Bug 350228

Summary:	sys-kernel/hardened-sources-2.6.36-r7: NFS and Samba server "broken"
Product:	Gentoo Linux	Reporter:	El Goretto <el.goretto>
Component:	Hardened	Assignee:	The Gentoo Linux Hardened Kernel Team (OBSOLETE) <hardened-kernel+disabled>
Status:	RESOLVED FIXED
Severity:	major	CC:	hardened, pageexec, spender
Priority:	High
Version:	unspecified
Hardware:	x86
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	kernel 2.6.36-hardened-r7 config

Description El Goretto 2010-12-31 13:43:01 UTC

When upgrading a NFS/Samba server from sys-kernel/hardened-sources-2.6.36-r2 to sys-kernel/hardened-sources-2.6.36-r7 (cp .config file then make oldconfig), I noticed that I couldn't mount NFS filesystems from another linux client (gentoo-sources 2.6.36*) nor could I access samba shares from another windows client (XP & 7). Data accessible via NFS and Samba refers to the same data on the server.

I checked my logs but I can't find anything related to NFS. Samba is a bit more verbose, I get in log files (log.smbd):

[2010/12/30 23:07:08,  1] smbd/service.c:1063(make_connection_snum)
  <client_hostname> (<client_IP>) connect to service FOO initially as user elgo (uid=1000, gid=100) (pid 15368)
[2010/12/30 23:07:08,  0] smbd/reply.c:3375(send_file_readX)
  send_file_readX: sendfile failed for file <path_to_file> (Bad address). Terminating
[2010/12/30 23:07:08,  1] smbd/service.c:1240(close_cnum)
  <client_hostname> (<client_IP>) closed connection to service FOO

The problem seems to be accessing data itself.
So I add some additionnal info on data shared via NFS and Samba:
These are 2 ext4 filesystem over LVM2, mounted on /opt/foo and /opt/foo/bar on the server. Only /opt/foo is exposed to samba of course. Mount options are: "rw,noexec,nosuid,noatime,acl", and some ACLs are set.

I'm pretty out of options to go further and troubleshoot this issue, so if you have a suggestion...
In the meantime, sys-kernel/hardened-sources-2.6.36-r2 have not this issue.

Reproducible: Always

Steps to Reproduce:
1.boot sys-kernel/hardened-sources-2.6.36-r7
2.on a client box, try to mount NFS exports or Samba shares
3.it fails...




# emerge --info
Portage 2.1.9.25 (hardened/linux/x86, gcc-4.4.4, glibc-2.11.2-r3, 2.6.36-hardened-r7 i686)
=================================================================
System uname: Linux-2.6.36-hardened-r7-i686-Intel-R-_Atom-TM-_CPU_330_@_1.60GHz-with-gentoo-1.12.14
Timestamp of tree: Fri, 31 Dec 2010 03:15:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.1_p7
dev-java/java-config: 2.1.11-r1
dev-lang/python:     2.6.6-r1, 3.1.2-r4
dev-util/ccache:     2.4-r9
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.9.6-r2, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -march=native -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/i2p/*.config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-Os -march=native -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs buildsyspkg ccache distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.free.fr/mirrors/ftp.gentoo.org/ ftp://mirrors.linuxant.fr/distfiles.gentoo.org/ http://gentoo.modulix.net/gentoo/ ftp://mirror.ovh.net/gentoo-distfiles/"
LANG="fr_FR.UTF-8"
LC_ALL="fr_FR.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/var/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sunrise /var/lib/layman/zugaina /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="acl aio bash-completion bzip2 cli cracklib cxx dba dedicated dri dvdr extensions gd gpm hardened hardenedphp iconv ipv6 ithreads jpg lm_sensors logrotate mmx mmxext modules mudflap ncurses nfs nls nptl nptlonly openmp pam pcre pic pppd readline session sse sse2 sse3 ssl svg sysfs threads threadsafe thunar truetype unicode urandom x86 xorg xv zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" NGINX_MODULES_HTTP="access auth_basic autoindex gzip proxy rewrite" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 1 El Goretto 2010-12-31 14:36:41 UTC

Created attachment 258529 [details]
kernel 2.6.36-hardened-r7 config

Comment 2 Anthony Basile gentoo-dev

2010-12-31 15:04:36 UTC

(In reply to comment #1)
> Created an attachment (id=258529) [details]
> kernel 2.6.36-hardened-r7 config
> 

Thanks for the report.  I don't have some of your hardware so I have to ask you to try a few things:

1) Do a diff between the configs for 2.6.36-hardened-r2 and 2.6.36-hardened-r7 and make sure they are the same.  If not post the diff.

2) Using your 2.6.36-hardened-r7, turn off all GRSEC and PaX options and see if the problem clears.  If it doesn't then try vanilla 2.6.36.2 with the same config, except GRSEC/PaX obviously.  Report your results

I have a suspicion it may be due to the changes to the R8169 driver that comes from vanilla and its interaction with GRSEC/PaX.

