[solved]PAX_ASLR not work in centos7 x64

Community support for paid kernel users

Moderators: spender, PaX Team

[solved]PAX_ASLR not work in centos7 x64

Postby perlish » Sun May 17, 2015 10:09 am

I used kernel-3.14.42_grsec-1.x86_64.rpm in centos7 x64 but it seems that ASLR not work.

paxtest.log
Mode: blackhat
Linux localhost.localdomain 3.14.42-grsec #1 SMP Sun May 17 07:21:20 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 29 quality bits (guessed)
Heap randomisation test (ET_EXEC) : 22 quality bits (guessed)
Heap randomisation test (PIE) : 35 quality bits (guessed)
Main executable randomisation (ET_EXEC) : 29 quality bits (guessed)
Main executable randomisation (PIE) : 29 quality bits (guessed)
Shared library randomisation test : 29 quality bits (guessed)
VDSO randomisation test : 29 quality bits (guessed)
Stack randomisation test (SEGMEXEC) : 35 quality bits (guessed)
Stack randomisation test (PAGEEXEC) : 35 quality bits (guessed)
Arg/env randomisation test (SEGMEXEC) : 39 quality bits (guessed)
Arg/env randomisation test (PAGEEXEC) : 39 quality bits (guessed)
Randomization under memory exhaustion @~0: 29 bits (guessed)
Randomization under memory exhaustion @0 : 29 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Killed
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Killed


I've also chpax the randarg1 for X and R , but it's still guessed.
Image

I've check the config about RAND
[root@localhost paxtest-0.9.13]# grep RAND /boot/config-3.14.42-grsec
CONFIG_ARCH_RANDOM=y
# CONFIG_RANDOMIZE_BASE is not set
CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
CONFIG_NET_TEAM_MODE_RANDOM=m
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_TIMERIOMEM=m
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
# CONFIG_HW_RANDOM_ATMEL is not set
CONFIG_HW_RANDOM_VIA=m
CONFIG_HW_RANDOM_VIRTIO=m
# CONFIG_HW_RANDOM_EXYNOS is not set
CONFIG_HW_RANDOM_TPM=m
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set
# CONFIG_RANDOM32_SELFTEST is not set
Last edited by perlish on Wed Jun 10, 2015 8:44 am, edited 1 time in total.
perlish
 
Posts: 42
Joined: Sun Jan 11, 2004 10:42 pm

Re: PAX_ASLR not work in centos7 x64

Postby spender » Sun May 17, 2015 12:03 pm

The ASLR is working fine there -- that's the expected result. The "guessed" is because given the number of times we perform the test, the result could probabilistically be off by a bit or so.

-Brad
spender
 
Posts: 2184
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: PAX_ASLR not work in centos7 x64

Postby perlish » Sun May 17, 2015 7:27 pm

spender wrote:The ASLR is working fine there -- that's the expected result. The "guessed" is because given the number of times we perform the test, the result could probabilistically be off by a bit or so.

-Brad

Would you like to tell me which test show the ASLR is working fine ?
Thank you very much!
perlish
 
Posts: 42
Joined: Sun Jan 11, 2004 10:42 pm

Re: PAX_ASLR not work in centos7 x64

Postby spender » Sun May 17, 2015 7:40 pm

All of these:

Anonymous mapping randomisation test : 29 quality bits (guessed)
Heap randomisation test (ET_EXEC) : 22 quality bits (guessed)
Heap randomisation test (PIE) : 35 quality bits (guessed)
Main executable randomisation (ET_EXEC) : 29 quality bits (guessed)
Main executable randomisation (PIE) : 29 quality bits (guessed)
Shared library randomisation test : 29 quality bits (guessed)
VDSO randomisation test : 29 quality bits (guessed)
Stack randomisation test (SEGMEXEC) : 35 quality bits (guessed)
Stack randomisation test (PAGEEXEC) : 35 quality bits (guessed)
Arg/env randomisation test (SEGMEXEC) : 39 quality bits (guessed)
Arg/env randomisation test (PAGEEXEC) : 39 quality bits (guessed)
Randomization under memory exhaustion @~0: 29 bits (guessed)
Randomization under memory exhaustion @0 : 29 bits (guessed)


-Brad
spender
 
Posts: 2184
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA


Return to grsecurity paid kernel support