grsecurity forums

[g00]

I know this has been discussed, but I still cannot get any love from java. Perhaps this should be in a FAQ or something. I've tried everything I could read in this forum. I am using grsec for kernel 2.4.23 and JDK-1.4.2. Here is my kernel conf:

--- BEGIN KERNEL CONF ---
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
# CONFIG_GRKERNSEC_PAX_NOEXEC is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
#CONFIG_GRKERNSEC_PAX_RANDUSTACK is not set
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# ACL options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
# CONFIG_GRKERNSEC_PROC_ADD is not set
# CONFIG_GRKERNSEC_LINK is not set
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
# CONFIG_GRKERNSEC_CHROOT_CHMOD is not set
# CONFIG_GRKERNSEC_CHROOT_FCHDIR is not set
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
# CONFIG_GRKERNSEC_CHROOT_SHMAT is not set
CONFIG_GRKERNSEC_CHROOT_UNIX=y
# CONFIG_GRKERNSEC_CHROOT_FINDTASK is not set
# CONFIG_GRKERNSEC_CHROOT_NICE is not set
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=1007
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_GID=1005

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002

#
# Sysctl support

#
CONFIG_GRKERNSEC_SYSCTL=y

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
--- END KERNEL CONF ---

And I've tried all the chpax options on /usr/java/j2sdk1.4.2_01/bin/java, but I just get this:

--- BEGIN JAVA UGLINESS ---
An unexpected exception has been detected in native code outside the VM.
Unexpected Signal : 11 occurred at PC=0x0
Function=[Unknown.]
Library=(N/A)

NOTE: We are unable to locate the function name symbol for the error
just occurred. Please refer to release documentation for possible
reason and solutions.


Current Java thread:

Dynamic libraries:
08048000-0804e000 r-xp 00000000 08:05 702664 /usr/java/j2sdk1.4.2_01/bin/java
0804e000-0804f000 rw-p 00005000 08:05 702664 /usr/java/j2sdk1.4.2_01/bin/java
40000000-40015000 r-xp 00000000 08:03 354219 /lib/ld-2.3.2.so
40015000-40016000 rw-p 00015000 08:03 354219 /lib/ld-2.3.2.so
40016000-4001e000 r-xp 00000000 08:05 1257969 /usr/java/j2sdk1.4.2_01/jre/lib/i386/native_threads/libhpi.so
4001e000-4001f000 rw-p 00007000 08:05 1257969 /usr/java/j2sdk1.4.2_01/jre/lib/i386/native_threads/libhpi.so
4001f000-40023000 rw-s 00000000 08:03 129080 /tmp/hsperfdata_root/968
40024000-40031000 r-xp 00000000 08:03 418502 /lib/tls/libpthread-0.60.so
40031000-40032000 rw-p 0000c000 08:03 418502 /lib/tls/libpthread-0.60.so
40035000-40037000 r-xp 00000000 08:03 354128 /lib/libdl-2.3.2.so
40037000-40038000 rw-p 00001000 08:03 354128 /lib/libdl-2.3.2.so
40038000-4016a000 r-xp 00000000 08:03 418732 /lib/tls/libc-2.3.2.so
4016a000-4016e000 rw-p 00131000 08:03 418732 /lib/tls/libc-2.3.2.so
40171000-4056b000 r-xp 00000000 08:05 327572 /usr/java/j2sdk1.4.2_01/jre/lib/i386/client/libjvm.so
4056b000-40587000 rw-p 003f9000 08:05 327572 /usr/java/j2sdk1.4.2_01/jre/lib/i386/client/libjvm.so
40599000-405ab000 r-xp 00000000 08:03 354132 /lib/libnsl-2.3.2.so
405ab000-405ac000 rw-p 00011000 08:03 354132 /lib/libnsl-2.3.2.so
405ae000-405cf000 r-xp 00000000 08:03 418500 /lib/tls/libm-2.3.2.so
405cf000-405d0000 rw-p 00020000 08:03 418500 /lib/tls/libm-2.3.2.so
405de000-405e9000 r-xp 00000000 08:03 354148 /lib/libnss_files-2.3.2.so
405e9000-405ea000 rw-p 0000a000 08:03 354148 /lib/libnss_files-2.3.2.so
405ea000-405fa000 r-xp 00000000 08:05 327597 /usr/java/j2sdk1.4.2_01/jre/lib/i386/libverify.so
405fa000-405fc000 rw-p 0000f000 08:05 327597 /usr/java/j2sdk1.4.2_01/jre/lib/i386/libverify.so
405fc000-4061c000 r-xp 00000000 08:05 327583 /usr/java/j2sdk1.4.2_01/jre/lib/i386/libjava.so
4061c000-4061e000 rw-p 0001f000 08:05 327583 /usr/java/j2sdk1.4.2_01/jre/lib/i386/libjava.so
4061e000-40632000 r-xp 00000000 08:05 327598 /usr/java/j2sdk1.4.2_01/jre/lib/i386/libzip.so
40632000-40635000 rw-p 00013000 08:05 327598 /usr/java/j2sdk1.4.2_01/jre/lib/i386/libzip.so
40635000-41fcd000 r--s 00000000 08:05 1666003 /usr/java/j2sdk1.4.2_01/jre/lib/rt.jar
42017000-4202d000 r--s 00000000 08:05 1666002 /usr/java/j2sdk1.4.2_01/jre/lib/sunrsasign.jar
4202d000-42108000 r--s 00000000 08:05 1666001 /usr/java/j2sdk1.4.2_01/jre/lib/jsse.jar
42108000-42119000 r--s 00000000 08:05 1665993 /usr/java/j2sdk1.4.2_01/jre/lib/jce.jar
42119000-42672000 r--s 00000000 08:05 1665994 /usr/java/j2sdk1.4.2_01/jre/lib/charsets.jar

