Option with emulation of trampolines doesn't work!

Postby Mr.Nobody » Mon Oct 13, 2003 6:01 am

Here is a small program:
/* Two nested functions but one trampoline (for passing the address of a nested function) */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void caller (void (*trampoline)(void))
{
    printf("Attempting to call a trampoline...");
    // Jump to our nested function
    trampoline();
}

void do_trampoline (void)
{
    void nested (void)
    {
        printf("succeeded\n");
    }
    // If the trampoline cannot be executed, the next line leads to an error
    caller(nested);
}

int main (int argc, char **argv, char **envp)
{
    int i=0;
    void inner (void) {
        i=1;
    }
    printf("\n\nTesting trampoline:\n\n");
    // First nested function
    do_trampoline();
    // Second nested function - it modifies i
    printf("Before trampoline i=%d\n",i);
    inner();
    printf("After trampoline i=%d\n",i);
    return 0;
}
-----------------------------------------------------------------------------
If ./grsec_trampo:
PaX ...
Killed
If then (enabling trampolines emulation):
chpax -m grsec_trampo
./grsec_trampo
PaX...
Killed
(Again). What is wrong? grsecurity-patch for 2.4.19. Looks like trampolines emulation doesn't work yet?

Sorry for bad English.
Mr.Nobody
 
Posts: 10
Joined: Wed Jul 23, 2003 1:56 am

Re: Option with emulation of trampolines doesn't work!

Postby PaX Team » Mon Oct 13, 2003 12:18 pm

Mr.Nobody wrote: If then (enabling trampolines emulation):
chpax -m grsec_trampo
this disables MPROTECT, you need chpax -E to enable EMUTRAMP on a given binary. note that you must also enable CONFIG_GRKERNSEC_PAX_EMUTRAMP in your kernel .config.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby Mr.Nobody » Wed Oct 15, 2003 6:01 am

Sorry, I made a mistake. :oops: (I checked the option with mprotect() - which works).

Of course I wanted to say (I did):
chpax -E grsec_trampo
./grsec_trampo
PaX ...tra-ta-ta
Killed

(kernel with all grsecurity options on - 2.4.19)
Why doesn't this option work?
Mr.Nobody
 
Posts: 10
Joined: Wed Jul 23, 2003 1:56 am

Postby PaX Team » Wed Oct 15, 2003 12:52 pm

Mr.Nobody wrote: (kernel with all grsecurity options on - 2.4.19)
Why doesn't this option work?
hmm, not sure, i just tested it on 2.4.22 and PaX alone and it worked fine. could you send me your binary (maybe your gcc generated a yet unknown sequence that needs emulation) and also try it with a newer kernel (2.4.22) and grsecurity/PaX?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby Mr.Nobody » Tue Nov 04, 2003 2:50 am

I tried patch-1.9.12 for 2.4.22-kernel and got the same result.
I don't know why but this option doesn't work :cry:
Mr.Nobody
 
Posts: 10
Joined: Wed Jul 23, 2003 1:56 am

Postby PaX Team » Tue Nov 04, 2003 6:52 am

Mr.Nobody wrote: I tried patch-1.9.12 for 2.4.22-kernel and got the same result.
I don't know why but this option doesn't work :cry:
as i suggested above, send me your own compiled binary so that i can take a look (or just post the disassembly of the relevant code).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby PaX Team » Sat Nov 22, 2003 9:18 am

Mr.Nobody wrote: I tried patch-1.9.12 for 2.4.22-kernel and got the same result.
I don't know why but this option doesn't work :cry:
check out the next release of grsec (or CVS), i added emulation for a few more sequences that i ran into with newer gcc versions.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
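
An added illustration (not part of the thread and not the PaX kernel code) of why an "unknown sequence" gets the task killed: trampoline emulation can only act on instruction sequences it recognises at the faulting address. The function name, the sample bytes and the choice of the two i386 forms (`mov $imm32,%ecx; jmp rel32` and `mov $imm32,%ecx; mov $imm32,%eax; jmp *%eax`) are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

struct tramp_regs { uint32_t ecx, eax, eip; };

static uint32_t le32(const uint8_t *p)   /* little-endian imm32 / rel32 */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Illustrative user-space matcher, not PaX code; the byte patterns are assumed
 * to be the two i386 gcc trampoline forms. code/len: bytes at faulting address
 * pc. Returns the form matched (1 or 2) and fills *r, or 0 if unrecognised. */
int match_trampoline(const uint8_t *code, size_t len, uint32_t pc,
                     struct tramp_regs *r)
{
    /* Form 1: mov $imm32,%ecx ; mov $imm32,%eax ; jmp *%eax */
    if (len >= 12 && code[0] == 0xB9 && code[5] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) {
        r->ecx = le32(code + 1);            /* static chain pointer */
        r->eax = r->eip = le32(code + 6);   /* absolute target */
        return 1;
    }
    /* Form 2: mov $imm32,%ecx ; jmp rel32 (relative to the next insn) */
    if (len >= 10 && code[0] == 0xB9 && code[5] == 0xE9) {
        r->ecx = le32(code + 1);
        r->eip = pc + 10 + le32(code + 6);  /* wraps modulo 2^32 */
        return 2;
    }
    return 0;   /* nothing to emulate: the execution fault stands */
}

/* Constructed samples: trampoline at 0xBFFFF000, static chain 0xBFFFF100,
 * nested function at 0x08048400. */
const uint8_t SAMPLE_ABS[] = { 0xB9,0x00,0xF1,0xFF,0xBF, 0xB8,0x00,0x84,0x04,0x08, 0xFF,0xE0 };
const uint8_t SAMPLE_REL[] = { 0xB9,0x00,0xF1,0xFF,0xBF, 0xE9,0xF6,0x93,0x04,0x48 };
/* Same shape as form 2 but loading %edx (0xBA): not in the known list. */
const uint8_t SAMPLE_UNKNOWN[] = { 0xBA,0x00,0xF1,0xFF,0xBF, 0xE9,0xF6,0x93,0x04,0x48 };

int main(void)
{
    struct tramp_regs r = { 0, 0, 0 };
    int form = match_trampoline(SAMPLE_REL, sizeof SAMPLE_REL, 0xBFFFF000u, &r);
    printf("form %d: ecx=0x%08x eip=0x%08x\n", form, (unsigned)r.ecx, (unsigned)r.eip);
    form = match_trampoline(SAMPLE_UNKNOWN, sizeof SAMPLE_UNKNOWN, 0xBFFFF000u, &r);
    printf("form %d (0 = unknown sequence, no emulation)\n", form);
    return 0;
}
```

A compiler that emits even a one-register variation falls through to the final `return 0`, which is the situation that sending the binary or its disassembly would reveal.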

Postby Mr.Nobody » Wed Nov 26, 2003 7:21 am

I checked the last release of grsec (grsecurity-2.0-rc3-2.4.22.patch) and got the same result - absolutely the same as it was before.
Mr.Nobody
 
Posts: 10
Joined: Wed Jul 23, 2003 1:56 am

Postby PaX Team » Thu Nov 27, 2003 5:58 am

Mr.Nobody wrote: I checked the last release of grsec (grsecurity-2.0-rc3-2.4.22.patch) and got the same result - absolutely the same as it was before.
rc3 was released back in september, it could hardly have my recent changes ;-), that's why i said CVS or 'next' release, the latter is (for now) in http://www.grsecurity.net/~spender/, give that one a try (or alternatively, the latest PaX patch released a few days ago).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby Mr.Nobody » Fri Nov 28, 2003 9:02 am

I also checked grsecurity-2.0-rc4-2.4.22.patch (the latter, as you said) and after twelve boots and twelve "Kernel panic" messages (in various configs of GRSecurity including minimal - with only emulating trampolines) I have come to the conclusion that this option is too flawed for now. Waiting for a more stable release - I have no time for determination of what is wrong - sorry - I only can say that it doesn't work yet.

Sorry for my English
Mr.Nobody
 
Posts: 10
Joined: Wed Jul 23, 2003 1:56 am

Postby spender » Fri Nov 28, 2003 9:38 am

Those were pre-release versions. The bug you talk about was unrelated to PaX and has been fixed in CVS.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby PaX Team » Fri Nov 28, 2003 2:04 pm

Mr.Nobody wrote: Waiting for a more stable release - I have no time for determination of what is wrong - sorry - I only can say that it doesn't work yet.
you can try the latest PaX patch then and/or send me your test binaries as i had requested it a while ago.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

