
Bug 404387

Summary: sys-kernel/hardened-sources-2.6.32-r89: Unbootable kernel with CONFIG_GRKERNSEC_SETXID=y
Product: Gentoo Linux
Reporter: Torbjörn Svensson <azoff>
Component: [OLD] Core system
Assignee: The Gentoo Linux Hardened Kernel Team (OBSOLETE) <hardened-kernel+disabled>
Status: RESOLVED FIXED
Severity: critical
CC: hardened
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Torbjörn Svensson 2012-02-18 14:02:34 UTC
When enabling the kernel option CONFIG_GRKERNSEC_SETXID on hardened-source-2.6.32-r89, the kernel no longer boots properly. The initramfs loads and the kernel prints all the normal info. The last line I see on the screen is that proc has been mounted, and after that the system just freezes. Sometimes it reboots after a few seconds (I've got panic=10 in grub) but most of the time it's just stuck. I never see any kernel panic message on the screen, nor on the netconsole. I've also been able to reproduce the behavior on another system with identical CPU, motherboard and memory but with a different storage controller and graphics card.

pipacs in #grsecurity asked me to try a later version of spender's patch, and it worked like a charm.

Please bump to a later version of the grsec patch.

Both sys-kernel/hardened-sources-2.6.32-r90 and sys-kernel/hardened-sources-2.6.32-r91 seem to be working fine.

Reproducible: Always

Steps to Reproduce:
1. Build a kernel with CONFIG_GRKERNSEC_SETXID=y
2. Reboot to the kernel
Actual Results:  
System freezes

Expected Results:  
System boots properly

Portage 2.1.10.44 (hardened/linux/amd64, gcc-4.5.3, glibc-2.13-r4, 2.6.32-hardened-r89 x86_64)
=================================================================
System uname: Linux-2.6.32-hardened-r89-x86_64-Intel-R-_Core-TM-2_Duo_CPU_E6850_@_3.00GHz-with-gentoo-2.0.3
Timestamp of tree: Thu, 09 Feb 2012 16:45:01 +0000
app-shells/bash:          4.1_p9
dev-lang/python:          2.7.2-r3, 3.1.4-r3
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r1
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Comment 1 Anthony Basile gentoo-dev 2012-02-18 14:09:12 UTC
> pipacs in #grsecurity asked me to try a later version of spender's patch, and
> it worked like a charm.
> 
> Please bump to a later version of the grsec patch.
> 
> Both sys-kernel/hardened-sources-2.6.32-r90 and
> sys-kernel/hardened-sources-2.6.32-r91 seams to be working fine.
> 

Thanks for the report.  Unfortunately, hardened-sources-2.6.32-r89 was fast-track stabilized with hardened-sources-3.2.2-r1 to deal with an information leak out of /proc.  So I wonder if the same problem is in 3.2.2-r1.  Can you test that one with as close a config as possible and see if you hit the same hangup?  If so, I'll fast-track 2.6.32-r90 and 3.2.5.
Comment 2 Torbjörn Svensson 2012-02-18 17:20:26 UTC
I've just tested sys-kernel/hardened-sources-3.2.2-r1 and it works.

In spender's changelog for stable I found this (probably related):

commit cf5731b0b8ac026402e004a62cc3b0c522b5d9d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 7 17:21:00 2012 -0500

    Add current_is_single_threaded() fix I applied to the test branch but
    forgot to apply to stable when backporting GRKERNSEC_SETXID
I've just tested sys-kernel/hardened-sources-2.6.32-r89 with the "if(!mm) return true;" fix for current_is_single_threaded(void) and it boots! Have no idea what other impact it has though.

Just for the exercise, I also added a WARN_ON(!mm); and I got 38 hits during a normal boot up, so I'm quite surprised that no one else has run into this issue.
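A userspace model of the check in question, added here as an example (it is not kernel code and not the patch from the thread): it mirrors the structure of the 2.6.32 helper current_is_single_threaded() from lib/is_single_threaded.c, adds the "if(!mm) return true;" guard the comment above describes, and counts how often a kernel thread (a task with no mm) reaches it, like the reporter's WARN_ON(!mm). The argument list, the plain-int counters and the task array are simplifications; the real function takes no arguments and walks the task list under RCU.

```c
/* Userspace model (added example, not kernel code) of 2.6.32's
 * current_is_single_threaded(), with the NULL-mm guard from the fix above.
 * Kernel atomics and the RCU task walk become plain ints and an array. */
#include <stdbool.h>
#include <stddef.h>

struct mm_struct { int mm_users; };      /* tasks mapping this address space */
struct signal_struct { int live; };      /* live threads in the thread group */
struct task_struct {
    const char *comm;
    struct mm_struct *mm;                /* NULL for kernel threads */
    struct signal_struct *signal;        /* shared by all threads of a group */
};

int null_mm_hits;  /* kernel-thread callers, like the reporter's WARN_ON(!mm) */

/* true when no other task anywhere shares the caller's address space */
bool current_is_single_threaded(const struct task_struct *task,
                                const struct task_struct *all, size_t n)
{
    const struct mm_struct *mm = task->mm;

    if (task->signal->live != 1)         /* other threads in our own group */
        return false;
    if (!mm) {                           /* the fix: a kernel thread owns no mm,
                                            so nothing can share it; without this
                                            the next line dereferences NULL */
        null_mm_hits++;
        return true;
    }
    if (mm->mm_users == 1)               /* fast path: we are the only user */
        return true;
    for (size_t i = 0; i < n; i++) {     /* slow path: mm_users may be stale */
        const struct task_struct *t = &all[i];
        if (!t->mm || t->signal == task->signal)
            continue;                    /* kernel thread, or our own group */
        if (t->mm == mm)
            return false;                /* e.g. a CLONE_VM sibling */
    }
    return true;
}

/* Constructed sample task list: a kernel thread, a lone process, and a
 * CLONE_VM pair (two thread groups sharing one mm, as after vfork()). */
struct mm_struct mm_init = { 1 }, mm_shared = { 2 };
struct signal_struct sig_kt = { 1 }, sig_init = { 1 }, sig_a = { 1 }, sig_b = { 1 };
struct task_struct sample_tasks[] = {
    { "kthreadd",     NULL,       &sig_kt },
    { "init",         &mm_init,   &sig_init },
    { "vfork-parent", &mm_shared, &sig_a },
    { "vfork-child",  &mm_shared, &sig_b },
};
const size_t sample_task_count = sizeof sample_tasks / sizeof sample_tasks[0];
```

Without the guard, the kthreadd entry would dereference a NULL mm on the mm_users read, which is the boot-time hang described in this bug.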
Comment 3 Anthony Basile gentoo-dev 2012-02-18 18:33:01 UTC
(In reply to comment #2)
> I've just tested sys-kernel/hardened-sources-3.2.2-r1 and it works.
> 
> In spender's changelog for stable I found this (probably related):
> 
> commit cf5731b0b8ac026402e004a62cc3b0c522b5d9d2
> Author: Brad Spengler <spender@grsecurity.net>
> Date:   Tue Feb 7 17:21:00 2012 -0500
> 
>     Add current_is_single_threaded() fix I applied to the test branch but
>     forgot to apply to stable when backporting GRKERNSEC_SETXID
> 
> I've just tested sys-kernel/hardened-sources-2.6.32-r89 with the "if(!mm)
> return true;" fix for current_is_single_threaded(void) and it boots! Have no
> idea what other impact it has though.
> 
> Just for the exercise, I also added a WARN_ON(!mm); and I got 38 hits during a
> normal boot up, so I'm quite surprised that no one else has run into this
> issue.

I'm surprised too! I do test these kernels, but I can't test every combination of feature and hardware.  Usually the community comes forward.

Okay I'm leaving 3.2.2-r1 alone, stabilizing 2.6.32-r90 and removing 2.6.32-r89.
Comment 4 Anthony Basile gentoo-dev 2012-02-18 18:42:56 UTC
> Okay I'm leaving 3.2.2-r1 alone, stabilizing 2.6.32-r90 and removing
> 2.6.32-r89.

Done.