Heap at VM Abort:
Heap
def new generation total 576K, used 0K [0x44720000, 0x447c0000, 0x44c00000)
eden space 512K, 0% used [0x44720000, 0x44720048, 0x447a0000)
from space 64K, 0% used [0x447a0000, 0x447a0000, 0x447b0000)
to space 64K, 0% used [0x447b0000, 0x447b0000, 0x447c0000)
tenured generation total 1408K, used 0K [0x44c00000, 0x44d60000, 0x48720000)
the space 1408K, 0% used [0x44c00000, 0x44c00000, 0x44c00200, 0x44d60000)
compacting perm gen total 4096K, used 276K [0x48720000, 0x48b20000, 0x4c720000)
the space 4096K, 6% used [0x48720000, 0x48765070, 0x48765200, 0x48b20000)

Local Time = Sun Dec 21 13:17:08 2003
Elapsed Time = 0
#
# The exception above was detected in native code outside the VM
#
# Java VM: Java HotSpot(TM) Client VM (1.4.2_01-b06 mixed mode)
#
# An error report file has been saved as hs_err_pid968.log.
# Please refer to the file for further information.
#


****************
Another exception has been detected while we were handling last error.
Dumping information about last error:
ERROR REPORT FILE = hs_err_pid968.log
PC = 0x00000000
SIGNAL = 11
FUNCTION NAME = (N/A)
OFFSET = 0xFFFFFFFF
LIBRARY NAME = (N/A)
Please check ERROR REPORT FILE for further information, if there is any.
Good bye.
--- END JAVA UGLINESS ---

Thanks for any help!

[PaX Team]

given that both NOEXEC and randomization were turned off, it's likely not a PaX issue. you could try to strace the JVM (including its threads) and see what it did last.

[g00]

Thanks,
Here's the strace where I think the problem occurs:

--- BEGIN STRACE ---
gettimeofday({1072041587, 404347}, NULL) = 0
mmap2(NULL, 528384, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4c710000
mprotect(0x4c710000, 4096, PROT_NONE) = 0
clone(child_stack=0x4c790b08, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SE
TTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED, parent_tidptr=0x4c790bf8, {entry_number:0, base_addr:
0x4c790bb0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:
1}, child_tidptr=0x4c790bf8) = 1687

An unexpected exception has been detected in native code outside the VM.
futex(0x8097b50, FUTEX_WAIT, 0, NULLUnexpected Signal : 11 occurred at PC=0x0
Function=[Unknown.) = -1 ENOSYS (Function not implemented)
]
Library=(N/A)

futex(0x8097b50, FUTEX_WAIT, 0, NULLNOTE: We are unable to locate the function name symbol for the error
just occurred. Please refer to release documentation for possible
reason and solutions.


