Bug 198051 - mplayer causes kernel BUG in mm code, PAX related
Summary: mplayer causes kernel BUG in mm code, PAX related
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 210026
Reported: 2007-11-04 13:25 UTC by Klaus Kusche
Modified: 2008-02-27 16:32 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
hardened-sources-2.6.23-r7-mplayer-hang-pax-fix-backport.patch (hardened-sources-2.6.23-r7-mplayer-hang-pax-fix-backport.patch,3.30 KB, patch)
2008-02-14 21:39 UTC, Gordon Malm (RETIRED)
hardened-sources-2.6.23-r7-fix1.patch (hardened-sources-2.6.23-r7-fix1.patch,409 bytes, patch)
2008-02-18 12:06 UTC, Gordon Malm (RETIRED)
hardened-sources-2.6.23-r7-fix2.patch (hardened-sources-2.6.23-r7-fix2.patch,1.05 KB, patch)
2008-02-18 12:06 UTC, Gordon Malm (RETIRED)
hardened-sources-2.6.23-r7-allfixes.patch (hardened-sources-2.6.23-r7-allfixes.patch,4.54 KB, patch)
2008-02-18 12:07 UTC, Gordon Malm (RETIRED)
hardened-sources-2.6.23-r7-fix2-r2.patch (hardened-sources-2.6.23-r7-fix2-r2.patch,1.34 KB, patch)
2008-02-19 03:11 UTC, Gordon Malm (RETIRED)
hardened-sources-2.6.23-r7-allfixes-r2.patch (hardened-sources-2.6.23-r7-allfixes-r2.patch,4.84 KB, patch)
2008-02-19 03:14 UTC, Gordon Malm (RETIRED)

Description Klaus Kusche 2007-11-04 13:25:04 UTC
Both hardened-sources 2.6.22-r8 and 2.6.23-r1 BUG when mplayer tries to play a wmv file (windows codecs):

Nov  4 13:59:09 laptop kernel: ------------[ cut here ]------------
Nov  4 13:59:09 laptop kernel: kernel BUG at mm/mmap.c:1674!
Nov  4 13:59:09 laptop kernel: invalid opcode: 0000 [#1]
Nov  4 13:59:09 laptop kernel: PREEMPT
Nov  4 13:59:09 laptop kernel: CPU:    0
Nov  4 13:59:09 laptop kernel: EIP:    0060:[<c0453798>]    Not tainted VLI
Nov  4 13:59:09 laptop kernel: EFLAGS: 00210246   (2.6.23-hardened-r1 #1)
Nov  4 13:59:09 laptop kernel: eax: a0400fff   ebx: 00401000   ecx: dd509aa8   edx: 00000000
Nov  4 13:59:09 laptop kernel: esi: 004d2000   edi: 00100077   ebp: 004a6000   esp: dd7f0eb0
Nov  4 13:59:09 laptop kernel: ds: 0068   es: 0068   fs: 0000  gs: 0033  ss: 0068
Nov  4 13:59:09 laptop kernel: Process mplayer (pid: 3345, ti=dd7f0000 task=dff7a540 task.ti=dd7f0000)
Nov  4 13:59:09 laptop kernel: Stack: dd8b0a80 dd509aa8 dd509aa8 c0453d36 dd509aa8 00401000 604a6000 00000000
Nov  4 13:59:09 laptop kernel:        004c1000 004a6000 dd509aa8 dd8b0a80 c0454038 00000000 00000000 dd5099f8
Nov  4 13:59:09 laptop kernel:        dd8b0a80 004a6000 0001b000 004c1000 c0453f59 dd8b0a80 004a6000 00000073
Nov  4 13:59:09 laptop kernel: Call Trace:
Nov  4 13:59:09 laptop kernel:  [<c0453d36>] <0> [<c0454038>] <0> [<c0453f59>] <0> [<c0453383>] <0> [<c0455273>] <0> [<c0452e1d>] <0> [<c0407c72>] <0> [<c0402d32>] <0> =======================
Nov  4 13:59:09 laptop kernel: Code: 41 3c 75 2f 33 7a 14 89 d0 81 e7 dd df ef df 75 26 5b 5e 5f c3 8b 51 54 31 c0 85 d2 74 f3 0f 0b eb fe 90 0f 0b eb fe 0f 0b eb fe <0f> 0b eb fe 0f 0b eb fe 0f 0b eb fe 0f 0b eb fe 90 8d b4 26 00
Nov  4 13:59:09 laptop kernel: EIP: [<c0453798>]  SS:ESP 0068:dd7f0eb0

After that, the only way to stop the system is AltSysRQ s u b.

I've configured PAX with 
#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_UDEREF=y

mplayer has the following PAX settings:
- PaX flags: -----m-x-e-- [/usr/bin/mplayer]

It has worked fine with these settings with all stable hardened kernels before.

The BUG disappears and mplayer works fine when I set mplayer to
- PaX flags: ---s-m-x-e-- [/usr/bin/mplayer]

(but I really don't want to run mplayer with no seatbelts!)
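The two "PaX flags" lines quoted in the report differ only in the 's' mark, which tells the kernel to turn SEGMEXEC off for that binary; with CONFIG_PAX_PAGEEXEC unset, as in the config above, that leaves mplayer with no non-executable page enforcement at all. The following audit script is an added example, not part of this bug report or of paxctl: it decodes paxctl -v style output and lists which of the protections an administrator cares about have been explicitly disabled per binary. It assumes paxctl's 12-character layout (pairs of force-enable/force-disable marks for PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC, EMUTRAMP, RANDMMAP, uppercase = on, lowercase = off, '-' = kernel default); the sample lines are constructed from the report plus one extra path.

```python
import re

# Assumed paxctl -v layout: six (enable, disable) character pairs in this order.
FEATURES = ["PAGEEXEC", "SEGMEXEC", "MPROTECT", "RANDEXEC", "EMUTRAMP", "RANDMMAP"]
LETTERS = "PSMXER"  # uppercase letter marks "force on", lowercase "force off"

# Constructed sample: the two mplayer states quoted in the report, plus a neutral binary.
SAMPLE = """\
- PaX flags: -----m-x-e-- [/usr/bin/mplayer]
- PaX flags: ---s-m-x-e-- [/usr/bin/mplayer]
- PaX flags: ------------ [/usr/bin/vim]
"""

LINE_RE = re.compile(r"PaX flags: ([-PpSsMmXxEeRr]{12}) \[([^\]]+)\]")


def decode_flags(flags):
    """Map a 12-character PaX flag string to {feature: 'on' | 'off' | 'default'}."""
    if len(flags) != 12:
        raise ValueError("expected 12 flag characters, got %r" % flags)
    state = {}
    for i, name in enumerate(FEATURES):
        enable, disable = flags[2 * i], flags[2 * i + 1]
        # Each slot may only hold '-' or the letter belonging to that feature.
        if enable not in ("-", LETTERS[i]) or disable not in ("-", LETTERS[i].lower()):
            raise ValueError("unexpected mark for %s in %r" % (name, flags))
        if enable != "-" and disable != "-":
            raise ValueError("conflicting enable/disable marks for %s" % name)
        if enable != "-":
            state[name] = "on"
        elif disable != "-":
            state[name] = "off"
        else:
            state[name] = "default"
    return state


def audit(text, required=("SEGMEXEC", "MPROTECT")):
    """Return [(path, [required features explicitly disabled])] for each flags line."""
    findings = []
    for match in LINE_RE.finditer(text):
        state = decode_flags(match.group(1))
        disabled = [f for f in required if state[f] == "off"]
        findings.append((match.group(2), disabled))
    return findings


if __name__ == "__main__":
    for path, disabled in audit(SAMPLE):
        print("%-20s disabled: %s" % (path, ", ".join(disabled) or "none"))
```

Feed it the output of `paxctl -v` over the binaries you care about; any path reported with SEGMEXEC disabled on a PAGEEXEC-less kernel is running without NX enforcement.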
Comment 1 Klaus Kusche 2008-01-11 18:38:22 UTC
Still there in 2.6.23-hardened-r5.
Comment 2 Gordon Malm (RETIRED) gentoo-dev 2008-01-26 09:47:58 UTC
Confirmed here, willing to help any way I can.
Comment 3 Gordon Malm (RETIRED) gentoo-dev 2008-02-11 19:29:21 UTC
Just a status update.  It appears this bug could be resolved in the latest PaX patches for 2.6.24.x.  There is no grsec snapshot for 2.6.24 yet though, so there is no hardened-sources-2.6.24.x yet.
Comment 4 kfm 2008-02-14 11:22:46 UTC
Brad has published a grsecurity patch for 2.6.24.2 recently. Is this bug still reproducible in hardened-2.6.23-r7?
Comment 5 Gordon Malm (RETIRED) gentoo-dev 2008-02-14 12:02:11 UTC
(In reply to comment #4)
> Brad has published a grsecurity patch for 2.6.24.2 recently. Is this bug still
> reproducible in hardened-2.6.23-r7?
> 

Yes, the bug is still reproducible on hardened-sources-2.6.23-r7.  Supposedly pax-linux-2.6.24-test11 included the fix for this bug.  At least it fixes it for the reporter on the grsecurity.net forums.
Comment 6 Gordon Malm (RETIRED) gentoo-dev 2008-02-14 21:39:22 UTC
Created attachment 143535 [details, diff]
hardened-sources-2.6.23-r7-mplayer-hang-pax-fix-backport.patch

Attaching a patch to fix this BUG when playing .wmv files in mplayer.  I backported the parts of upstream's pax-linux-2.6.24-test11.patch relevant to fixing this bug.  It applies against a clean hardened-sources-2.6.23-r7 tree.

I have tested it on 3 hardened/x86 machines and have found no regressions so far.  Playing .wmv files through mplayer no longer BUGs and the media plays without issue as well.

C is not a strong point for me so you test at your own risk, but I am using it without issue and feel rather confident it is correct.  Anybody willing to test it please share your results.  Thanks.
Comment 7 kfm 2008-02-17 22:13:17 UTC
PaX Team, would you be so kind as to review the patch Gordon attached? A new 2.6.23 revision is forthcoming and I hope to close as many bugs as possible in it before moving on.
Comment 8 PaX Team 2008-02-18 06:03:50 UTC
(In reply to comment #7)
> PaX Team, would you be so kind as to review the patch Gordon attached? A new
> 2.6.23 revision is forthcoming and I hope to close as many bugs as possible in
> it before moving on.

yes this looks ok (fixes a bit more than strictly necessary for this bug, but it's ok). on the other hand there's another important vma mirroring fix that went in the latest test27 (interdiff it from test26, it's like a line or two in mm/mprotect.c) that you also want. i think i also fixed #205344 but i forget which testxx that was, it's again a few lines only in mm/memory.c in one of the pax_mirror_*_pte functions (even if it doesn't fix that bug, it is a bugfix you want).
Comment 9 Gordon Malm (RETIRED) gentoo-dev 2008-02-18 12:04:52 UTC
(In reply to comment #8)
> on the other hand there's another important vma mirroring fix that
> went in the latest test27 (interdiff it from test26, it's like a line or two in
> mm/mprotect.c) that you also want.

This will be attached as hardened-sources-2.6.23-r7-fix1.patch. It applies against a clean -r7 tree.

> i think i also fixed #205344 but i forget which testxx that was, it's again a
> few lines only in mm/memory.c in one of the pax_mirror_*_pte functions
> (even if it doesn't fix that bug, it is a bugfix you want).

This will be attached as hardened-sources-2.6.23-r7-fix2.patch. It applies against a clean -r7 tree.

I will also attach hardened-sources-2.6.23-r7-allfixes.patch.  This patch applies against a clean -r7 tree.  It contains:
hardened-sources-2.6.23-r7-mplayer-hang-pax-fix-backport.patch from Comment #6
hardened-sources-2.6.23-r7-fix1.patch
hardened-sources-2.6.23-r7-fix2.patch

Kerin, I have been testing -allfixes + patch @ https://bugs.gentoo.org/show_bug.cgi?id=210022#c0 on four hardened/x86 machines.  All function as expected in their respective roles so far.

PaX Team, thank you for directing our attention to the additional low-hanging-fruit bugfixes and helping us improve the 2.6.23 series. :)
Comment 10 Gordon Malm (RETIRED) gentoo-dev 2008-02-18 12:06:27 UTC
Created attachment 143870 [details, diff]
hardened-sources-2.6.23-r7-fix1.patch

hardened-sources-2.6.23-r7-fix1.patch
Comment 11 Gordon Malm (RETIRED) gentoo-dev 2008-02-18 12:06:57 UTC
Created attachment 143872 [details, diff]
hardened-sources-2.6.23-r7-fix2.patch

hardened-sources-2.6.23-r7-fix2.patch
Comment 12 Gordon Malm (RETIRED) gentoo-dev 2008-02-18 12:07:25 UTC
Created attachment 143873 [details, diff]
hardened-sources-2.6.23-r7-allfixes.patch

hardened-sources-2.6.23-r7-allfixes.patch
Comment 13 PaX Team 2008-02-18 14:47:35 UTC
sorry to bug you guys again, but one of the fixes still wasn't perfect (no one triggered it, but reading the code makes it obvious now ;) so please apply the interdiff between test28-test29 as well.
Comment 14 Gordon Malm (RETIRED) gentoo-dev 2008-02-19 03:11:51 UTC
Created attachment 143931 [details, diff]
hardened-sources-2.6.23-r7-fix2-r2.patch

hardened-sources-2.6.23-r7-fix2-r2.patch implements changes requested in Comment #13.  Obsoletes hardened-sources-2.6.23-r7-fix2.patch.
Comment 15 Gordon Malm (RETIRED) gentoo-dev 2008-02-19 03:14:48 UTC
Created attachment 143932 [details, diff]
hardened-sources-2.6.23-r7-allfixes-r2.patch

hardened-sources-2.6.23-r7-allfixes-r2.patch implements changes requested in
Comment #13.  Obsoletes hardened-sources-2.6.23-r7-allfixes.patch.

I have been testing this -allfixes-r2 + patch @
https://bugs.gentoo.org/show_bug.cgi?id=210022#c0 on four hardened/x86
machines.  All function as expected in their respective roles so far.
Comment 16 kfm 2008-02-27 16:32:19 UTC
Thanks. Included in 2.6.23-r8.