Frequent bug:

BUG: unable to handle kernel NULL pointer dereference at virtual address 0000017c
printing eip:
c041d697
*pde = 00000000
Oops: 0000 [#1]
SMP
Modules linked in: tg3 ipw3945
CPU:    1
EIP:    0060:[<c041d697>]    Not tainted VLI
EFLAGS: 00210246   (2.6.22-hardened-r7 #1)
EIP is at arch_vma_name+0x7/0x20
eax: 00000000   ebx: 00000078   ecx: 00000000   edx: ffffe000
esi: 00000070   edi: 00000000   ebp: 00000000   esp: ed881e54
ds: 007b   es: 0068   fs: 00d8   gs: 0033   ss: 0068
Process java (pid: 5109, ti=ed880000 task=f64ab540 task.ti=ed880000)
Stack: c04b5129 f76f0f00 c0914ba4 ffffe000 fffff000 00000072 0000002d 00000078
       00000070 00000000 00000000 00000000 00000000 ed881eb0 00000000 c0a134a0
       f76f0f00 f6711540 00000000 00000000 00000000 00000000 00000000 00000028
Call Trace:
 [<c04b5129>] show_map_internal+0x249/0x300
 [<c049ea03>] seq_read+0x1d3/0x2b0
 [<c0484f11>] vfs_read+0xa1/0x130
 [<c049e830>] seq_read+0x0/0x2b0
 [<c0485431>] sys_read+0x41/0x70
 [<c04042dd>] sysenter_past_esp+0x66/0x99
 [<c0860000>] ieee80211softmac_assoc_work+0x120/0x520
 [<c049e830>] seq_read+0x0/0x2b0
 [<c0485458>] sys_read+0x68/0x70
 [<c04042f6>] sysenter_past_esp+0x7f/0x99
 =======================
Code: 00 00 00 00 8b 4c 24 0c 8b 54 24 10 8b 44 24 14 83 c4 28 5b 5e 5f 5d e9 68 c2 20 00 90 90 90 90 90 90 90 90 8b 08 8b 50 04 31 c0 <3b> 91 7c 01 00 00 ba 62 3c 90 c0 0f 44 c2 c3 8d 76 00 8d bc 27
EIP: [<c041d697>] arch_vma_name+0x7/0x20 SS:ESP 0068:ed881e54

Judging by the diff between http://www.grsecurity.net/test/pax-linux-2.6.22.9-test30.patch and http://www.grsecurity.net/test/pax-linux-2.6.22.9-test31.patch, it seems to solve this problem. File arch/i386/kernel/sysenter.c:
const char *arch_vma_name(struct vm_area_struct *vma) { - if (vma->vm_start == vma->vm_mm->context.vdso) + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso) return "[vdso]"; #ifdef CONFIG_PAX_SEGMEXEC - if (vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso) + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso) return "[vdso]"; #endif return NULL; }
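Review bot: the `vma->vm_mm` guard is now repeated in both `if` statements (the plain one and the CONFIG_PAX_SEGMEXEC mirror one); a single early `if (!vma->vm_mm) return NULL;` at the top of arch_vma_name() would cover both branches in one place and make the invariant obvious if a third branch is ever added. It would also help to put a one-line comment next to that guard saying why a VMA can reach arch_vma_name() without an owning mm, since the show_map_internal path in the oops above is exactly that case and the reason is not visible from the function itself.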
OK, 2.6.23 should fix your problems.
Not fixed in 2.6.23. Same bug in hardened-sources 2.6.22-r5 -r7 and 2.6.23. Some software like Java and Flash returns without being executed.

$ java --version && echo 1
1
$ dmesg
BUG: unable to handle kernel NULL pointer dereference at virtual address 0000017c
printing eip:
c041d687
*pde = 00000000
Oops: 0000 [#2]
SMP
Modules linked in: tg3 ipw3945
CPU:    0
EIP:    0060:[<c041d687>]    Tainted: G   D  VLI
EFLAGS: 00210246   (2.6.23-hardened #2)
EIP is at arch_vma_name+0x7/0x20
eax: 00000000   ebx: 00000078   ecx: 00000000   edx: ffffe000
esi: 00000070   edi: 00000000   ebp: 00000000   esp: eb9afe8c
ds: 007b   es: 0068   fs: 00d8   gs: 0033   ss: 0068
Process java (pid: 4815, ti=eb9ae000 task=eb841ab0 task.ti=eb9ae000)
Stack: c04a6709 ebb90680 c0913880 ffffe000 fffff000 00000072 0000002d 00000078
       00000070 00000000 00000000 00000000 00000000 eb9afee8 00000000 c0a17460
       ebb90680 eb652570 00000000 00000000 00000000 00000000 00000000 00000028
Call Trace:
 [<c04a6709>] show_map_internal+0x249/0x300
 [<c048fd73>] seq_read+0x1d3/0x2b0
 [<c04761c1>] vfs_read+0xa1/0x130
 [<c048fba0>] seq_read+0x0/0x2b0
 [<c04766e1>] sys_read+0x41/0x70
 [<c04043a9>] sysenter_past_esp+0x66/0x99
 =======================
Code: 00 00 00 00 89 d0 e9 e9 cb 04 00 89 f6 8d bc 27 00 00 00 00 85 c0 75 03 31 c0 c3 e9 64 ce 04 00 90 90 90 90 8b 08 8b 50 04 31 c0 <3b> 91 7c 01 00 00 ba 4d 16 90 c0 0f 44 c2 c3 8d 76 00 8d bc 27
EIP: [<c041d687>] arch_vma_name+0x7/0x20 SS:ESP 0068:eb9afe8c

It may be due to my kernel config:
# CONFIG_PAX_NOEXEC is not set
I will take a look.
It's not due to CONFIG_PAX_NOEXEC: same bug with:
CONFIG_PAX_NOEXEC=y

my pax config:

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

the test:
$ java -version && echo 1
1
# dmesg
BUG: [...]
(In reply to comment #1) > const char *arch_vma_name(struct vm_area_struct *vma) > { > - if (vma->vm_start == vma->vm_mm->context.vdso) > + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso) > > return "[vdso]"; > > #ifdef CONFIG_PAX_SEGMEXEC > - if (vma->vm_mirror && vma->vm_mirror->vm_start == > vma->vm_mm->context.vdso) > + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == > vma->vm_mm->context.vdso) > > return "[vdso]"; > #endif > > return NULL; > } Any insight about this, pipacs?
(In reply to comment #5) > Any insight about this, pipacs? yeah, mea culpa, i simply forgot to forward-port this fix to .23, i'll push a new patch when i've tested out some other changes i've done since.
Fixed in hardened-sources-2.6.23-r1
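The oops in the description and the guard from the patch in comment #1, modelled in user space as an added example (this is not code from the bug report or from the PaX patch; the struct layouts and the sample VMA list are constructed stand-ins, with the vdso placed at the 0xffffe000 seen in the register dump):

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel structures, reduced to the fields the bug touches
 * (constructed for this example; not the kernel's real definitions). */
struct mm_context { unsigned long vdso; };
struct mm_struct  { struct mm_context context; };
struct vm_area_struct { unsigned long vm_start; struct mm_struct *vm_mm; };

/* Before the test31 patch: vm_mm is dereferenced unconditionally. In the oops
 * ecx (vm_mm) is 0 and the faulting read is 0x17c(%ecx), i.e. context.vdso. */
static const char *arch_vma_name_before(const struct vm_area_struct *vma)
{
    if (vma->vm_start == vma->vm_mm->context.vdso)
        return "[vdso]";
    return NULL;
}

/* After the patch: the vm_mm check short-circuits the dereference. */
static const char *arch_vma_name_after(const struct vm_area_struct *vma)
{
    if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
        return "[vdso]";
    return NULL;
}

/* What show_map_internal does for /proc/<pid>/maps: label every VMA in the
 * list. Uses the fixed version; returns how many were labelled "[vdso]". */
static int count_vdso_labels(const struct vm_area_struct *vmas, size_t n)
{
    int found = 0;
    for (size_t i = 0; i < n; i++)
        if (arch_vma_name_after(&vmas[i]) != NULL)
            found++;
    return found;
}

int main(void)
{
    struct mm_struct mm = { { 0xffffe000UL } };  /* vdso address seen in edx */
    struct vm_area_struct vmas[] = {
        { 0x08048000UL, &mm },   /* ordinary mapping */
        { 0xffffe000UL, &mm },   /* the process's vdso */
        { 0xffffe000UL, NULL },  /* VMA with no owning mm: the crashing case */
    };
    printf("no-mm VMA, fixed:    %s\n", arch_vma_name_after(&vmas[2]) ? "[vdso]" : "(null)");
    printf("vdso labels in list: %d\n", count_vdso_labels(vmas, 3));
    return 0;
}
```

Calling arch_vma_name_before() on the third VMA would reproduce the NULL dereference, which is why main() only feeds it to the fixed variant.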