
paxctl wirdo: python segfaults when copied

Posted: Thu Feb 16, 2017 4:44 pm
by kolargol
Hi,

For a few days I have been running on patch 4.9.9 (test), and today after a server reboot I started to notice that python segfaults, for example:
Code:
grsec: From XX.XX.XX.XX: Segmentation fault occurred at            (nil) in /usr/bin/python2.7[bash:3388] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3241] uid/euid:0/0 gid/egid:0/0


Running from bash:
Code:
python
Segmentation fault


Note that python was running fine on exactly the same kernel for the last few days. Any idea?

Re: python started to segfault after reboot

Posted: Sun Feb 19, 2017 2:13 pm
by kolargol
OK, I found more details about that, and here is the weird behavior:

Code:
root@xxx:~/gr# paxctl -v ./python2.7
PaX control v0.9
Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <pageexec@freemail.hu>

file ./python2.7 does not have a PT_PAX_FLAGS program header, try conversion
root@xxx:~/gr# ./python2.7 -c 'print "PAX"'
PAX
root@xxx:~/gr# paxctl -cm python2.7
file python2.7 had a PT_GNU_STACK program header, converted
root@xxx:~/gr# paxctl -v ./python2.7
PaX control v0.9
Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [./python2.7]
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
root@xxx:~/gr# ./python2.7 -c 'print "PAX"'
PAX
root@xxx:~/gr# cp python2.7 /usr/bin/python2.7
root@xxx:~/gr# /usr/bin/python2.7 -c 'print "PAX"'
Segmentation fault
root@xxx:~/gr# paxctl -v /usr/bin/python2.7
PaX control v0.9
Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/bin/python2.7]
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled


And in dmesg:
Code:
grsec: From 10.0.100.104: Segmentation fault occurred at            (nil) in /usr/bin/python2.7[bash:4658] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5931] uid/euid:0/0 gid/egid:0/0


Kernel 4.9.10 with the corresponding grsec patch. grsec has almost all options enabled.

When I enable EMUTRAMP:
Code:
- PaX flags: -------xE--- [/usr/bin/python2.7]
        RANDEXEC is disabled
        EMUTRAMP is enabled


python works, but with this error in dmesg:
Code:
grsec: From 10.0.100.104: denied RWX mmap of <anonymous mapping> by /usr/bin/python2.7[python:5260] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5931] uid/euid:0/0 gid/egid:0/0


What is that problem when copying a binary with "-cm" flags? I have not encountered that before.

Re: paxctl wirdo: python segfaults when copied

Posted: Sun Feb 19, 2017 5:38 pm
by PaX Team
do you have the xattr based PaX flag control mechanism enabled in the kernel and on your binaries? are there any xattr flags on the python binaries (both the original and the copy)? other than this, i can't think of a reason why a copy would behave differently.
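
The comparison asked for in the post above covers two flag sources on both the original and the copy. The following is an added example, not code from the thread or from paxctl: it reads the PT_PAX_FLAGS program header and the user.pax.flags xattr for each file. The helper names and the constructed sample ELF bytes are assumptions for illustration; the bit layout follows the PaX definitions in elf.h.

```python
import os
import struct

PT_PAX_FLAGS = 0x65041580   # PT_LOOS + 0x5041580
LETTERS = "PpSsMmXxEeRr"    # paxctl display order; letter n is bit n+4 of p_flags

def pax_flags_from_elf(data):
    """Return a paxctl-style flag string, or None without a PT_PAX_FLAGS header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS
    end = "<" if data[5] == 1 else ">"       # EI_DATA
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        entsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        entsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(phnum):
        off = phoff + i * entsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_PAX_FLAGS:
            # p_flags sits at offset 4 in Elf64_Phdr and offset 24 in Elf32_Phdr
            (fl,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
            return "".join(c if fl >> (n + 4) & 1 else "-" for n, c in enumerate(LETTERS))
    return None

def pax_flags_from_xattr(path):
    """Return the user.pax.flags xattr as text, or None if absent or unsupported."""
    try:
        return os.getxattr(path, "user.pax.flags").decode()
    except (OSError, AttributeError):        # AttributeError: no os.getxattr here
        return None

def compare(original, copy):
    """Map each path to (ELF header flags, xattr flags) for a side-by-side check."""
    report = {}
    for path in (original, copy):
        with open(path, "rb") as f:
            report[path] = (pax_flags_from_elf(f.read()), pax_flags_from_xattr(path))
    return report

def sample_elf(p_flags):
    """Constructed sample: ELF64 little-endian header plus one PT_PAX_FLAGS phdr."""
    ehdr = bytearray(64)
    ehdr[:6] = b"\x7fELF\x02\x01"
    struct.pack_into("<Q", ehdr, 0x20, 64)       # e_phoff
    struct.pack_into("<HH", ehdr, 0x36, 56, 1)   # e_phentsize, e_phnum
    return bytes(ehdr) + struct.pack("<II", PT_PAX_FLAGS, p_flags) + bytes(48)
```

A difference between the two tuples returned by `compare()` for the original and the copy points at the flag source that changed.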

Re: paxctl wirdo: python segfaults when copied

Posted: Mon Feb 20, 2017 5:07 am
by kolargol
I do not use any additional attributes (flags are clean) on that binary. I have also tried gdb, but it gets SIGSEGV with no stack. strace gives some clue:

Code:
strace /usr/bin/python2.7
execve("/usr/bin/python2.7", ["/usr/bin/python2.7"], [/* 12 vars */]) = -1 EINVAL (Invalid argument)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
+++ killed by SIGSEGV +++
Segmentation fault


But I don't know what that "Invalid argument" is and why only in that path...