Bug 351899 - sys-kernel/hardened-sources: ksysguardd segfaults constantly
Summary: sys-kernel/hardened-sources: ksysguardd segfaults constantly
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] KDE (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo KDE team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: Hardened_Docs
Reported: 2011-01-17 12:31 UTC by Vincent de Phily
Modified: 2011-03-18 16:55 UTC (History)
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (emerge.info,4.87 KB, text/plain)
2011-01-17 12:33 UTC, Vincent de Phily
Details
Core dump (core,784.00 KB, application/octet-stream)
2011-01-17 14:22 UTC, Francisco Blas Izquierdo Riera
Details
kernel .config (.config,68.95 KB, text/plain)
2011-01-17 20:04 UTC, Vincent de Phily
Details

Description Vincent de Phily 2011-01-17 12:31:04 UTC
KDE's ksysguardd segfaults all the time on my machine. Booting a non-hardened kernel seems to fix things. The logs simply state

Jan 17 13:06:47 moltowork kernel: [10721.503401] grsec: Segmentation fault occurred at 0000000000000018 in /usr/bin/ksysguardd[ksysguardd:31307] uid/euid:1000/1000 gid/egid:1019/1019, parent /usr/bin/kdeinit4[plasma-desktop:6085] uid/euid:1000/1000 gid/egid:1019/1019
Jan 17 13:06:47 moltowork kernel: [10721.503430] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/ksysguardd[ksysguardd:31307] uid/euid:1000/1000 gid/egid:1019/1019, parent /usr/bin/kdeinit4[plasma-desktop:6085] uid/euid:1000/1000 gid/egid:1019/1019


In ksysguard itself, the process list works but the graphs (CPU usage, etc) don't. I tried running ksysguardd manually and querying various stuff on its stdin, but couldn't get it to crash this way.

I know I should raise RLIMIT_CORE and examine the resulting corefile, but I do not have much time available for this (I also delayed reporting this bug due to time constraints). I want to dig a little deeper when I have time, but in the meantime I'd be delighted to know if others can reproduce the bug.
Comment 1 Vincent de Phily 2011-01-17 12:33:44 UTC
Created attachment 260042 [details]
emerge --info
Comment 2 Francisco Blas Izquierdo Riera gentoo-dev 2011-01-17 14:22:30 UTC
Created attachment 260050 [details]
Core dump

The empty graphs looks reasonable to me as I'm sure grsec won't allow ksysguard to get this information.

But the segfaults...

Well I reproduced it so here is a nice core :D
Comment 3 Francisco Blas Izquierdo Riera gentoo-dev 2011-01-17 14:25:22 UTC
The bt for your viewing pleasure:
#0  0x0000003007ca989a in updateCPULoad ()
#1  0x0000003007caac5f in processStat ()
#2  0x0000003007cabca9 in printCPUxTotalLoad ()
#3  0x0000003007c969e6 in executeCommand ()
#4  0x0000003007c97e62 in main ()

I'm going to try getting the arguments in executeCommand so I can try reproducing it inside of gdb. 
Comment 4 Francisco Blas Izquierdo Riera gentoo-dev 2011-01-17 14:39:23 UTC
More info:
$ ksysguardd 
ksysguardd 4
(c) 1999, 2000, 2001, 2002 Chris Schlaeger <cs@kde.org>
(c) 2001 Tobias Koenig <tokoe@kde.org>
(c) 2006-2008 Greg Martyn <greg.martyn@gmail.com>
This program is part of the KDE Project and licensed under
the GNU GPL version 2. See http://www.kde.org for details.
ksysguardd> cpu/cpu0/TotalLoad
Violación de segmento (`core' generado)

As you can see, the segfault is caused by the TotalLoad set of commands; can the KDE techies tell me what it is supposed to do?
Comment 5 Francisco Blas Izquierdo Riera gentoo-dev 2011-01-17 15:54:41 UTC
OK, tracked down the bug:

The problem is that on hardened systems /proc/vmstat is not readable by non-root users; this makes initStat return without initialising SMPLoad.