) = -1 ENOSYS (Function not implemented)
Current Java thread:

Dynamic libraries:
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
08048000-0804e000 r-xp 00000000 08:05 669989 /usr/java/j2sdk1.4.2/bin/java
0804e000-0804f000 rw-p 00005000 08:05 669989 /usr/java/j2sdk1.4.2/bin/java
40000000-40015000 r-xp 00000000 08:03 354219 /lib/ld-2.3.2.so
futex(0x8097b50, FUTEX_WAIT, 0, NULL40015000-40016000 rw-p 00015000 08:03 354219 /lib/ld-2.3.2.so
40016000-4001e000 r-xp 00000000 08:05 376683 /usr/java/j2sdk1.4.2/jre/lib/i386/native_threads/libhpi.so
) = -1 ENOSYS (Function not implemented)
4001e000-4001f000 rw-p 00007000 08:05 376683 /usr/java/j2sdk1.4.2/jre/lib/i386/native_threads/libhpi.so
4001f000-40023000 rw-s 00000000 08:03 129070 /tmp/hsperfdata_root/1686
40024000-40031000 r-xp 00000000 08:03 418502 /lib/tls/libpthread-0.60.so
futex(0x8097b50, FUTEX_WAIT, 0, NULL40031000-40032000 rw-p 0000c000 08:03 418502 /lib/tls/libpthread-0.60.so
40035000-40037000 r-xp 00000000 08:03 354128 /lib/libdl-2.3.2.so
) = -1 ENOSYS (Function not implemented)
40037000-40038000 rw-p 00001000 08:03 354128 /lib/libdl-2.3.2.so
40038000-4016a000 r-xp 00000000 08:03 418732 /lib/tls/libc-2.3.2.so
4016a000-4016e000 rw-p 00131000 08:03 418732 /lib/tls/libc-2.3.2.so
futex(0x8097b50, FUTEX_WAIT, 0, NULL40171000-40425000 r-xp 00000000 08:05 1535385 /usr/java/j2sdk1.4.2/jre/lib/i
386/client/libjvm.so
40425000-4043e000 rw-p 002b4000 08:05 1535385 /usr/java/j2sdk1.4.2/jre/lib/i386/client/libjvm.so
) = -1 ENOSYS (Function not implemented)
40450000-40462000 r-xp 00000000 08:03 354132 /lib/libnsl-2.3.2.so
40462000-40463000 rw-p 00011000 08:03 354132 /lib/libnsl-2.3.2.so
futex(0x8097b50, FUTEX_WAIT, 0, NULL40465000-4050e000 r-xp 00000000 08:05 636622 /usr/lib/libstdc++.so.5.0.3
4050e000-40513000 rw-p 000a8000 08:05 636622 /usr/lib/libstdc++.so.5.0.3
) = -1 ENOSYS (Function not implemented)
40518000-40539000 r-xp 00000000 08:03 418500 /lib/tls/libm-2.3.2.so
40539000-4053a000 rw-p 00020000 08:03 418500 /lib/tls/libm-2.3.2.so
4053a000-40542000 r-xp 00000000 08:03 354114 /lib/libgcc_s-3.2.3-20030829.so.1
futex(0x8097b50, FUTEX_WAIT, 0, NULL40542000-40543000 rw-p 00007000 08:03 354114 /lib/libgcc_s-3.2.3-20030829.s
o.1
40551000-4055c000 r-xp 00000000 08:03 354148 /lib/libnss_files-2.3.2.so
) = -1 ENOSYS (Function not implemented)
4055c000-4055d000 rw-p 0000a000 08:03 354148 /lib/libnss_files-2.3.2.so
4055d000-4056e000 r-xp 00000000 08:05 996375 /usr/java/j2sdk1.4.2/jre/lib/i386/libverify.so
4056e000-4056f000 rw-p 00011000 08:05 996375 /usr/java/j2sdk1.4.2/jre/lib/i386/libverify.so
futex(0x8097b50, FUTEX_WAIT, 0, NULL4056f000-4058e000 r-xp 00000000 08:05 996369 /usr/java/j2sdk1.4.2/jre/lib/i
386/libjava.so
4058e000-4058f000 rw-p 0001f000 08:05 996369 /usr/java/j2sdk1.4.2/jre/lib/i386/libjava.so
) = -1 ENOSYS (Function not implemented)
4058f000-405a0000 r-xp 00000000 08:05 996819 /usr/java/j2sdk1.4.2/jre/lib/i386/libzip.so
405a0000-405a2000 rw-p 00011000 08:05 996819 /usr/java/j2sdk1.4.2/jre/lib/i386/libzip.so
405a2000-41f3b000 r--s 00000000 08:05 964322 /usr/java/j2sdk1.4.2/jre/lib/rt.jar
futex(0x8097b50, FUTEX_WAIT, 0, NULL41f85000-41f9b000 r--s 00000000 08:05 964316 /usr/java/j2sdk1.4.2/jre/lib/s
unrsasign.jar
41f9b000-42076000 r--s 00000000 08:05 964294 /usr/java/j2sdk1.4.2/jre/lib/jsse.jar
) = -1 ENOSYS (Function not implemented)
42076000-42087000 r--s 00000000 08:05 964304 /usr/java/j2sdk1.4.2/jre/lib/jce.jar
42087000-425e0000 r--s 00000000 08:05 964309 /usr/java/j2sdk1.4.2/jre/lib/charsets.jar
futex(0x8097b50, FUTEX_WAIT, 0, NULL
Heap at VM Abort:
) = -1 ENOSYS (Function not implemented)
Heap
def new generation futex(0x8097b50, FUTEX_WAIT, 0, NULL total 576K, used 0K [0x44690000, 0x44730000, 0x44b70000)
eden) = -1 ENOSYS (Function not implemented)
space 512K, 0% used [0x44690000, 0x44690048, 0x44710000)
fromfutex(0x8097b50, FUTEX_WAIT, 0, NULL space 64K, 0% used [0x44710000, 0x44710000, 0x44720000)
to ) = -1 ENOSYS (Function not implemented)
space 64K, 0% used [0x44720000, 0x44720000, 0x44730000)
tenured generation futex(0x8097b50, FUTEX_WAIT, 0, NULL total 1408K, used 0K [0x44b70000, 0x44cd0000, 0x48690000)
the) = -1 ENOSYS (Function not implemented)
space 1408K, 0% used [0x44b70000, 0x44b70000, 0x44b70200, 0x44cd0000)
compacting perm gen futex(0x8097b50, FUTEX_WAIT, 0, NULL total 4096K, used 276K [0x48690000, 0x48a90000, 0x4c69000
0)
the) = -1 ENOSYS (Function not implemented)
space 4096K, 6% used [0x48690000, 0x486d5070, 0x486d5200, 0x48a90000)

futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
Local Time = Sun Dec 21 16:19:47 2003
futex(0x8097b50, FUTEX_WAIT, 0, NULLElapsed Time = 0
) = -1 ENOSYS (Function not implemented)
#
# The exception above was detected in native code outside the VM
#
futex(0x8097b50, FUTEX_WAIT, 0, NULL# Java VM: Java HotSpot(TM) Client VM (Blackdown-1.4.2-rc1 mixed mode)
#
) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
# An error report file has been saved as hs_err_pid1686.log.
# Please refer to the file for further information.
#
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL

****************
Another exception has been detected while we were handling last error.
Dumping information about last error:
ERROR REPORT FILE = hs_err_pid1686.log
) = -1 ENOSYS (Function not implemented)
PC = 0x00000000
SIGNAL = 11
FUNCTION NAME = (N/A)
futex(0x8097b50, FUTEX_WAIT, 0, NULLOFFSET = 0xFFFFFFFF
LIBRARY NAME = (N/A)
Please check ERROR REPORT FILE for further information, if there is any.
Good bye.
) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
futex(0x8097b50, FUTEX_WAIT, 0, NULL) = -1 ENOSYS (Function not implemented)
--- END STRACE ---


That last line will just go forever if I let it run, BTW.

Thanks for any assistance!

[PaX Team]

ok, i think we have some interesting mixture here to begin with. looks like you're not using a vanilla kernel but something that's been patched with nptl support at least (i see the TLS stuff in the trace), then your glibc (or whoever) tries to use futexes whose support is apparently not even in your kernel... quite messy. so, could you tell me what kernel/distro this is, and more importantly, try grsec with a vanilla kernel? also, you could try your current kernel with LD_ASSUME_KERNEL set to something like 2.2.5 or 2.4.1 and see if java works better.

[g00]

Yes, you are exactly right. I am using Redhat Advanced Server 3, but I am using the vanilla 2.4.23 kernel. I did not think the grsec kernel patch would work with the Redhat source. Maybe there is a NPTL kernel patch for this so my vanilla kernel will be consistent with the RH one? Or is this a bad idea?

[PaX Team]

Yes, you are exactly right. I am using Redhat Advanced Server 3, but I am using the vanilla 2.4.23 kernel. I did not think the grsec kernel patch would work with the Redhat source. Maybe there is a NPTL kernel patch for this so my vanilla kernel will be consistent with the RH one? Or is this a bad idea?

it's probably a bad idea, your best option would be a proper port to the RHAS kernel (which is not a trivial patchwork as it requires some logical changes, at least in PaX). beyond this, isn't there a problem with support if you're not using the RHAS kernel?

[g00]

Forums like this are my support, so as you can see, it works wonderfully We are only running AS3 because it was $50.00 because the machine is hosted at a university. Thanks a lot for your help. I really love the grsecurity software, BTW. I think I will start making part of my standard procedures.