Bug 73013 - net-snmp: snmpd aborts with grsecurity/SSP
Summary: net-snmp: snmpd aborts with grsecurity/SSP
Status: RESOLVED WONTFIX
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: x86 Linux
Importance: High major
Assignee: Alexander Gabert (RETIRED)
Reported: 2004-12-01 02:43 UTC by Christian Parpart (RETIRED)
Modified: 2004-12-06 15:17 UTC
Description Christian Parpart (RETIRED) gentoo-dev 2004-12-01 02:43:50 UTC
I have grsecurity installed, on hardened-dev-sources-2.6.7-r15:

himura snmp # snmpd -f
snmpd: stack smashing attack in function netsnmp_udp_transport()
Aborted
himura snmp # chpax -v /usr/sbin/snmpd

----[ chpax 0.7 : Current flags for /usr/sbin/snmpd (pEmrxs) ]----

 * Paging based PAGE_EXEC       : disabled
 * Trampolines                  : emulated
 * mprotect()                   : not restricted
 * mmap() base                  : not randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : disabled

himura snmp # sysctl kernel.grsecurity
kernel.grsecurity.grsec_lock = 0
kernel.grsecurity.chroot_findtask = 0
kernel.grsecurity.rand_rpc = 1
kernel.grsecurity.audit_mount = 1
kernel.grsecurity.audit_gid = 1007
kernel.grsecurity.audit_group = 1
kernel.grsecurity.socket_server_gid = 1002
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_client_gid = 1003
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_all_gid = 1004
kernel.grsecurity.socket_all = 1
kernel.grsecurity.rand_isns = 1
kernel.grsecurity.rand_tcp_src_ports = 1
kernel.grsecurity.rand_ip_ids = 1
kernel.grsecurity.rand_pids = 1
kernel.grsecurity.tpe_restrict_all = 0
kernel.grsecurity.tpe_gid = 1005
kernel.grsecurity.tpe = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_execlog = 0
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.execve_limiting = 0
kernel.grsecurity.fifo_restrictions = 0
kernel.grsecurity.linking_restrictions = 0

did I miss something?
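The "stack smashing attack in function netsnmp_udp_transport()" line is printed by the SSP (ProPolice) runtime when the guard word a protected function keeps between its local arrays and the saved frame pointer/return address no longer matches at function exit. The following is an added illustration of that check, written for this page; it is not code from net-snmp, the Gentoo toolchain or the ssp patch. It models a protected frame as a struct, uses a fixed stand-in for the guard value (the real one is randomised at program start) and returns a result instead of aborting, so the effect of an unchecked copy can be observed without killing the process. The frame layout and the names `guarded_copy` and `demo_copy` are assumptions of the example.

```c
/*
 * Added illustration, not code from net-snmp or the Gentoo toolchain.
 * Models the check that ProPolice/SSP adds to every function with a local
 * array: a guard word sits between the array and the saved frame pointer /
 * return address, and the function epilogue verifies it before returning.
 * When the guard has changed, the SSP runtime prints
 *   "stack smashing attack in function <name>()"
 * and aborts, which is the line snmpd printed above. Here the frame is
 * modelled as a struct and the check returns a value instead of aborting.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* Model of a protected stack frame (layout assumed for illustration). */
struct guarded_frame {
    char      buf[BUF_LEN];   /* local array; SSP places arrays right below the guard */
    uintptr_t guard;          /* per-function copy of the process-wide guard value */
    uintptr_t saved_ret;      /* stands in for the saved return address above the guard */
};

/* Stand-in for the process-wide guard. Real SSP fills it with random bytes at
 * program start; a fixed value keeps this example deterministic. No byte of it
 * is 'A' (0x41), the fill byte demo_copy() uses, so any overwrite is visible. */
static const uintptr_t GUARD = (uintptr_t)0x00FF0A0Du;

/*
 * A function with the classic bug: it copies `len` bytes into a BUF_LEN local
 * buffer without checking `len`. Returns 1 if the epilogue check passes and
 * 0 if the guard was damaged (the point at which real SSP would abort).
 */
int guarded_copy(const unsigned char *src, size_t len, const char *func)
{
    struct guarded_frame f;

    memset(&f, 0, sizeof f);
    f.guard     = GUARD;
    f.saved_ret = (uintptr_t)0xDEADBEEFu;

    /* The unchecked write. Clamped to the frame only so this demo stays
     * defined C; a real overflow keeps going past saved_ret. */
    if (len > sizeof f)
        len = sizeof f;
    memcpy((unsigned char *)&f, src, len);

    /* Epilogue check inserted by the compiler. */
    if (f.guard != GUARD) {
        fprintf(stderr, "stack smashing attack in function %s()\n", func);
        return 0;
    }
    return 1;
}

/* Drives guarded_copy() with a constructed input of `len` 'A' bytes. */
int demo_copy(size_t len)
{
    unsigned char src[64];          /* constructed input, not real SNMP traffic */
    memset(src, 'A', sizeof src);
    if (len > sizeof src)
        len = sizeof src;
    return guarded_copy(src, len, "demo_copy");
}

int main(void)
{
    size_t lens[] = { 8, BUF_LEN, BUF_LEN + 1, 64 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("copy of %zu bytes: %s\n", lens[i],
               demo_copy(lens[i]) ? "guard intact" : "guard damaged");
    return 0;
}
```

A copy of up to BUF_LEN bytes leaves the guard intact; one byte more changes it and the check fires. The handler cannot tell a genuine overflow from a guard check that the build itself got wrong, which is why the thread's test of the same source at -O2 versus -O3 is what separates the two cases.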
Comment 1 solar (RETIRED) gentoo-dev 2004-12-01 06:29:17 UTC
I have net-snmp installed on over 30 boxes and I've never seen this happen.
Please provide more details such as 'emerge info' and 'cat /var/db/pkg/net-analyzer/net-snmp-5.*/{C{FLAGS,XXFLAGS,HOST},USE,IUSE}'
What snmp version? etc..

My PaX flags are also PeMRxS (why did you have to change your flags at all?)
Comment 2 Christian Parpart (RETIRED) gentoo-dev 2004-12-01 14:30:15 UTC
> I have net-snmp installed on over 30 boxes and I've never seen this happen.
> Please provide more details such as 'emerge info' and 

himura ~ # emerge info
Portage 2.0.51-r3 (hardened/x86/2.6, gcc-3.4.3, glibc-2.3.4.20041102-r0, 2.6.7-hardened-r15 i686)
=================================================================
System uname: 2.6.7-hardened-r15 i686 AMD Athlon(tm) XP 2800+
Gentoo Base System version 1.6.6
distcc 2.18.2 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.92.0.2-r1
Headers:  sys-kernel/linux26-headers-2.6.8.1-r1
Libtools: sys-devel/libtool-1.5.2-r7
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-march=athlon-xp -O3 -pipe "
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-xp -O3 -pipe "
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache cvs digest distlocks nostrip sandbox strict userpriv usersandbox"
GENTOO_MIRRORS="        http://sws.surakware.net/gentoo-rsync/gentoo/   ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo/       ftp://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ "
MAKEOPTS="-j2"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/overlays/bmg-main.alternative /usr/local/overlays/surakware /usr/local/overlays/gentoo-apache /usr/local/overlays/my"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="acl acpi apache2 bash-completion berkdb clamav crypt curl dedicated devmap dlloader expat fam gd gdbm gmp gpm hardened hardenedphp imagemagick imap ipv6 java javascript jpeg libwww lm_sensors maildir mmx mysql ncurses nls nptl nptlonly ntlm odbc oggvorbis pam pcre pdflib perl pic pie png pthreads pwdb python readline rrdtool sasl skey slang snmp spell sqlite sse ssl tcpd tiff truetype unicode vhost vhosts x86 xml xml2 zlib"

> 'cat /var/db/pkg/net-analyzer/net-snmp-5.*/{C{FLAGS,XXFLAGS,HOST},USE,IUSE}'
> What snmp version? etc..

net-analyzer/net-snmp-5.2  -X +ipv6 +lm_sensors -minimal +perl +ssl +tcpd

himura ~ # cat /var/db/pkg/net-analyzer/net-snmp-5.*/{C{FLAGS,XXFLAGS,HOST},USE,IUSE}
-march=athlon-xp -O3 -pipe
-march=athlon-xp -O3 -pipe
i686-pc-linux-gnu
acl acpi apache2 bash-completion berkdb clamav crypt curl dedicated devmap dlloader expat fam gd gdbm gmp gpm hardened hardenedphp imagemagick imap ipv6 java javascript jpeg libwww lm_sensors maildir mmx mysql ncurses nls nptl nptlonly ntlm odbc oggvorbis pam pcre pdflib perl pic pie png pthreads pwdb python readline rrdtool sasl skey slang snmp spell sqlite sse ssl tcpd tiff truetype unicode vhost vhosts x86 xml xml2 zlib
perl ipv6 ssl tcpd X lm_sensors minimal

> My PaX flags are also PeMRxS (why did you have to change your flags at all?

I played around a bit with them in order to find which flag is responsible; finally I noticed none of them was ;)

himura ~ # gcc-config -l
[1] i686-pc-linux-gnu-3.3.4
[2] i686-pc-linux-gnu-3.4.3 *
[3] i686-pc-linux-gnu-3.4.3-hardenednopie
[4] i686-pc-linux-gnu-3.4.3-hardenednossp
[5] i686-pc-linux-gnu-3.4.3-vanilla

I finally worked around by switching (temporarily) to *-hardenednossp to remerge net-snmp.

Though, I guess, it's somewhat related to gcc's hardened patches then :))
Comment 3 solar (RETIRED) gentoo-dev 2004-12-02 00:50:00 UTC
OK, let's establish some of our working diffs.

I do about 3-4 net-snmp installs a week
My setups look like

uCpie local # emerge info
Portage 2.0.51-r2 (uclibc/x86/hardened, gcc-3.3.5, uclibc-0.9.26-r7, 2.4.27-hardened-r3 i686)
=================================================================
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.90.0.1.1-r3
Headers:  sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-Os -march=i486 -pipe -fomit-frame-pointer -Wformat=2"
CHOST="i486-pc-linux-uclibc"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-Os -march=i486 -pipe -fomit-frame-pointer -Wformat=2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig buildipkg buildpkg ccache distlocks nodoc noinfo noman sandbox sfperms strict"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo   ftp://ftp.ussg.iu.edu/pub/linux/gentoo http://gentoo.oregonstate.edu"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages/i486-pc-linux-uclibc/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/portage/local"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="atheros hardened hostap hostap-noplx justify minimal multicall ncurses pcmcia pic pie readline snmp uclibc wifi x86 zlib"

uCpie local # gcc-config -l
[1] i486-pc-linux-uclibc-3.3.5 *
[2] i486-pc-linux-uclibc-3.3.5-ssp
[3] i486-pc-linux-uclibc-3.3.5-pie
[4] i486-pc-linux-uclibc-3.3.5-vanilla
[5] i486-pc-linux-uclibc-3.4.2
[6] i486-pc-linux-uclibc-3.4.2-pie
[7] i486-pc-linux-uclibc-3.4.2-vanilla

--

Can you recompile net-snmp with 
CFLAGS="-g3 -ggdb -fno-pie" FEATURES=nostrip 
ulimit -c unlimited
Let's get a core and a nice backtrace, strace logs etc. for pappy to look at.

I'd provide one but my envs do not fail.
Comment 4 Alexander Gabert (RETIRED) gentoo-dev 2004-12-06 11:10:01 UTC
>>> net-analyzer/net-snmp-5.2 merged.
>>> Recording net-analyzer/net-snmp in "world" favorites file...
mv: cannot stat `/var/tmp/portage/net-snmp-5.2/temp/environment': No such file or directory

>>> clean: No packages selected for removal.

>>> Auto-cleaning packages ...

>>> No outdated packages were found on your system.


 * Regenerating GNU info directory index...
 * Processed 8 info files.

 19:29:53 [/space/chroots/chroot002:9248.pts-0.papillon]papillon ~
 # gcc -v
Reading specs from /usr/lib/gcc/i686-pc-linux-gnu/3.4.3/specs
Configured with: /var/tmp/portage/gcc-3.4.3/work/gcc-3.4.3/configure --enable-version-specific-runtime-libs --prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/3.4.3 --includedir=/usr/lib/gcc/i686-pc-linux-gnu/3.4.3/include --datadir=/usr/share/gcc-data/i686-pc-linux-gnu/3.4.3 --mandir=/usr/share/gcc-data/i686-pc-linux-gnu/3.4.3/man --infodir=/usr/share/gcc-data/i686-pc-linux-gnu/3.4.3/info --with-gxx-include-dir=/usr/lib/gcc/i686-pc-linux-gnu/3.4.3/include/g++-v3 --host=i686-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --enable-__cxa_atexit --enable-clocale=gnu --with-system-zlib --disable-checking --disable-werror --disable-libunwind-exceptions --enable-shared --enable-threads=posix --disable-multilib --enable-java-awt=gtk --enable-languages=c,c++,f77,objc,java
Thread model: posix
gcc version 3.4.3  (Gentoo Hardened Linux 3.4.3, ssp-3.4.3-0, pie-8.7.6.6)

after # CFLAGS="-O3" emerge -v net-snmp that is

Comment 5 Alexander Gabert (RETIRED) gentoo-dev 2004-12-06 11:23:06 UTC
Error is confirmed, i can reproduce it here.
I am trying with -O2 at the moment to reproduce it. If there is no error with -O2, you are losing the game: the documentation clearly states not to use SSP with anything higher than -O2.

TIA,

Alex
Comment 6 Alexander Gabert (RETIRED) gentoo-dev 2004-12-06 11:35:06 UTC
 20:27:08 [/space/chroots/chroot002:9248.pts-0.papillon]papillon /master/tmp
 # snmpd -f

works with -O2

WONTFIX

http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#Othreessp
Comment 7 Christian Parpart (RETIRED) gentoo-dev 2004-12-06 15:17:14 UTC
okay, I lost. I accept it.

thx for the direct link anyway ;-)

when it works with -O2 but not with higher, then it *must* be
a GCC code optimizer bug, right? 
(which will be hard to trace down)