In the mean time, 2.6.36-r2 is secure provided you don't configure ECONET which you almost certainly don't need.

Comment 3 El Goretto 2011-01-03 13:16:47 UTC

Hi Anthony, here we go:

1) Do a diff between the configs for 2.6.36-hardened-r2 and 2.6.36-hardened-r7
and make sure they are the same.  If not post the diff.

3,4c3,4
< # Linux kernel version: 2.6.36-hardened-r2
< # Wed Dec 22 15:31:51 2010
---
> # Linux kernel version: 2.6.36-hardened-r7
> # Tue Dec 28 11:15:22 2010
345d344
< CONFIG_CC_STACKPROTECTOR=y
682d680
< # CONFIG_ECONET is not set

I checked CC_STACKPROTECTOR and why it isn't enabled anymore:
"Depends on: X86_64 [=n] || !PAX_MEMORY_UDEREF [=y]"
Ok then, none of these conditions is met on my box :)


2) Using your 2.6.36-hardened-r7, turn off all GRSEC and PaX options and see if
the problem clears.  If it doesn't then try vanilla 2.6.36.2 with the same
config, except GRSEC/PaX obviously.  Report your results

Booted 2.6.36-hardened-r7 without grsec nor pax, and NFS "works" again (can't test samba right now. If you want I may try it later).

Comment 4 Anthony Basile gentoo-dev

2011-01-07 18:23:22 UTC

(In reply to comment #3)
> Hi Anthony, here we go:
> 
> 1) Do a diff between the configs for 2.6.36-hardened-r2 and 2.6.36-hardened-r7
> and make sure they are the same.  If not post the diff.
> 
> 3,4c3,4
> < # Linux kernel version: 2.6.36-hardened-r2
> < # Wed Dec 22 15:31:51 2010
> ---
> > # Linux kernel version: 2.6.36-hardened-r7
> > # Tue Dec 28 11:15:22 2010
> 345d344
> < CONFIG_CC_STACKPROTECTOR=y
> 682d680
> < # CONFIG_ECONET is not set
> 
> I checked CC_STACKPROTECTOR and why it isn't enabled anymore:
> "Depends on: X86_64 [=n] || !PAX_MEMORY_UDEREF [=y]"
> Ok then, none of these conditions is met on my box :)
> 
> 
> 2) Using your 2.6.36-hardened-r7, turn off all GRSEC and PaX options and see if
> the problem clears.  If it doesn't then try vanilla 2.6.36.2 with the same
> config, except GRSEC/PaX obviously.  Report your results
> 
> Booted 2.6.36-hardened-r7 without grsec nor pax, and NFS "works" again (can't
> test samba right now. If you want I may try it later).
> 

Okay it a hardened issue. I thought it might be hardware related because I can't reproduce it here, and the major difference between our config files is hardware.  Something changed between 36-r2 which was based on

  grsecurity-2.2.0-2.6.36-201011151726

and 36-r7 based on

  grsecurity-2.2.1-2.6.36.2-201012221906

I'll poke upstream see if they have a clue.  I will be adding 36-r8 soon, and you may want to try that, but I don't see any obvious changes that would address this.

Comment 5 El Goretto 2011-01-10 20:46:05 UTC

Tried 2.6.36-hardened-r8 with the very same .config than -r7... and "it works". Ahem. Well, good for me then, but I'm unable to identify what has changed.
I'll test it further and report if a problem arise on r8.

Comment 6 Anthony Basile gentoo-dev

2011-01-10 22:37:01 UTC

(In reply to comment #5)
> Tried 2.6.36-hardened-r8 with the very same .config than -r7... and "it works".
> Ahem. Well, good for me then, but I'm unable to identify what has changed.
> I'll test it further and report if a problem arise on r8.
> 

Please keep me up to date.  2.6.36-r8 and 2.6.32-r33 have shown no issues so far and are the next candidates for stabilization.

I'll close this bug once they go stable.

Comment 7 PaX Team 2011-01-11 16:40:39 UTC

(In reply to comment #5)
> Tried 2.6.36-hardened-r8 with the very same .config than -r7... and "it works".
> Ahem. Well, good for me then, but I'm unable to identify what has changed.

there was a small issue with a recent change in UDEREF/i386 where i forgot to update the IP checksum code that works directly on userland, so any kernel networking facility that relied on it was broken.

Comment 8 El Goretto 2011-01-12 10:45:56 UTC

(In reply to comment #7)
> (In reply to comment #5)
> > Tried 2.6.36-hardened-r8 with the very same .config than -r7... and "it works".
> > Ahem. Well, good for me then, but I'm unable to identify what has changed.
> 
> there was a small issue with a recent change in UDEREF/i386 where i forgot to
> update the IP checksum code that works directly on userland, so any kernel
> networking facility that relied on it was broken.

Thank you very much for this clarification.

Comment 9 Anthony Basile gentoo-dev

2011-02-04 00:46:21 UTC

2.6.36-r9 and 2.6.32-r34 are now in the tree and include the fix.  Closing.