Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 193272

Summary: sys-kernel/hardened-sources-2.6.20-r6 causing kernel Oopses with audit_bprm
Product: Gentoo Linux Reporter: Eric Brown <eric.brown>
Component: [OLD] Core systemAssignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED NEEDINFO    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Eric Brown 2007-09-21 01:02:43 UTC 
Not sure if this is a sys-process/audit, or a sys-kernel/hardened-sources-2.6.20-r6 problem, linux-audit patches are applied to the kernel (i'm pretty sure, since it works).

I started playing with sys-process/audit today, and I noticed that it created the following reproducible problem:

1) start auditd
/etc/init.d/auditd start

2) add these rules (to trace all exits from NICE, GETPRIO, SETPRIO syscalls)
autitctl -a exit,always -S 34
auditctl -a exit,always -S 96
auditctl -a exit,always -S 97

3) run revdep-rebuild, see weird error output like this:
Checking dynamic linking consistency...
/usr/bin/revdep-rebuild: line 494: 22480 Done                    ldd "$FILE" 2> /dev/null
     22482 Broken pipe             | grep -v "$LD_MASK"
     22483 Segmentation fault      | $SONAME_GREP -q "$SONAME_SEARCH"

4) this is a hardened-pax system, so I check the system logs (not auditd's logs) to see what's segfaulting and to my surprise, I see tons of kernel Oops logs:

Sep 20 20:52:50 satellite Oops: 0000 [#34]
Sep 20 20:52:50 satellite SMP 
Sep 20 20:52:50 satellite Modules linked in: snd_seq snd_seq_device r8101 ndiswrapper snd_hda_intel snd_pcm snd_timer snd_page_alloc snd_hwdep snd uvcvideo
Sep 20 20:52:50 satellite CPU:    0
Sep 20 20:52:50 satellite EIP:    0060:[<c0156008>]    Tainted: P      VLI
Sep 20 20:52:50 satellite EFLAGS: 00210246   (2.6.20-hardened-r6 #8)
Sep 20 20:52:50 satellite EIP is at kmap+0x8/0x40
Sep 20 20:52:50 satellite eax: 00000000   ebx: 00000000   ecx: c1292d20   edx: dd206000
Sep 20 20:52:50 satellite esi: 00020000   edi: e0075000   ebp: c1977800   esp: dd207eb0
Sep 20 20:52:50 satellite ds: 0068   es: 0068   gs: 00d8   ss: 0068
Sep 20 20:52:50 satellite Process revdep-rebuild (pid: 26293, ti=dd206000 task=d950b560 task.ti=dd206000)
Sep 20 20:52:50 satellite Stack: 00021000 c01894d1 e0075000 c1292d20 00000000 dd5c2000 dd5c2959 e0075000 
Sep 20 20:52:50 satellite dd0dbc00 e0075000 dd207fb8 c01b0d59 e0075000 1440fe68 ffffffff e0075000 
Sep 20 20:52:50 satellite dd0dbc00 dd207f8c 00000000 c01b1173 00000001 00000000 f2e13600 f127fc00 
Sep 20 20:52:50 satellite Call Trace:
Sep 20 20:52:50 satellite [<c01894d1>] audit_bprm+0xd1/0x130
Sep 20 20:52:50 satellite [<c01b0d59>] search_binary_handler+0x49/0x210
Sep 20 20:52:50 satellite [<c01b1173>] do_execve+0x253/0x3c0
Sep 20 20:52:50 satellite [<c0188a35>] __audit_getname+0x85/0xe0
Sep 20 20:52:50 satellite [<c013fa9f>] sys_execve+0x2f/0x80
Sep 20 20:52:50 satellite [<c0140fdc>] syscall_call+0x7/0xb
Sep 20 20:52:50 satellite [<c0460033>] ieee80211_wx_set_encode+0xc3/0x5c0
Sep 20 20:52:50 satellite =======================
Sep 20 20:52:50 satellite Code: ff ff e8 3c f8 18 00 89 c1 81 e1 ff ff 0f 00 e9 45 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 53 89 c3 e8 98 17 31 00 <8b> 03 c1 e8 1e 8d 14 80 8d 14 50 c1 e2 06 81 c2 80 f4 54 c0 8b 
Sep 20 20:52:50 satellite EIP: [<c0156008>] kmap+0x8/0x40 SS:ESP 0068:dd207eb0
Sep 20 20:53:26 satellite auditd[25706]: The audit daemon is exiting.
Sep 20 20:53:26 satellite <5>audit(1190336006.785:423): audit_pid=0 old=25706 by auid=4294967295
Sep 20 20:53:26 satellite audispd[25708]: input read: EOF
Sep 20 20:53:26 satellite grsec: signal 6 sent to /sbin/audispd[audispd:25708] uid/euid:0/0 gid/egid:0/0, parent /sbin/auditd[auditd:25706] uid/euid:0/0 gid/egid:0/0
Sep 20 20:53:26 satellite grsec: signal 6 sent to /sbin/audispd[audispd:25708] uid/euid:0/0 gid/egid:0/0, parent /sbin/auditd[auditd:25706] uid/euid:0/0 gid/egid:0/0
Sep 20 20:53:26 satellite grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /sbin/audispd[audispd:25708] uid/euid:0/0 gid/egid:0/0, parent /sbin/auditd[auditd:25706] uid/euid:0/0 gid/egid:0/0

