grsec: halting the system due to suspicious kernel crash

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team

Re: grsec: halting the system due to suspicious kernel crash

Postby spender » Mon Dec 29, 2014 9:45 am

Can you try the following patch?

https://grsecurity.net/~spender/kernfs.diff

Thanks,
-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: grsec: halting the system due to suspicious kernel crash

Postby Orfheo » Sun Jan 11, 2015 9:15 am

Sorry for the delay Brad, I've just seen your post.

A fast check with your patch, applied to my current kernel "3.15.10-hardened-r1", seems to work correctly.

Now I can "mkdir -p /sys/fs/cgroup/openrc/acct" without any kernel panic, with grsecurity enabled.

It looks like you did it, Brad, nice job :-)

But let me take the time to test the patch for a couple of days, I'll report when finished, in this thread. I got a warning compiling the kernel, from the lines you added, and I would like to see if any side effect would come up.

Thanks Brad. Appreciated. Orfheo.
Orfheo
 
Posts: 16
Joined: Fri Oct 31, 2014 7:10 am

Re: grsec: halting the system due to suspicious kernel crash

Postby Orfheo » Sun Jan 11, 2015 9:44 am

Not now, I was in a hurry and left the warning in my clipboard on my office workstation.

But, going by memory, the offending line is, of course

ret = kernfs_iop_lookup(dir, dentry, 0);

and the warning is about an integer cast.

It looks like the static function you are calling

static struct dentry *kernfs_iop_lookup()

in the same "dir.c" source, doesn't return an integer, while "ret" IS declared as an "int" in
the "kernfs_iop_mkdir()" function you patched.

Orfheo.
Orfheo
 
Posts: 16
Joined: Fri Oct 31, 2014 7:10 am

Re: grsec: halting the system due to suspicious kernel crash

Postby spender » Sun Jan 11, 2015 10:39 am

Hi,

This should fix that issue, it'll be included in the next patches:
https://grsecurity.net/~spender/kernfs2.diff

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: grsec: halting the system due to suspicious kernel crash

Postby Orfheo » Sun Jan 11, 2015 12:15 pm

Got what you've done Brad. Tyvm for your efforts and patches.

Last questions.

Which "official" kernel version will include your patches?

I'm a hardened-gentoo user, as you already know.
May I hope that my next "world update", in about a month,
will get these fixes applied to my virtual firewall?

You know, I'm just a poor sysadmin and I need this info
for my records ;-)

Orfheo.
Orfheo
 
Posts: 16
Joined: Fri Oct 31, 2014 7:10 am

Re: grsec: halting the system due to suspicious kernel crash

Postby spender » Sun Jan 11, 2015 12:36 pm

This only affects 3.14 and the latest test patch, so assuming gentoo hardened updates within the next month, then it'll include this fix.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: grsec: halting the system due to suspicious kernel crash

Postby Orfheo » Mon Jan 12, 2015 6:51 am

Nope.

Applied the last patch, the kernel systematically crashes at the first
kernfs_iop_mkdir() call, while booting.

But I can confirm the previous version, with the integer
cast warning, works without a glitch, apparently.

I don't understand what is going on here, Brad.

Orfheo.
Orfheo
 
Posts: 16
Joined: Fri Oct 31, 2014 7:10 am

Re: grsec: halting the system due to suspicious kernel crash

Postby Orfheo » Mon Jan 12, 2015 7:22 am

I think I understood what is going on here.

In your last patch, Brad, you are overwriting the "dentry" variable in
the "kernfs_iop_mkdir()" function scope with the "dentry" variable
in the "if(!ret){}" block scope and passing it to the "kernfs_iop_lookup()"
static function, essentially passing an uninitialized variable to the
function. Of course, garbage in, panic out :-)

I tested this small modification of your patch

Code:
        kernfs_put_active(parent);

        if (!ret) {
                struct dentry *dentry_ret = kernfs_iop_lookup(dir, dentry, 0);
                ret = PTR_ERR_OR_ZERO(dentry_ret);
        }

        return ret;


where I changed the block variable "dentry" into "dentry_ret"
and the kernel boots, and works, correctly, as is to be expected from
the previous tests.

Let me know if it looks correct to your eyes Brad.

Orfheo.
Orfheo
 
Posts: 16
Joined: Fri Oct 31, 2014 7:10 am
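
The shadowing problem and the fix described in the post above, as an added userspace C model (not code from the thread or from grsecurity). ERR_PTR, IS_ERR and PTR_ERR_OR_ZERO are simplified stand-ins for the kernel helpers, model_lookup() and model_mkdir() are hypothetical names, and the shadowing line in the comment is reconstructed from the post's description.

```c
/* Added userspace model; not kernel or grsecurity code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095

struct dentry { const char *name; };            /* constructed stand-in */

/* Simplified stand-ins for the kernel's error-pointer helpers. */
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static int PTR_ERR_OR_ZERO(const void *p) { return IS_ERR(p) ? (int)(intptr_t)p : 0; }

/* Hypothetical lookup: NULL on success, an encoded errno on failure. */
static struct dentry *model_lookup(struct dentry *dentry)
{
    if (!dentry || !dentry->name)
        return ERR_PTR(-EINVAL);
    if (dentry->name[0] == '\0')
        return ERR_PTR(-ENOENT);
    return NULL;
}

/*
 * Shadowing form (reconstructed, deliberately not compiled):
 *     struct dentry *dentry = model_lookup(dentry);
 * The new 'dentry' is already in scope inside its own initializer, so the
 * call reads the uninitialized local instead of the function's parameter.
 */
static int model_mkdir(struct dentry *dentry, int ret)
{
    if (!ret) {
        /* Distinct name: the parameter is what reaches the lookup. */
        struct dentry *dentry_ret = model_lookup(dentry);
        ret = PTR_ERR_OR_ZERO(dentry_ret);   /* pointer -> int, explicitly */
    }
    return ret;
}

int main(void)
{
    struct dentry acct = { "acct" }, empty = { "" };   /* constructed inputs */
    printf("acct=%d empty=%d null=%d skipped=%d\n",
           model_mkdir(&acct, 0), model_mkdir(&empty, 0),
           model_mkdir(NULL, 0), model_mkdir(&acct, -EEXIST));
    return 0;
}
```

Building with -Wshadow makes the compiler report an inner declaration that hides a parameter, which is the pattern shown in the comment.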

Re: grsec: halting the system due to suspicious kernel crash

Postby spender » Mon Jan 12, 2015 9:20 am

Hi,

Thanks, fixing it now.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: grsec: halting the system due to suspicious kernel crash

Postby Orfheo » Thu Apr 02, 2015 1:11 pm

It looks like the small patch for this bug has been applied to the gentoo 3.18.9-hardened kernel, fs/kernfs/dir.c:line[833].

May I ask, Brad, if I got it?

Orfheo.
Orfheo
 
Posts: 16
Joined: Fri Oct 31, 2014 7:10 am

Re: grsec: halting the system due to suspicious kernel crash

Postby spender » Thu Apr 02, 2015 5:10 pm

Hi Orfheo,

You got it right, thank you!

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA
