Bug 462430 - sys-apps/ucspi-tcp-0.88-r17: tcpserver allocate random amount of memory
Summary: sys-apps/ucspi-tcp-0.88-r17: tcpserver allocate random amount of memory
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Kernel Team (OBSOLETE)
Reported: 2013-03-20 05:34 UTC by Alex Efros
Modified: 2013-06-24 21:24 UTC
Description Alex Efros 2013-03-20 05:34:03 UTC
I've tried to start

    # /usr/bin/tcpserver 127.0.0.1 11111 echo ok

then kill it using Ctrl-C and start again several times.
When checking the memory used by this process (using `ps axu`), I notice it uses a random amount of memory (10-300MB), e.g.:

    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    root      9108  0.0  0.0 151432   280 pts/2    S+   05:16   0:00 /usr/bin/tcpserver 127.0.0.1 11111 echo ok
    root      9114  0.0  0.0 239164   280 pts/2    S+   05:16   0:00 /usr/bin/tcpserver 127.0.0.1 11111 echo ok
    root      9118  0.0  0.0 132836   280 pts/2    S+   05:17   0:00 /usr/bin/tcpserver 127.0.0.1 11111 echo ok
    root      9201  0.0  0.0  10452   280 pts/2    S+   05:17   0:00 /usr/bin/tcpserver 127.0.0.1 11111 echo ok

This happens on a 32-bit system. On a 64-bit system it uses less memory, but still a random amount (5-60MB).

The problem is that tcpserver is used by the qmail-pop3d service, and it is started under /usr/bin/softlimit -m 16000000, which results in killing tcpserver on nearly every attempt to connect to localhost:pop3 with this error:

    kern.alert: grsec: From 127.0.0.1: denied resource overstep by requesting 132014080 for RLIMIT_AS against limit 16000000 for /var/qmail/bin/qmail-popup[qmail-popup:16527] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/tcpserver[tcpserver:1400] uid/euid:0/0 gid/egid:0/0



Portage 2.1.11.55 (hardened/linux/amd64, gcc-4.6.3, glibc-2.15-r3, 3.7.5-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.7.5-hardened-r1-x86_64-Intel-R-_Core-TM-_i7-2600K_CPU_@_3.40GHz-with-gentoo-2.1
KiB Mem:     8151432 total,    886140 free
KiB Swap:    4200960 total,   4200960 free
Timestamp of tree: Tue, 19 Mar 2013 21:15:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.3-r3, 3.2.3-r2
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo powerman perl-experimental-snapshots gamerlay local
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/upsmon-usb/EXT/DownOS /opt/upsmon-usb/EXT/JSystem /service /usr/inferno/keydb /usr/inferno/lib /usr/inferno/services /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/log /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="${EPREFIX}/etc/gconf /etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage-distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="http://portage.org.ua/ http://gentoo.iteam.net.ua/ http://mirror.mdfnet.se/gentoo http://gentoo.mneisen.org/ http://gentoo.wheel.sk/"
LANG="ru_RU.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8"
PKGDIR="/usr/portage-packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude ChangeLog --delete-excluded"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/powerman /var/lib/layman/perl-experimental-snapshots /var/lib/layman/gamerlay /usr/local/portage"
SYNC="rsync://rsync.ua.gentoo.org/gentoo-portage"
USE="X a52 aac acl alac alsa amd64 avx bash-completion berkdb bzip2 caps cdda cddb cli cracklib crypt cxx dbus dri dts dvb dvd flac fontconfig gdbm gif gnutls gpg gpm hardened iconv icu id3tag idn ipv6 jpeg jpeg2k justify libnotify mac mad matroska mbox mmx mng modules mp3 mpeg mudflap multilib musepack mysql ncurses network-cron nls nptl nsplugin ogg opengl openmp pam pax_kernel pcre perl png qt3support readline session spell sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 svg tcpd theora tiff truetype unicode urandom vdpau vim-syntax vorbis wavpack x264 xosd xv xvid xvmc zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="log_config vhost_alias autoindex alias rewrite dir deflate filter mime negotiation auth_basic authn_file authz_host authz_user authz_groupfile cgi actions headers env setenvif" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en ru" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" QEMU_SOFTMMU_TARGETS="x86_64 i386" QEMU_USER_TARGETS="x86_64 i386" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="nvidia nv nouveau" 
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON
Comment 1 Alex Efros 2013-03-20 06:06:15 UTC
I've tried to drop all patches from ebuild (except trivial exit/errno patches).
I've tried to build ucspi-tcp using vanilla gcc instead of hardened.
I've tried to switch off CONFIG_GRKERNSEC_RAND_THREADSTACK.
Neither of these helps. Any ideas what to check next?
Comment 2 Alex Efros 2013-03-20 07:15:05 UTC
I've completely switched off GrSecurity/PaX and this fixed the issue - now tcpserver uses 4120KB VSZ on each run. I'll try to bisect the GrSec options to find which one results in this behavior.
Comment 3 Alex Efros 2013-03-20 07:47:21 UTC
`paxctl -r /usr/bin/tcpserver` fixes this issue.
Looks like paxmarking should be added to the ebuild.
Comment 4 Alex Efros 2013-03-20 07:59:34 UTC
Actually, it looks like an issue with CONFIG_PAX_RANDMMAP.
The thing is, there are a lot of tools executed in a chain by qmail using `softlimit -m 16000000`:
  /usr/bin/tcpserver
  /usr/bin/greysmtpd
  /var/qmail/bin/qmail-smtpd
  /var/qmail/bin/qmail-queue
  ...
and all should be paxmarked -r now. Keeping in mind that greysmtpd is a perl script, /usr/bin/perl5.12.4 should also be paxmarked. This is surely a very bad idea and wasn't required until I updated the system (including kernel 3.7.0->3.7.5).
Comment 5 Alex Efros 2013-03-22 02:33:52 UTC
> Assignee: bug-wranglers@gentoo.org → qmail-bugs@gentoo.org

I don't think this is correct. This issue has nothing to do with qmail itself; any application executed under a strict memory limit (using ulimit or softlimit or chpst etc.) will be affected by this issue. This issue is related only to hardened/PaX.
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2013-03-23 18:37:18 UTC
hardened patchset update is supposed to fix this issue:
http://www.gossamer-threads.com/lists/gentoo/hardened/269583
Comment 7 Alex Efros 2013-03-23 19:25:27 UTC
(In reply to comment #6)
> hardened patchset update is supposed to fix this issue:
> http://www.gossamer-threads.com/lists/gentoo/hardened/269583

Supposed, but it hasn't fixed it yet, at least for 32-bit.
There were a few more updates of the grsec patch since the one I've tested (20130319), but it now requires kernel 3.8.4, which isn't in portage yet. When someone adds 3.8.4 to portage I'll test it with the latest grsec patch and will report here whether this issue was fixed or not.
Comment 8 Anthony Basile gentoo-dev 2013-03-24 01:12:22 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > hardened patchset update is supposed to fix this issue:
> > http://www.gossamer-threads.com/lists/gentoo/hardened/269583
> 
> Supposed, but it hasn't fixed it yet, at least for 32-bit.
> There were a few more updates of the grsec patch since the one I've tested
> (20130319), but it now requires kernel 3.8.4, which isn't in portage yet.
> When someone adds 3.8.4 to portage I'll test it with the latest grsec patch
> and will report here whether this issue was fixed or not.

Try turning off PAX_RANDMMAP and see what happens.
Comment 9 Alex Efros 2013-03-24 02:06:26 UTC
(In reply to comment #8)
> Try turning off PAX_RANDMMAP and see what happens.

Already did that. When it's turned off, tcpserver on each run uses 1.9MB on 32-bit and 4.2MB on 64-bit. And thus the 16MB softlimit also works ok.
Comment 10 Alex Efros 2013-03-24 07:08:01 UTC
I've tested 3.8.4 (current in portage, it uses grsec 201303221826).

On a 64-bit system tcpserver uses the same amount of VSZ (4.1MB) on each run.
On a 64-bit system it's 1.9MB on each run.

I don't know whether that means this bug is fixed or RANDMMAP just doesn't work at all.
Comment 11 PaX Team 2013-03-24 14:01:00 UTC
it's fixed now, my last attempt had a silly typo and used the wrong variable for aslr gap accounting, that's why you saw random memory consumption (it wasn't actual memory consumption, just an accounting bug).
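
An added example, not part of the bug report or of any project's code: it parses the grsec `RLIMIT_AS` denial quoted in the description and checks the reported `ps axu` VSZ values against the 16000000-byte `softlimit -m` value, showing that the limit is tripped by accounted virtual size while RSS stays at 280 KiB. The function names are assumptions; the embedded lines are copied from the report above.

```python
import re

SOFTLIMIT_BYTES = 16000000  # value passed to `softlimit -m` in the report

# Rows copied from the `ps axu` output in the description (VSZ/RSS are in KiB).
PS_ROWS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      9108  0.0  0.0 151432   280 pts/2    S+   05:16   0:00 /usr/bin/tcpserver 127.0.0.1 11111 echo ok
root      9114  0.0  0.0 239164   280 pts/2    S+   05:16   0:00 /usr/bin/tcpserver 127.0.0.1 11111 echo ok
root      9118  0.0  0.0 132836   280 pts/2    S+   05:17   0:00 /usr/bin/tcpserver 127.0.0.1 11111 echo ok
root      9201  0.0  0.0  10452   280 pts/2    S+   05:17   0:00 /usr/bin/tcpserver 127.0.0.1 11111 echo ok
"""

# Kernel message copied from the description.
GRSEC_LINE = (
    "kern.alert: grsec: From 127.0.0.1: denied resource overstep by requesting "
    "132014080 for RLIMIT_AS against limit 16000000 for "
    "/var/qmail/bin/qmail-popup[qmail-popup:16527] uid/euid:0/0 gid/egid:0/0, "
    "parent /usr/bin/tcpserver[tcpserver:1400] uid/euid:0/0 gid/egid:0/0")

OVERSTEP = re.compile(
    r"denied resource overstep by requesting (?P<req>\d+) for (?P<res>RLIMIT_\w+) "
    r"against limit (?P<limit>\d+) for (?P<exe>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
    r".*?parent (?P<parent>\S+?)\[")

def parse_overstep(line):
    """Return the fields of a grsec resource-overstep message, or None."""
    m = OVERSTEP.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("req", "limit", "pid"):
        d[key] = int(d[key])
    d["excess"] = d["req"] - d["limit"]  # bytes requested beyond the limit
    return d

def ps_rows_over_limit(ps_text, limit_bytes):
    """Return (pid, vsz_bytes, rss_bytes, over_limit) for each process row."""
    rows = []
    for line in ps_text.splitlines():
        f = line.split(None, 10)
        if len(f) < 11 or not f[1].isdigit():
            continue  # header or malformed row
        vsz, rss = int(f[4]) * 1024, int(f[5]) * 1024
        rows.append((int(f[1]), vsz, rss, vsz > limit_bytes))
    return rows

if __name__ == "__main__":
    print(parse_overstep(GRSEC_LINE))
    for row in ps_rows_over_limit(PS_ROWS, SOFTLIMIT_BYTES):
        print("pid=%d vsz=%d rss=%d over_limit=%s" % row)
```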