| Summary: | net-analyzer/wireshark-1.4.8: crash in dumpcap | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Alex Efros <powerman-asdf> |
| Component: | Hardened | Assignee: | Peter Volkov (RETIRED) <pva> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | aranea, hardened, netmon, pageexec |
| Priority: | Highest | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | wireshark-cap_dac_read_search.patch | | |
Description
Alex Efros
2011-08-16 11:01:03 UTC
I've tried 1.4.7 and 1.4.6, and they all crash with a similar error. I've enabled CONFIG_EXT3_FS_SECURITY, reinstalled 1.4.8 and got the same error:

2011-08-16_11:44:44.18715 kern.info: dumpcap[22030]: segfault at 4 ip af27cdb6 sp bc555878 error 6 in libc-2.12.2.so[af1ec000+14c000]
2011-08-16_11:44:44.18720 kern.alert: grsec: Segmentation fault occurred at 00000004 in /usr/bin/dumpcap[dumpcap:22030] uid/euid:1000/1000 gid/egid:100/100, parent /usr/bin/wireshark[wireshark:22027] uid/euid:1000/1000 gid/egid:100/100

It also looks like everything works when wireshark is running as root (tried 1.4.6 SUID and 1.4.8 non-SUID with EXT3_FS_SECURITY).

Comment #2

Thank you for the report. Please try upgrading to 1.6.2 and reproducing this problem.

Comment #3

(In reply to comment #2)
> Thank you for the report. Please try upgrading to 1.6.2 and reproducing this problem.

1.6.2 has the same issue:

kern.info: dumpcap[19199]: segfault at 4 ip a79338d2 sp bd8d9dc8 error 6 in libc-2.12.2.so[a78a0000+14f000]
kern.alert: grsec: Segmentation fault occurred at 00000004 in /usr/bin/dumpcap[dumpcap:19199] uid/euid:1000/1000 gid/egid:100/100, parent /usr/bin/wireshark[wireshark:19196] uid/euid:1000/1000 gid/egid:100/100

Installed as SUID. Works OK when running as root. I.e. everything is the same as for the previous versions.

Comment #4

"bruteforce prevention initiated against uid 1000, banning for 15 minutes"

I guess this means some hardened feature kills wireshark, and thus a kernel upgrade could expose this feature, not wireshark. Could you try reinstalling 1.4.7 or 1.4.6 to see if it works (just cp the 1.4.x ebuild and run repoman manifest)?

Comment #5

(In reply to comment #4)
> "bruteforce prevention initiated against uid 1000, banning for 15 minutes"
>
> I guess this means some hardened feature kills wireshark, and thus a kernel upgrade
> could expose this feature, not wireshark. Could you try reinstalling 1.4.7 or
> 1.4.6 to see if it works (just cp the 1.4.x ebuild and run repoman manifest)?

This behavior was triggered by CONFIG_GRKERNSEC_KERN_LOCKOUT. I've disabled it, so now I only get the segfault in dumpcap, without all my user's processes being killed. When dumpcap runs as root, it works fine; the segfault happens only for non-root users. I've already tried 1.4.6 and 1.4.7 without success, see comment #1 above.

Comment #6

Okay, thanks to pageexec's help on the hardened mailing list, I was able to identify this issue:
> #0 0xb749f152 in __readdir64 (dirp=0x0) at ../sysdeps/unix/readdir.c:45
> dp = <optimized out>
> saved_errno = <optimized out>
> #1 0xb759d7ea in scan_sys_class_net (devlistp=0xbfffe488,
> errbuf=0xbfffe4dc "tun0: You don't have permission to capture on that device (socket: Operation not permitted)") at ./pcap-linux.c:1832
> sys_class_net_d = 0x0
Looks like a bug in libpcap-1.1.1-r1:

pcap-linux.c:1816:

```c
sys_class_net_d = opendir("/sys/class/net");
/* Only ENOENT is handled; any other opendir() failure (e.g. EACCES,
 * "Permission denied" under CONFIG_GRKERNSEC_SYSFS_RESTRICT) falls
 * through with sys_class_net_d == NULL. */
if (sys_class_net_d == NULL && errno == ENOENT)
	return (0);
...
for (;;) {
	errno = 0;
	/* readdir(NULL) dereferences the null DIR pointer: the segfault in the backtrace. */
	ent = readdir(sys_class_net_d);
```
The second line, with the `if`, looks just plain wrong. Moreover, as far as I see, in libpcap-1.2.1 they've already fixed this:

pcap-linux.c:1949:

```c
sys_class_net_d = opendir("/sys/class/net");
if (sys_class_net_d == NULL) {
	/* No /sys/class/net at all: treated as nothing found, not as an error. */
	if (errno == ENOENT)
		return (0);
	/* Any other failure is reported instead of continuing with a NULL DIR *. */
	(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
	    "Can't open /sys/class/net: %s", pcap_strerror(errno));
	return (-1);
}
```
So, I'm going to upgrade libpcap to the latest ~x86 version and see whether this really fixes this bug… Okay, here it is:

$ dumpcap
dumpcap: Can't get list of interfaces: Can't open /sys/class/net: Permission denied

So, wireshark still doesn't work on hardened under non-root, but it doesn't crash anymore; that's big progress.
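The two error-handling shapes contrasted in comment #6, as an added example written for this page (it is not libpcap's code and not part of the bug report): a hypothetical scan_net_dir() that, like the 1.2.1 fix, distinguishes a missing directory (ENOENT, returns 0) from every other opendir()/readdir() failure (returns -1 with a message), instead of falling through to readdir(NULL) as 1.1.1 did. It assumes only the POSIX dirent API; ERRBUF_SIZE and scan_errbuf are constructed stand-ins for PCAP_ERRBUF_SIZE and libpcap's errbuf.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 256                 /* constructed, stands in for PCAP_ERRBUF_SIZE */
char scan_errbuf[ERRBUF_SIZE];          /* constructed: where failures are reported */

/* Hypothetical stand-in for libpcap's scan_sys_class_net(): count the entries
 * under `path`.  Returns the number of entries, 0 if the directory does not
 * exist (ENOENT, treated as "nothing found"), or -1 with a message in errbuf
 * for any other opendir()/readdir() failure.  This is the 1.2.1 shape; the
 * 1.1.1 code only tested errno == ENOENT, so EACCES ("Permission denied"
 * under CONFIG_GRKERNSEC_SYSFS_RESTRICT) went on to readdir(NULL) and crashed. */
int scan_net_dir(const char *path, char *errbuf)
{
    DIR *d;
    struct dirent *ent;
    int count = 0;

    errbuf[0] = '\0';
    d = opendir(path);
    if (d == NULL) {
        if (errno == ENOENT)
            return 0;
        (void)snprintf(errbuf, ERRBUF_SIZE, "Can't open %s: %s",
                       path, strerror(errno));
        return -1;                  /* EACCES, ENOTDIR, ...: report, don't crash */
    }
    for (;;) {
        errno = 0;
        ent = readdir(d);
        if (ent == NULL) {
            if (errno != 0) {       /* a readdir() error, not just end of directory */
                (void)snprintf(errbuf, ERRBUF_SIZE, "Can't read %s: %s",
                               path, strerror(errno));
                closedir(d);
                return -1;
            }
            break;
        }
        if (strcmp(ent->d_name, ".") != 0 && strcmp(ent->d_name, "..") != 0)
            count++;
    }
    closedir(d);
    return count;
}
```

Calling scan_net_dir("/sys/class/net", scan_errbuf) on a hardened kernel with SYSFS_RESTRICT enabled returns -1 and leaves "Can't open /sys/class/net: Permission denied" in scan_errbuf, which is the message dumpcap prints after the libpcap upgrade.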
Comment #7

(In reply to comment #6)
> $ dumpcap
> dumpcap: Can't get list of interfaces: Can't open /sys/class/net: Permission
> denied
>
> So, wireshark still doesn't work on hardened under non-root, but it doesn't
> crash anymore; that's big progress.

This one can be worked around by disabling CONFIG_GRKERNSEC_SYSFS_RESTRICT. Also, when this option is disabled, dumpcap won't crash with libpcap-1.1.1-r1.

The next issue was:

$ dumpcap
dumpcap: Can't get list of interfaces: Can't open netlink socket 93:Protocol not supported

This one was solved by enabling CONFIG_NF_CT_NETLINK in the kernel. Actually I think it needs CONFIG_NETFILTER_NETLINK, but to enable that one we have to enable one of three other options, and at a glance none of them has anything to do with dumping packets.

NOW wireshark is able to run as non-root! I'm not sure whether it's better to fix the code to not require these kernel options (I'm pretty sure it's possible to list the available network interfaces without using /sys/class/net and NETLINK), or to add a warning to the ebuild about requiring these kernel options.

Comment #8

I encounter the same problem with wireshark-1.8.1 (useflag +caps): dumpcap fails because it can't read /sys/class/net on my hardened system. As Alex Efros already mentioned, one workaround would be to disable CONFIG_GRKERNSEC_SYSFS_RESTRICT in the kernel. But I found another, more secure workaround: if dumpcap had the capability dac_read_search, it could read the directory. Could you apply the attached ebuild patch to achieve that?

Created attachment 320044: wireshark-cap_dac_read_search.patch

Comment #9

Fixed in 1.6.9-r1 and 1.8.1-r1. Thanks for reporting and for the patch.