5) stop auditd, run revdep-rebuild, no problems (/etc/init.d/auditd stop)

Reproducible: Always




Portage 2.1.2.12 (hardened/x86/2.6, gcc-3.4.6, glibc-2.5-r4, 2.6.20-hardened-r6 i686)
=================================================================
System uname: 2.6.20-hardened-r6 i686 Genuine Intel(R) CPU T2080 @ 1.73GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 18 Sep 2007 00:30:09 +0000
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=i686 -O2 -pipe -fforce-addr -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=i686 -O2 -pipe -fforce-addr -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac aalib acl acpi aim alsa ao apm berkdb bluetooth bzip2 cairo calendar caps cdda cddb cdr cjk clamav cracklib crypt cups curl dbm dbx doc dri dvd dvdr dvdread encode fastcgi ffmpeg firefox flac gnutls gphoto2 gtk hardened iconv ieee1394 imagemagick imap imlib javascript jpeg libcaca matroska midi mime mmap mmx mp3 mpeg msn ncurses nls nptl nptlonly nsplugin odbc offensive ogg openal opengl pam pango pcre pdf perl pic png posix python readline samba sasl sdl skey sockets sox speex spell sse sse2 ssl startup-notification svg tcpd threads tiff truetype unicode urandom usb v4l vcd vorbis wifi win32codecs x264 x86 xcomposite xorg xscreensaver xv xvid zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="i810 i915"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-10-02 01:25:38 UTC 
The audit package provides userspace only.
punting to the kernel folk.
Comment 2 Christian Heim (RETIRED) gentoo-dev 2007-10-03 12:45:39 UTC 
(In reply to comment #0)
> Not sure if this is a sys-process/audit, or a
> sys-kernel/hardened-sources-2.6.20-r6 problem, linux-audit patches are applied
> to the kernel (i'm pretty sure, since it works).
> 
> I started playing with sys-process/audit today, and I noticed that it created
> the following reproducible problem:
> 
> 1) start auditd
> /etc/init.d/auditd start
> 
> 2) add these rules (to trace all exits from NICE, GETPRIO, SETPRIO syscalls)
> autitctl -a exit,always -S 34
> auditctl -a exit,always -S 96
> auditctl -a exit,always -S 97
> 
> 3) run revdep-rebuild, see weird error output like this:
> Checking dynamic linking consistency...
> /usr/bin/revdep-rebuild: line 494: 22480 Done                    ldd "$FILE" 2>
> /dev/null
>      22482 Broken pipe             | grep -v "$LD_MASK"
>      22483 Segmentation fault      | $SONAME_GREP -q "$SONAME_SEARCH"
> 
> 4) this is a hardened-pax system, so I check the system logs (not auditd's
> logs) to see what's segfaulting and to my surprise, I see tons of kernel Oops
> logs:
> 
> Sep 20 20:52:50 satellite Oops: 0000 [#34]
> Sep 20 20:52:50 satellite SMP 
> Sep 20 20:52:50 satellite Modules linked in: snd_seq snd_seq_device r8101
> ndiswrapper snd_hda_intel snd_pcm snd_timer snd_page_alloc snd_hwdep snd
