [   51.908254]  [<001140ae>] ? lru_cache_add+0x2e/0x70
Jan 13 00:59:59 host kernel: [   51.908254]  [<00135f93>] alloc_set_pte+0x3d3/0x500
Jan 13 00:59:59 host kernel: [   51.908254]  [<00136d07>] handle_mm_fault+0xc47/0x1500
Jan 13 00:59:59 host kernel: [   51.908254]  [<000471a7>] __do_page_fault+0x437/0x780
Jan 13 00:59:59 host kernel: [   51.908254]  [<000474f0>] ? __do_page_fault+0x780/0x780
Jan 13 00:59:59 host kernel: [   51.908254]  [<000474fb>] do_page_fault+0xb/0x10
Jan 13 00:59:59 host kernel: [   51.908254]  [<0050aee2>] error_code+0x42/0x50
Jan 13 00:59:59 host kernel: [   51.908254]  [<00010212>] ? p4_hw_config+0x62/0x2b0
Jan 13 00:59:59 host kernel: [   51.908254]  [<000474f0>] ? __do_page_fault+0x780/0x780
Jan 13 00:59:59 host kernel: [   51.908254]  [<0050a2f7>] ? entry_INT80_32+0x47/0x47
Jan 13 00:59:59 host kernel: [   51.908254]  [<00010246>] ? p4_hw_config+0x96/0x2b0
Jan 13 00:59:59 host kernel: [   51.908254] Code: 18 b0 01 0f 85 48 ff ff ff 83 c4 1c 5b 5e 5f 5d c3 66 90 0f 0b 8d b6 00 00 00 00 83 c4 1c 31 c0 5b 5e 5f 5d c3 8d b6 00 00 00 00 <0f> 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 ba 74 5b 4d c2
Jan 13 00:59:59 host kernel: [   51.908254] EIP: [<00131b48>] pax_mirror_anon_pte+0x1e8/0x210 SS:ESP 0068:e49d7dd8
Jan 13 00:59:59 host kernel: [   51.908254] ---[ end trace 33429574074bbda8 ]---
Jan 13 00:59:59 host kernel: [   51.908254] grsec: banning user with uid 1000 until system restart for suspicious kernel crash
osea
 
Posts: 21
Joined: Thu Oct 27, 2016 3:17 pm

Re: grsec guest locks up

Postby osea » Thu Jan 12, 2017 9:29 pm

I can't recall turning on SEGMEXEC. Must be the doing of the auto wizard. Unset it this time.


Scratch that. My changes got reverted when running make.
osea
 
Posts: 21
Joined: Thu Oct 27, 2016 3:17 pm

Re: grsec guest locks up

Postby PaX Team » Thu Jan 12, 2017 9:38 pm

can you run addr2line on 0x135f93 and 0x136d07 (using the SEGMEXEC vmlinux image)?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grsec guest locks up

Postby osea » Fri Jan 13, 2017 12:54 am

$ addr2line -e vmlinux 0x135f93
/home/user/linux-4.8.17/mm/memory.c:3257

$ addr2line -e vmlinux 0x136d07
/home/user/linux-4.8.17/mm/memory.c:3440
osea
 
Posts: 21
Joined: Thu Oct 27, 2016 3:17 pm

Re: grsec guest locks up

Postby PaX Team » Fri Jan 13, 2017 9:31 pm

can you try the following patch please:
Code: Select all
--- a/mm/memory.c   2017-01-12 21:05:49.231792068 +0100
+++ b/mm/memory.c 2017-01-14 01:21:33.212225342 +0100
@@ -3437,6 +3437,11 @@
                copy_user_highpage(new_page, fault_page, fe->address, vma);
        __SetPageUptodate(new_page);

+#ifdef CONFIG_PAX_SEGMEXEC
+       if (pax_find_mirror_vma(vma))
+               BUG_ON(!trylock_page(new_page));
+#endif
+
        ret |= alloc_set_pte(fe, memcg, new_page);
        if (fe->pte)
                pte_unmap_unlock(fe->pte, fe->ptl);
@@ -3446,6 +3451,12 @@
        } else {
                dax_unlock_mapping_entry(vma->vm_file->f_mapping, pgoff);
        }
+
+#ifdef CONFIG_PAX_SEGMEXEC
+       if (pax_find_mirror_vma(vma))
+               unlock_page(new_page);
+#endif
+
        if (unlikely(ret & (VM_FAULT_ERROR | VM_FAULT_NOPAGE | VM_FAULT_RETRY)))
                goto uncharge_out;
        return ret;
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grsec guest locks up

Postby osea » Sat Jan 14, 2017 4:28 am

$ sudo patch -p1 < ../patch.patch

Code: Select all
patching file mm/memory.c
Hunk #1 FAILED at 3437.
patch unexpectedly ends in middle of line
Hunk #2 FAILED at 3446.
2 out of 2 hunks FAILED -- saving rejects to file mm/memory.c.rej
osea
 
Posts: 21
Joined: Thu Oct 27, 2016 3:17 pm

Re: grsec guest locks up

Postby spender » Sat Jan 14, 2017 8:14 am

Use patch -p1 -l since what you pasted was whitespace-damaged. It will apply cleanly then, I just tested it here.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: grsec guest locks up

Postby osea » Sat Jan 14, 2017 6:43 pm

I got this message. Does it mean it worked? I'll compile the new kernel for testing.

sudo patch -p1 -l < ../patch.patch


patching file mm/memory.c
patch unexpectedly ends in middle of line
Hunk #2 succeeded at 3451 with fuzz 1.
osea
 
Posts: 21
Joined: Thu Oct 27, 2016 3:17 pm

Re: grsec guest locks up

Postby spender » Sat Jan 14, 2017 6:58 pm

You may have pasted the text incorrectly if you're getting the error about the diff ending in the middle of a line.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: grsec guest locks up

Postby osea » Sat Jan 14, 2017 7:29 pm

That was it. Now I get:

(Patch is indented 4 spaces.)
patching file mm/memory.c
osea
 
Posts: 21
Joined: Thu Oct 27, 2016 3:17 pm

Re: grsec guest locks up

Postby osea » Sat Jan 14, 2017 8:23 pm

All good now! Thanks for the support guys.
osea
 
Posts: 21
Joined: Thu Oct 27, 2016 3:17 pm


Return to grsecurity support

cron