Bug 49014 - hardened-dev-sources-2.6.5-r3 hangs on boot
Summary: hardened-dev-sources-2.6.5-r3 hangs on boot
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All All
Importance: High normal
Assignee: Joshua Brindle (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-04-26 01:34 UTC by Jetchko Jekov
Modified: 2004-11-16 14:47 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
kernel config file (config-2.6.5-hardened-r3,21.57 KB, text/plain)
2004-04-26 01:36 UTC, Jetchko Jekov
kernel config for vanilla-2.6.5 + pax-linux-2.6.5-200404281425 (config-vanilla-2.6.5+pax,21.25 KB, text/plain)
2004-04-30 06:39 UTC, Jetchko Jekov

Description Jetchko Jekov 2004-04-26 01:34:25 UTC
h-d-s-2.6.5-r3 hangs on "Freeing unused memory"
compiled with selinux+pax only
if compiled without pax (selinux only) it boots


Portage 2.0.50-r6 (x86, gcc-3.3.3, glibc-2.3.3_pre20040207-r0, 2.6.3-hardened)
=================================================================
System uname: 2.6.3-hardened i686 Pentium II (Deschutes)
Gentoo Base System version 1.4.9
distcc 2.12.1 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium2 -O3 -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium2 -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache loadpolicy sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://gentoo.internet-bg.net/gentoo-portage"
USE="acl berkdb crypt imap innodb maildir mbox mcal memlimit ncurses nls nptl pam pic pie python readline sasl selinux ssl tcpd x86 zlib"


gcc -v
Reading specs from /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs
Configured with: /var/tmp/portage/gcc-3.3.3-r2/work/gcc-3.3.3/configure --prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/3.3 --includedir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/include --datadir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3 --mandir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3/man --infodir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3/info --enable-shared --host=i686-pc-linux-gnu --target=i686-pc-linux-gnu --with-system-zlib --enable-languages=c,c++ --enable-threads=posix --enable-long-long --disable-checking --enable-cstdio=stdio --enable-clocale=generic --enable-__cxa_atexit --enable-version-specific-runtime-libs --with-gxx-include-dir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/include/g++-v3 --with-local-prefix=/usr/local --enable-shared --disable-nls --disable-multilib
Thread model: posix
gcc version 3.3.3 20040217 (Gentoo Hardened Linux 3.3.3-r2, ssp-3.3-7, pie-8.5.3)
Comment 1 Jetchko Jekov 2004-04-26 01:36:16 UTC
Created attachment 30066 [details]
kernel config file
Comment 2 Paper 2004-04-29 15:34:38 UTC
Happened here too. If I compile the kernel with grsecurity but *not* PaX, it runs fine. If I also add PaX, it segfaults when starting init. I see that init segfaults because grsec logs the attempt to core dump (RLIMIT_CORE=0 resource overstep).

Portage 2.0.50-r6 (default-x86-1.4, gcc-3.3.3, glibc-2.3.3_pre20040420-r0, 2.6.5-hardened-r3)
=================================================================
System uname: 2.6.5-hardened-r3 i686 Mobile Intel(R) Pentium(R) 4 - M CPU 2.20GHz
Gentoo Base System version 1.4.10
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.59-r3
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-mcpu=pentium4 -march=pentium4 -O3 -pipe -mmmx -msse -msse2 -mfpmath=sse,387 -fstack-protector -ftracer -momit-leaf-frame-pointer -fprefetch-loop-arrays -frerun-cse-after-loop -frerun-loop-opt -funroll-loops -fforce-addr -falign-functions=4"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /etc/tomcat /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-mcpu=pentium4 -march=pentium4 -O3 -pipe -mmmx -msse -msse2 -mfpmath=sse,387 -fstack-protector -ftracer -momit-leaf-frame-pointer -fprefetch-loop-arrays -frerun-cse-after-loop -frerun-loop-opt -funroll-loops -fforce-addr -falign-functions=4"
DISTDIR="/home/backup/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://gentoo.oregonstate.edu http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/home/backup/portage/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/local/portage-bmg-main /usr/local/portage-bmg-gnome-current"
SYNC="rsync://rsync.asia.gentoo.org/gentoo-portage"
USE="X X509 aalib acl acpi acpi4linux alsa apache2 apm arts avi berkdb bonobo breakme cdr crypt cups curl dga directfb divx dvd encode esd ethereal evo f77 faad fam fbcon firebird flac foomaticdb gcj gd gdbm ggi gif gimpprint ginac gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hardened imap imlib innodb jack jack-caps jack-tmpfs java joystick jpeg junit lcd ldap libg++ libgda libwww lirc mad maildir mbox mikmod mmx motif mozilla moznocompose moznoirc moznomail mpeg mysql ncurses nls nntp nptl nvidia odbc oggvorbis opengl oss pam pax pcmcia pda pdflib perl pic pie plotutils png pnp postgres ppds prelude python qhull qt qtmt quicktime readline samba scanner sdl skey slang slp snmp socks5 speex spell sse ssl svga tcltk tcpd tetex tiff transcode truetype trusted usb wmf x86 xine xinerama xml xml2 xosd xv xvid zlib"


gcc -v

Reading specs from /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs
Configured with: /home/backup/portage/tmp/portage/gcc-3.3.3-r3/work/gcc-3.3.3/configure --prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/3.3 --includedir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/include --datadir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3 --mandir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3/man --infodir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3/info --enable-shared --host=i686-pc-linux-gnu --target=i686-pc-linux-gnu --with-system-zlib --enable-languages=c,c++,java --enable-threads=posix --enable-long-long --disable-checking --enable-cstdio=stdio --enable-version-specific-runtime-libs --with-gxx-include-dir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/include/g++-v3 --with-local-prefix=/usr/local --enable-shared --enable-nls --without-included-gettext --x-includes=/usr/X11R6/include --x-libraries=/usr/X11R6/lib --enable-interpreter --enable-java-awt=xlib --with-x --disable-multilib --disable-libunwind-exceptions --enable-__cxa_atexit --enable-clocale=generic
Thread model: posix
gcc version 3.3.3 20040412 (Gentoo Hardened Linux 3.3.3-r3, ssp-3.3-7, pie-8.5.3)
Comment 3 Joshua Brindle (RETIRED) gentoo-dev 2004-04-30 03:56:39 UTC
Ok, the PaX team requests that you try with only PaX enabled, no grsec or selinux and see if it happens still.
Comment 4 Joshua Brindle (RETIRED) gentoo-dev 2004-04-30 03:59:38 UTC
Correction, the PaX team requests that you try a vanilla 2.6.5 kernel with this patch http://pax.grsecurity.net/pax-linux-2.6.5-200404281425.patch applied (and only this patch) with the config that caused the problem.
Comment 5 Jetchko Jekov 2004-04-30 06:36:43 UTC
ok, tested vanilla 2.6.5 + pax-linux-2.6.5-200404281425.patch - same behavior:
kernel hangs at "Freeing unused kernel memory".
my config is attached below.
that behavior seems to be CPU specific

CPU on that box is:
vendor_id       : GenuineIntel
cpu family      : 6
model           : 5
model name      : Pentium II (Deschutes)
stepping        : 2
cpu MHz         : 400.981
cache size      : 512 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pat pse36 mmx fxsr

I tested almost the same kernel config in my vmware testbox (the only differences are the included SCSI disk support & BusLogic low-level SCSI driver for the VMware emulated SCSI host controller) and it works.
The CPU on the host machine is a Pentium4

I tried to isolate which option is problematic and disabled "Enforce non-executable pages":
on my Pentium II box the kernel hangs again, but with some more messages after "Freeing unused ...":
init: must be superuser.
Kernel panic: Attempted to kill init!
The same kernel works on the vmware box.
Comment 6 Jetchko Jekov 2004-04-30 06:39:50 UTC
Created attachment 30392 [details]
kernel config for vanilla-2.6.5 + pax-linux-2.6.5-200404281425
Comment 7 PaX Team 2004-05-01 03:31:34 UTC
could you try it without enabling selinux? also, could you determine which pax feature you have to enable to trigger the hang?
Comment 8 Jetchko Jekov 2004-05-03 02:48:41 UTC
tested without selinux enabled:
hangs again at "Freeing unused ..." with following config:
#
# Security options
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
# CONFIG_PAX_MPROTECT is not set

#
# Address Space Layout Randomization
#
# CONFIG_PAX_ASLR is not set
# CONFIG_SECURITY is not set

Comment 9 PaX Team 2004-05-03 12:55:14 UTC
can you try it while disabling SEGMEXEC as well?
Comment 10 Jetchko Jekov 2004-05-04 00:02:14 UTC
with CONFIG_PAX_SEGMEXEC disabled the kernel boots
Comment 11 PaX Team 2004-05-04 05:41:15 UTC
in comment #5 you said that disabling non-exec pages would still kill init and now when you did the same it works? what's the difference between these two configs? also could you try to enable PAGEEXEC instead of SEGMEXEC (MPROTECT is optional) and see if anything changes? another thing to test is 2.4.26 and PaX with these configs? for now it seems to be a problem in PaX either on this P2 CPU or with 2.6, but i don't see any obvious place in the code that would cause this.
Comment 12 Jetchko Jekov 2004-05-04 05:53:05 UTC
no
in comment #5 the config is the attached config but with CONFIG_PAX_NOEXEC disabled
Comment 13 Jetchko Jekov 2004-05-04 05:57:11 UTC
the config with which the kernel boots is the one in comment #8 but with SEGMEXEC disabled
Comment 14 PaX Team 2004-05-04 06:22:20 UTC
i understand but those two are the same, NOEXEC enabled alone doesn't do anything if neither of PAGEEXEC/SEGMEXEC is enabled (which was your case in #10, right?).
Comment 15 Jetchko Jekov 2004-05-04 06:37:52 UTC
in comment #5 CONFIG_PAX_NOEXEC is disabled but CONFIG_PAX_ASLR and some options under ASLR are enabled
in comment #10 both CONFIG_PAX_ASLR and CONFIG_PAX_NOEXEC are disabled
Comment 16 PaX Team 2004-05-04 06:55:40 UTC
ok, so we might have a problem with ASLR then. if you have time, could you disable those one by one and see when it begins to work (and keep NOEXEC disabled for now)?
Comment 17 Jetchko Jekov 2004-05-04 06:57:51 UTC
With that config the kernel boots. I will try now with CONFIG_PAX_ASLR enabled

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_SEGMEXEC is not set
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set

#
# Address Space Layout Randomization
#
# CONFIG_PAX_ASLR is not set
# CONFIG_SECURITY is not set
Comment 18 Jetchko Jekov 2004-05-04 08:21:44 UTC
ok, the problematic option under PAX_ASLR is PAX_RANDKSTACK.
with PAX_RANDKSTACK disabled kernel boots.
Comment 19 PaX Team 2004-05-04 08:31:55 UTC
ok, that's not so much of a surprise, depending on the stack usage of various drivers your kernel has the randomization may trigger overflows. i take it that everything else can be enabled and works fine, right? (in which case this bug can be closed)
Comment 20 Jetchko Jekov 2004-05-04 08:39:18 UTC
well, compiled with SEGMEXEC it doesn't work
Comment 21 PaX Team 2004-05-04 08:46:08 UTC
ok, so that was two bugs... now that RANDKSTACK is off, do you get the same hang/messages when init starts?
Comment 22 Jetchko Jekov 2004-05-04 08:48:07 UTC
:)
comment #8
Comment 23 PaX Team 2004-05-04 08:59:48 UTC
what about 2.4.26?
Comment 24 Jetchko Jekov 2004-05-04 09:09:57 UTC
i'm looking at 2.6 kernels.
That box is running 2.6.3-hardened with selinux + pax enabled;
the kernel is compiled with SEGMEXEC enabled and works
Comment 25 PaX Team 2004-05-04 09:12:38 UTC
i'd like to know if the problem is inherent to SEGMEXEC or SEGMEXEC on 2.6.
Comment 26 PaX Team 2004-05-04 10:00:32 UTC
xorg-x11-6.7.0/work/xc/lib/font/X-TrueType/module links to the X server and something else (FontDefaultFormat and the like), no -z defs for now.
Comment 27 PaX Team 2004-05-04 10:01:39 UTC
oops, wrong bug, ignore #26 ;-).
Comment 28 Jetchko Jekov 2004-05-04 10:20:49 UTC
tested vanilla-2.4.26+pax-linux-2.4.26-200404281425, but the kernel hangs with "Kernel too old" and tries to kill init, even without PaX enabled at all; maybe something with the selinux-patched init ...
Comment 29 PaX Team 2004-05-04 10:38:01 UTC
oh, silly me, you have the nptl use flag which creates a glibc that cannot run with pre-2.6 kernels. on the other hand i'm wondering if that could be the culprit as i don't have nptl here (and no problems either). a question: could you enable NOVSYSCALL for a test?
Comment 30 Jetchko Jekov 2004-05-04 23:37:45 UTC
oh yes, i enabled nptl for testing and forgot about that ;/
but it is enabled in my vmware test box also and i don't have problems with SEGMEXEC or with RANDKSTACK - both are enabled and the kernel works fine.

about NOVSYSCALL, i will enable it for testing.
do you only want to know that the kernel boots, or something more?
Comment 31 PaX Team 2004-05-05 01:34:22 UTC
well, as they say, if it boots it works ;-). seriously, from my point of view, if init and others run then as far as PaX is concerned it should be ok, other issues are specific to such apps not PaX directly. as for why all this works under vmware, no idea, for me it always worked both ways (without nptl).
Comment 32 Jetchko Jekov 2004-05-05 01:57:43 UTC
ok then, vanilla + pax + selinux boots without problems:
NOVSYSCALL enabled, PAGEEXEC enabled, RANDKSTACK disabled.
now i will try hardened-2.6.5 with the same config
Comment 33 Jetchko Jekov 2004-05-05 02:45:57 UTC
hardened-dev-sources-2.6.5-r3 works too with that kernel config
Comment 34 PaX Team 2004-05-05 02:49:56 UTC
what about SEGMEXEC (and with NOVSYSCALL)?
Comment 35 Jetchko Jekov 2004-05-05 10:38:45 UTC
yes, it boots with SEGMEXEC and NOVSYSCALL
Comment 36 PaX Team 2004-05-05 11:45:54 UTC
after having looked at the glibc sources i've got another question: have you by any chance enabled prelink on your system? if so, could you send me your ld-linux.so and libc.so to pageexec at freemail.hu please? what i suspect could happen is that prelink 'remembers' the syscall stub address from the vsyscall page - but at a time when SEGMEXEC wasn't active, so later when you try to run these apps under SEGMEXEC glibc would end up calling syscalls at an invalid address (invalid under SEGMEXEC, that is). alternatively, if you don't mind risking blowing up your system for good, you could prelink your system while SEGMEXEC is active then reboot with a kernel that has NOVSYSCALL disabled and it should work (but then a non-PaX kernel or one with only PAGEEXEC won't work).
Comment 37 PaX Team 2004-05-05 12:07:18 UTC
ok, further looking at the glibc sources makes me think that prelink is irrelevant in fact, ld.so will use the entry point field of the fake vsyscall library as the kernel provided syscall address, overriding what the kernel told via AT_SYSINFO... that's complete crap IMHO. the code in question is in glibc/elf/rtld.c:dl_main():

  if (GL(dl_sysinfo_dso) != NULL)
    {
      /* We have a prelinked DSO preloaded by the system.  */
      GL(dl_sysinfo) = GL(dl_sysinfo_dso)->e_entry;

i think this should look something like:
  if (GL(dl_sysinfo_dso) != NULL)
    {
      if (!GL(dl_sysinfo))
        /* We have a prelinked DSO preloaded by the system.  */
        GL(dl_sysinfo) = GL(dl_sysinfo_dso)->e_entry;
Comment 38 PaX Team 2004-05-05 14:31:10 UTC
ok, the suggested patch won't work as it is, the if() should be more like:

if (GL(dl_sysinfo) == DL_SYSINFO_DEFAULT)

but best is to ask the glibc guys and have them fix it properly ;-).
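A small C program, added here as an illustration and not code from the bug thread, glibc or PaX: it reads both sources ld.so can use for the syscall entry (AT_SYSINFO, and the e_entry of the vsyscall DSO found at AT_SYSINFO_EHDR) and contrasts the precedence quoted in comment 37 with the one suggested in comment 38. SYSINFO_DEFAULT, vdso_entry_from_auxv and the pick_sysinfo_* names are this example's own stand-ins; AT_SYSINFO is only populated by the kernel on i386, so on other architectures getauxval() returns 0 for it.

```c
/* Added example, not glibc's or PaX's code.  Compares the two places
 * ld.so can learn the kernel syscall entry from and shows why letting
 * the vsyscall DSO's e_entry override AT_SYSINFO (comment 37) is wrong
 * when the two disagree, e.g. under SEGMEXEC. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>

/* Stand-in for glibc's DL_SYSINFO_DEFAULT: "the kernel told us nothing". */
#define SYSINFO_DEFAULT 0

/* Entry point field of the kernel-provided vsyscall DSO, read from the
 * ELF header the kernel maps at AT_SYSINFO_EHDR.  Returns 0 when there is
 * no such DSO or the bytes there do not carry an ELF magic. */
uintptr_t vdso_entry_from_auxv(void)
{
    const unsigned char *ehdr = (const unsigned char *)getauxval(AT_SYSINFO_EHDR);
    if (ehdr == NULL || memcmp(ehdr, ELFMAG, SELFMAG) != 0)
        return 0;
    if (ehdr[EI_CLASS] == ELFCLASS64)
        return (uintptr_t)((const Elf64_Ehdr *)ehdr)->e_entry;
    return (uintptr_t)((const Elf32_Ehdr *)ehdr)->e_entry;
}

/* Precedence quoted in comment 37: if a DSO is present its e_entry wins,
 * even when the kernel handed over a different AT_SYSINFO. */
uintptr_t pick_sysinfo_original(uintptr_t at_sysinfo, uintptr_t dso_entry)
{
    return dso_entry != 0 ? dso_entry : at_sysinfo;
}

/* Precedence suggested in comment 38: the DSO's e_entry is only a
 * fallback for when AT_SYSINFO was never provided at all. */
uintptr_t pick_sysinfo_fixed(uintptr_t at_sysinfo, uintptr_t dso_entry)
{
    if (dso_entry != 0 && at_sysinfo == SYSINFO_DEFAULT)
        return dso_entry;
    return at_sysinfo;
}

int main(void)
{
    uintptr_t at_sysinfo = (uintptr_t)getauxval(AT_SYSINFO);
    uintptr_t dso_entry  = vdso_entry_from_auxv();
    printf("AT_SYSINFO      = %#lx\n", (unsigned long)at_sysinfo);
    printf("vDSO e_entry    = %#lx\n", (unsigned long)dso_entry);
    printf("original choice = %#lx\n",
           (unsigned long)pick_sysinfo_original(at_sysinfo, dso_entry));
    printf("fixed choice    = %#lx\n",
           (unsigned long)pick_sysinfo_fixed(at_sysinfo, dso_entry));
    return 0;
}
```

On a current x86-64 system the kernel leaves AT_SYSINFO unset, so both choices print the same value; the two helpers only diverge when the kernel's AT_SYSINFO and the DSO's e_entry disagree, which is the SEGMEXEC case the thread describes.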
Comment 39 Joshua Brindle (RETIRED) gentoo-dev 2004-11-16 14:47:51 UTC
old bug, shouldn't be an issue anymore