When I use the PaX security enhancement in the kernel, the bitdefender-console program does not run. There is a tool, chpax, which corrects the flags of programs that don't work well, but it doesn't include code for the bitdefender-console virscan app. If I run the command: chpax -s /opt/bdc/bdc, it works. Please correct this in the /etc/conf.d/chpax file. Thanks.

Reproducible: Always

Steps to Reproduce:
1. emerge bitdefender-console
2. /opt/bdc/bdc --all /opt/bdc/*

Actual Results:
In syslog:
Mar 1 14:31:55 posseidon PAX: execution attempt in: <anonymous mapping>, 52564000-525e2000 52564000
Mar 1 14:31:55 posseidon PAX: terminating task: /opt/bdc/bdc(bdc):31330, uid/euid: 102/102, PC: 52564028, SP: 5c9b56ec
Mar 1 14:31:55 posseidon PAX: bytes at PC: 53 55 56 57 8b 7c 24 18 68 b4 ef 00 00 8b 1f e8 bc 21 00 00
Mar 1 14:31:55 posseidon PAX: bytes at SP: 25b4f0c5 5c9b5710 08069aa4 08069a84 25b4ef3d 00000000 08069aa4 08069a70 00000000 74706f2f 6364622f 756c502f 736e6967 7665002f 6e726b61 6d782e6c 00000064 00000000 00000000 00000000

In the console:
BDC/Linux-Console v7.0 (build 2490) (i386) (Dec 10 2003 16:11:35)
Copyright (C) 1996-2003 SOFTWIN SRL. All rights reserved.
Leállítva

oops, my LANG is hu_HU, so with en_US:
BDC/Linux-Console v7.0 (build 2490) (i386) (Dec 10 2003 16:11:35)
Copyright (C) 1996-2003 SOFTWIN SRL. All rights reserved.
Killed

Expected Results:
The program runs normally.
Portage 2.0.51.18 (hardened/x86/2.6, gcc-3.4.3, glibc-2.3.4.20041102-r0, 2.6.10-hardened-r3-02 i686)
=================================================================
System uname: 2.6.10-hardened-r3-02 i686 AMD Athlon(tm) MP 2600+
Gentoo Base System version 1.6.9
Python: dev-lang/python-2.3.5 [2.3.5 (#1, Feb 21 2005, 03:36:23)]
dev-lang/python: 2.3.5
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.6.3, 1.4_p6, 1.9.4, 1.5, 1.8.5-r3, 1.7.9-r1
sys-devel/binutils: 2.15.92.0.2-r4
sys-devel/libtool: 1.5.10-r5
virtual/os-headers: 2.6.8.1-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mtune=athlon-mp -msse -mfpmath=sse -m3dnow -pipe -fPIC -mmmx -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/mail/dspam /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mtune=athlon-mp -msse -mfpmath=sse -m3dnow -pipe -fPIC -mmmx -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig buildpkg ccache digest distlocks fixpackages sandbox"
GENTOO_MIRRORS="http://gentoo.mirror.icd.hu/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://mirror.nutsmaas.nl/gentoo/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://212.219.56.146/sites/www.ibiblio.org/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/"
LANG="hu_HU.utf8"
LC_ALL="hu_HU.utf8"
MAKEOPTS="-j3"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://195.228.254.73/gentoo-portage"
USE="3dnow X acl alsa apache2 avi bash-completion berkdb caps cdr crypt ctype cups curl curlwrappers dbm dlloader dvdr ethereal exif fam fastcgi ftp gd gdbm gif gmp gtk hardened iconv imagemagick imap inifile innodb ipv6 java jpeg junit kde ldap libg++ libwww mhash mime mmx mmx2 motif mpeg mpi mysql ncurses nls nptl oggvorbis opengl pam pcntl pcre perl php pic pie png pnp posix postgres python qt readline recode samba sasl shared slang snmp sockets sse ssl svg symlink sysvipc tcltk tcpd tiff usb vhosts x86 xml xml2 xmlrpc xsl zlib"
Unset: ASFLAGS, CBUILD, CTARGET, LDFLAGS
Why does this program need an executable stack?
Are you asking me???? :)
yes. You reported this. I'm asking why the program really needs it.
???? Yes, I reported this, because I used this program, and I had that problem, and I solved it, and I wanted anybody who wishes to use this program in the future - like me - not to have this problem, like me. I wish to fix this, but I am not a programmer, I am just a simple user. I don't know what this problem is about, what this protection is about, or what exactly happens if I run this command. I just know that this program is not working in a hardened pool, and after I enter this command it works. And I know if I make a bug in the Gentoo Bugzilla, the Gentoo developers will fix this, because they are such lovely guys :) Sorry, but I am not your man who knows the answers.

cheers, tsabi
ok thanks. I'll ask around and see if anybody else uses this and can do some debugging. In the meantime I'll leave this bug open in case anybody else runs across this.
Hi! Please don't forget about this bug! Thanks, tsabi
Found some free time and managed to look at this package a little closer. Ok, bad news guy. This package is binary only, has poor q/a and we are powerless to fix them. TEXTRELs are not really permitted by Gentoo policy in any shared object, and this package provides two ELF shared objects with quite a few run-time text relocations in them, which is why you have to chpax this package.

In the end what this means is that this package either
1) needs to be removed from the tree
- and/or -
2) the upstream vendor contacted and you nicely ask them to fix code they are releasing by compiling whatever *.a object they later static link into the shared object with -fPIC.

You should opt for #2 ASAP as it should resolve a part of the fundamental underlying problem with this package.

cd /var/tmp/portage/bitdefender-console-7.0.1/work
scanelf -t -q $(find . -type f)
TEXTREL ./i386/opt/bdc/bdupd.so
TEXTREL ./i386/opt/bdc/libfn.so

The second lib is a little more interesting as it appears to have some pointless obscured run-time self-decrypting code in it.

For now I would rather not put this in /etc/conf.d/chpax vs seeing something like this in the ebuild.

---------------
pkg_postinst () { einfo You should upgrade virus database by running bdc --update + [ -x /sbin/chpax && -w ] && /sbin/chpax -m /opt/bdc/bdc }
---------------

At this point there is not much else hardened@ can do for you, so I'm reassigning the bug to the package maintainer and putting hardened@ on the CC: so we can track the progress.
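Review bot: the test on the added line, "[ -x /sbin/chpax && -w ]", is malformed: "&&" ends the "[" command before its closing "]", and "-w" is left without a file operand, so the chpax call is never reached. Close the first test before the "&&", and if a writability check was intended give "-w" the path it should test, for example /opt/bdc/bdc.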
pkg_postinst () { einfo You should upgrade virus database by running bdc --update + [ -x /sbin/chpax ] && /sbin/chpax -spm /opt/bdc/bdc }
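Review bot: on the added line, "[ -x /sbin/chpax ] && /sbin/chpax -spm /opt/bdc/bdc" is the last command in pkg_postinst, so when chpax is not installed the function returns non-zero and the binary is left unmarked without any message. An if/fi block with an ewarn in the else branch would keep the return status clean and tell users that they need to run chpax on /opt/bdc/bdc themselves. The einfo text should also be quoted.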
Upstream just responded to my yesterday's email about this, saying that they're working on a "fix/workaround" for this issue.
We are currently testing our products (the console scanner, as well as the mail/file-server scanners), and hopefully we'll reach a resolution. In the mean time, I can say that the program needs the executable heap/stack in order to load the cross-platform scanning engines, and yes, the workaround proposed by solar@gentoo.org in Comment #8 should be valid. -- Bogdan Agica BitDefender Linux Internal Testing Engineer
Hello again. We have done our share of testing, and I can say that right now, the workaround proposed by solar@gentoo.org in Comment #8 is the only valid approach. In the future, the engines might be rewritten in order to meet such shortcomings, but in the mean time, this is the only way. Please read the full article on the BitDefender Knowledge Base at http://kb.bitdefender.com/KB211-en--BitDefender-and-GRSec/PAX-enabled-environments.html
7.0.1-r1 has just been committed to portage (~x86, ~amd64) with the "chpax -spm" workaround. Thanks everyone involved!
(In reply to comment #11)
> In the future, the engines might be rewritten in order to meet such shortcomings,

I/we look forward to this.

> but in the mean time, this is the only way. Please read the full
> article on the BitDefender Knowledge Base at
> http://kb.bitdefender.com/KB211-en--BitDefender-and-GRSec/PAX-enabled-environments.html

Re: I'm a little confused about this. The webpage states you can run paxctl -smp; however, in order for that to work on a given executable it must contain a PT_PAX_FLAGS program header, which the existing bdc does not. Perhaps there is a new version of bdc which includes these headers? :) If so then perhaps it would be best if you, the vendor, deployed the program with the needed runtime flags of just -sp. The -m flag seems like something you can work around in the next release of the program by simply making sure that bdupd.so and libfn.so are both compiled with -fPIC.

Oh and all this probably also holds true for not just PaX/grsec environments but also kernel supported NX bits (amd64), OpenWall, and Exec-Shield.
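The two ELF properties this thread turns on, as an added Python example (not code from the bug report, Gentoo or BitDefender): whether a binary carries the PT_PAX_FLAGS program header that paxctl needs, and whether its dynamic section is marked TEXTREL, as scanelf reported for bdupd.so and libfn.so. The function names and the constructed sample image are assumptions for illustration; only little-endian ELF32 (i386) is handled.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_PAX_FLAGS = 2, 0x6474E551, 0x65041580
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL, PF_X = 0, 22, 30, 0x4, 0x1
EHDR, PHDR, DYN = "<16sHHIIIIIHHHHHH", "<8I", "<II"

def inspect_elf32(data):
    """Report the PaX-relevant properties of a little-endian ELF32 image."""
    if data[:6] != b"\x7fELF\x01\x01":
        raise ValueError("not a little-endian ELF32 file")
    hdr = struct.unpack_from(EHDR, data)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    info = {"pt_pax_flags": False, "exec_stack": None, "textrel": False}
    for i in range(phnum):
        p_type, p_off, _, _, p_filesz, _, p_flags, _ = struct.unpack_from(
            PHDR, data, phoff + i * phentsize)
        if p_type == PT_PAX_FLAGS:      # the header paxctl needs to find
            info["pt_pax_flags"] = True
        elif p_type == PT_GNU_STACK:    # PF_X set: executable stack requested
            info["exec_stack"] = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:      # walk the dynamic entries for TEXTREL
            for off in range(p_off, p_off + p_filesz, 8):
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    info["textrel"] = True
    return info

def advice(info):
    """Map the findings to the choices discussed in the thread."""
    tool = "paxctl" if info["pt_pax_flags"] else "chpax (no PT_PAX_FLAGS header)"
    fix = "rebuild with -fPIC" if info["textrel"] else "no TEXTREL"
    return tool, fix

def build_sample(phdrs, dyn=()):
    """Constructed test image: ELF32 header, program headers, dynamic entries."""
    phoff, dynoff = 52, 52 + 32 * len(phdrs)
    dynbytes = b"".join(struct.pack(DYN, t, v) for t, v in dyn)
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)
    out = struct.pack(EHDR, ident, 3, 3, 1, 0, phoff, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    for p_type, p_flags in phdrs:
        is_dyn = p_type == PT_DYNAMIC
        out += struct.pack(PHDR, p_type, dynoff if is_dyn else 0, 0, 0,
                           len(dynbytes) if is_dyn else 0, 0, p_flags, 4)
    return out + dynbytes

if __name__ == "__main__":
    print(advice(inspect_elf32(build_sample([(PT_GNU_STACK, 7)]))))
```

On a real system, pass the bytes of the file to inspect_elf32 instead of a constructed image.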