Bug 592614 - sys-kernel/hardened-sources + vmware-modules & vmware-workstation: instant reboot of host when launching a guest VM
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2016-08-31 15:31 UTC by Hank Leininger
Modified: 2017-11-30 10:51 UTC (History)

Description Hank Leininger 2016-08-31 15:31:45 UTC
vmware-workstation-12.1.0.3272444-r2 and app-emulation/vmware-modules-308.1.0 with USE="pax_kernel", using either sys-kernel/hardened-sources or vanilla+pax, the host system reboots instantly when a guest VM is started.  Currently using gcc-4.9.4, hardened profile.

This isn't a new problem - I remember having this problem with several different 4.x kernels and vmware 10.x - 12.x, but here are details on the most recent combination I've tried.

I've tried the following, always with the same reboot:

- hardened-sources-4.5.7-r5, most GRKERNSEC+PAX features enabled except CONFIG_GRKERNSEC_IO
- hardened-sources-4.5.7-r5, CONFIG_PAX=n
- hardened-sources-4.5.7-r5, CONFIG_GRKERNSEC_CONFIG_AUTO + CONFIG_GRKERNSEC_CONFIG_VIRT_HOST + CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE
- hardened-sources-4.5.7-r5, CONFIG_GRKERNSEC=n (and thus PAX is not even asked about)
- hardened-sources-4.4.8-r1 (newest hardened-4.4.x) with CONFIG_GRKERNSEC=n
- stock 4.5.7 + https://grsecurity.net/~paxguy1/pax-linux-4.5.7-test24.patch, all features =n

Just as sanity checks, these work fine:

- gentoo-sources-4.4.18
- stock 4.5.7

Combinations are somewhat limited because vmware support lags behind newer kernels, but hardened-sources / pax patches are not available for the latest 4.4 stable kernels, etc.

In all cases using hardened-sources / pax, vmware-modules compiles fine and /etc/init.d/vmware loads them all successfully.

But when powering-on a guest VM using a kernel with pax and/or grsec patches included, the box reboots instantly.  With maximum printk spam to a serial console, I get:

hardened-sources-4.5.7-r5:

[  NNN.183657] grsec: From NN.NN.NN.NN: mount of  to / by /opt/vmware/lib/vmware/bin/vmware-vmx[vmx-vmem:3183] uid/euid:NNN/NNN gid/egid:NNN/NNN, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[  NNN.200870] grsec: From NN.NN.NN.NN: mount of /tmp/vmware-AAAAAA/564dfb1a-ee72-9771-b6ab-6a87daa42160 to /tmp/vmware-AAAAAA/564dfb1a-ee72-9771-b6ab-6a87daa42160 by /opt/vmware/lib/vmware/bin/vmware-vmx[vmx-vmem:3183] uid/euid:NNN/NNN gid/egid:NNN/NNN, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
...and then BIOS POST messages.

stock 4.5.7 + pax-linux-4.5.7-test24.patch I get:
[  NNN.046581] /dev/vmmon[2418]: PTSC: initialized at 2099997000 Hz using TSC, TSCs are synchronized.
[  NNN.302698] /dev/vmmon[2418]: Monitor IPI vector: ff
[  NNN.307676] /dev/vmmon[2418]: HV      IPI vector: f2
...and then BIOS POST messages from the host.

Slightly surprising to me that hardened-sources does not get to a single /dev/vmmon message before dying but pax does.

Using gentoo-sources-4.4.18, it works as expected.  printk's and syslogs start:

[   NNN.342597] /dev/vmmon[9935]: PTSC: initialized at 2099999000 Hz using TSC, TSCs are synchronized.
[   NNN.574193] /dev/vmmon[9935]: Monitor IPI vector: ff
[   NNN.574197] /dev/vmmon[9935]: HV      IPI vector: f2
vmnetBridge: RTM_NEWLINK: name:eth0 index:2 flags:0x00011043
[   NNN.794746] /dev/vmnet: open called by PID 9944 (vmx-vcpu-0)
[   NNN.794760] device eth0 entered promiscuous mode
[   NNN.794842] bridge-eth0: enabled promiscuous mode
[   NNN.794844] /dev/vmnet: port on hub 0 successfully opened
...and the VM successfully starts.

This system has two E5-2620v2's, but I think I have experienced this on various recent Core2 and newer Intel CPUs.

This seems similar to what is discussed in this old but not ancient grsecurity forum thread:

https://forums.grsecurity.net/viewtopic.php?f=3&t=4211

I have not tried the vmception suggestion at the end of the thread, host_no_pax(vmware(guest_with_pax(vmware(guest)))).  Not sure what else that will give me (other than faster reset time!) since I do have a working serial console for the host.
Comment 1 Anthony Basile gentoo-dev 2016-10-01 14:15:38 UTC
Can you test hardened-sources-4.7.6?
Comment 2 Hank Leininger 2016-10-21 01:50:53 UTC
Tested / duplicated with hardened-sources-4.7.8, same behavior.
Comment 3 Manfred Knick 2017-03-23 18:53:58 UTC
(In reply to Hank Leininger from comment #0)
> vmware-workstation-12.1.0.3272444-r2 and
> app-emulation/vmware-modules-308.1.0 with USE="pax_kernel", using either
> sys-kernel/hardened-sources or vanilla+pax,

Could you kindly re-test with

[I-O] [  ] app-emulation/vmware-modules-308.5.4:0
[I-O] [  ] app-emulation/vmware-tools-10.1.5.5055693:0
[I-O] [  ] app-emulation/vmware-workstation-12.5.4.5192485:0

please?

Thanks in advance!
Comment 4 Anton Bolshakov 2017-07-06 00:08:09 UTC
This is a dup of bug #382793, where I reported the same issue back in 2011.
It used to work fine before that.
Comment 5 Manfred Knick 2017-07-07 16:00:04 UTC
REFERENCE:

Bug 616958 :  12.5.7 version bump ,

comments {30..48} :

[ https://bugs.gentoo.org/show_bug.cgi?id=616958#c30 ]
..
[ https://bugs.gentoo.org/show_bug.cgi?id=616958#c48 ]
Comment 6 Manfred Knick 2017-11-30 10:51:54 UTC
VMware Products have been removed from Main Portage Tree during Nov-2017.

Further development has been relegated to [vmware] Overlay.

Situation as of today, 30-Nov-2017:
Workstation : stable in [vmware] = 12.5.8  / released = 14.0.0  : Bug 634770
Player      : stable in [vmware] = 12.5.8  / released = 14.0.0  : Bug 639162
Modules     : stable in [vmware] = 308.5.8 / released = 329.0.0 : Bug 634862
Tools       : stable in [vmware] = 10.1.6  / released = 10.1.15 : Bug 634854