> uvcvideo
> Sep 20 20:52:50 satellite CPU:    0
> Sep 20 20:52:50 satellite EIP:    0060:[<c0156008>]    Tainted: P      VLI
> Sep 20 20:52:50 satellite EFLAGS: 00210246   (2.6.20-hardened-r6 #8)
> Sep 20 20:52:50 satellite EIP is at kmap+0x8/0x40
> Sep 20 20:52:50 satellite eax: 00000000   ebx: 00000000   ecx: c1292d20   edx:
> dd206000
> Sep 20 20:52:50 satellite esi: 00020000   edi: e0075000   ebp: c1977800   esp:
> dd207eb0
> Sep 20 20:52:50 satellite ds: 0068   es: 0068   gs: 00d8   ss: 0068
> Sep 20 20:52:50 satellite Process revdep-rebuild (pid: 26293, ti=dd206000
> task=d950b560 task.ti=dd206000)
> Sep 20 20:52:50 satellite Stack: 00021000 c01894d1 e0075000 c1292d20 00000000
> dd5c2000 dd5c2959 e0075000 
> Sep 20 20:52:50 satellite dd0dbc00 e0075000 dd207fb8 c01b0d59 e0075000 1440fe68
> ffffffff e0075000 
> Sep 20 20:52:50 satellite dd0dbc00 dd207f8c 00000000 c01b1173 00000001 00000000
> f2e13600 f127fc00 
> Sep 20 20:52:50 satellite Call Trace:
> Sep 20 20:52:50 satellite [<c01894d1>] audit_bprm+0xd1/0x130
> Sep 20 20:52:50 satellite [<c01b0d59>] search_binary_handler+0x49/0x210
> Sep 20 20:52:50 satellite [<c01b1173>] do_execve+0x253/0x3c0
> Sep 20 20:52:50 satellite [<c0188a35>] __audit_getname+0x85/0xe0
> Sep 20 20:52:50 satellite [<c013fa9f>] sys_execve+0x2f/0x80
> Sep 20 20:52:50 satellite [<c0140fdc>] syscall_call+0x7/0xb
> Sep 20 20:52:50 satellite [<c0460033>] ieee80211_wx_set_encode+0xc3/0x5c0
> Sep 20 20:52:50 satellite =======================
> Sep 20 20:52:50 satellite Code: ff ff e8 3c f8 18 00 89 c1 81 e1 ff ff 0f 00 e9
> 45 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 53 89 c3 e8 98 17 31
> 00 <8b> 03 c1 e8 1e 8d 14 80 8d 14 50 c1 e2 06 81 c2 80 f4 54 c0 8b 
> Sep 20 20:52:50 satellite EIP: [<c0156008>] kmap+0x8/0x40 SS:ESP 0068:dd207eb0
> Sep 20 20:53:26 satellite auditd[25706]: The audit daemon is exiting.
> Sep 20 20:53:26 satellite <5>audit(1190336006.785:423): audit_pid=0 old=25706
> by auid=4294967295
> Sep 20 20:53:26 satellite audispd[25708]: input read: EOF
> Sep 20 20:53:26 satellite grsec: signal 6 sent to /sbin/audispd[audispd:25708]
> uid/euid:0/0 gid/egid:0/0, parent /sbin/auditd[auditd:25706] uid/euid:0/0
> gid/egid:0/0
> Sep 20 20:53:26 satellite grsec: signal 6 sent to /sbin/audispd[audispd:25708]
> uid/euid:0/0 gid/egid:0/0, parent /sbin/auditd[auditd:25706] uid/euid:0/0
> gid/egid:0/0
> Sep 20 20:53:26 satellite grsec: denied resource overstep by requesting 4096
> for RLIMIT_CORE against limit 0 for /sbin/audispd[audispd:25708] uid/euid:0/0
> gid/egid:0/0, parent /sbin/auditd[auditd:25706] uid/euid:0/0 gid/egid:0/0
> 
> 5) stop auditd, run revdep-rebuild, no problems (/etc/init.d/auditd stop)

Did triy something different than hardened-sources ? Since PAX/Grsecurity touches vital kernel things.