As ksysguardd is not aware of this, and the error message is oddly not printed out, any further commands making use of the non-initialised structures will kill the program.

The funny thing is that this bad usage of return appears in ALL the checks for /proc/vmstat and /proc/stat in the stat.c file, so not having access to either may open a nice window for a privilege escalation, although this happening would be odd.

To the user: running chmod o+r /proc/vmstat should solve the issue, although if that file is readable only by root it is for a reason (I don't know why right now, sorry).

To the KDE team: this should be reported upstream, as it can be a security problem and is clearly incorrect behaviour.
Comment 6 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2011-01-17 18:46:21 UTC
I'll report it upstream.
Bug is non-public now.
Comment 7 Anthony Basile gentoo-dev 2011-01-17 19:36:51 UTC
Can you please post your kernel.config and emerge --info.

I think the following will solve your problem:

1) Recompile your kernel with Security Level set to CONFIG_GRKERNSEC_HARDENED_WORKSTATION (or any other method that makes sure that CONFIG_GRKERNSEC_PROC, CONFIG_GRKERNSEC_PROC_USERGROUP and GRKERNSEC_PROC_GID=10 are set)

2) Add your user to the wheel group

3) Run ksysguardd

While adding yourself to wheel may not be the ideal situation, the above will allow you to view /proc/vmstat.

Although, it should not segfault on not being able to read vmstat, but fail with some warning.
Comment 8 Anthony Basile gentoo-dev 2011-01-17 19:39:06 UTC
(In reply to comment #7)
> Can you please post your kernel.config and emerge --info.
> 
> I think the following will solve your problem:
> 
> 1) Recompile your kernel with Security Level set to
> CONFIG_GRKERNSEC_HARDENED_WORKSTATION (or any other method that makes sure that
> CONFIG_GRKERNSEC_PROC and CONFIG_GRKERNSEC_PROC_USERGROUP and
> GRKERNSEC_PROC_GID =10 are set)
> 
> 2) Add your user to the wheel group
> 
> 3) Run ksysguardd
> 
> While adding yourself to wheel may not be the ideal situation, the above will
> allow you to view /proc/vmstat.
> 
> Although, it should not seg fault on not being able to read vmstat, but fail
> with some warning.
> 

I'm sorry, addendum: I forgot about recent changes. You do not need to be in the wheel group since the permissions/ownership are 444 root/wheel.
Comment 9 Vincent de Phily 2011-01-17 20:04:41 UTC
Created attachment 260069 [details]
kernel .config

.config - Linux Kernel v2.6.36-hardened-r6

Base grsec config is workstation-no-rbac.
The options mentioned in comment #7 are set as suggested.
Comment 10 Vincent de Phily 2011-01-17 20:12:56 UTC
My kernel config (see attachment) already matched your requirement.
This user is already member of the wheel group (GID 10).
Should I also enable CONFIG_GRKERNSEC_PROC_USER? This option is actually a big PITA at runtime.

-r-------- 1 root wheel 0 Jan 17 21:07 /proc/vmstat

"chmod g+r /proc/vmstat" does solve the problem (no more segfaults), but is not a very tempting workaround.
Comment 11 Anthony Basile gentoo-dev 2011-01-17 21:21:19 UTC
(In reply to comment #10)
> My kernel config (see attachment) already matched your requirement.
> This user is already member of the wheel group (GID 10).
> Should I also enable CONFIG_GRKERNSEC_PROC_USER ? This option is actually a big
> PITA at runtime.
> 
> -r-------- 1 root wheel 0 Jan 17 21:07 /proc/vmstat
> 
> "chmod g+r /proc/vmstat" does solve the problem (no more segfaults), but is not
> a very tempting workaround.
> 

I'm sorry, I rushed too fast when I posted and forgot one more item. You need to set CONFIG_GRKERNSEC_PROC_ADD=n to get

   -r--r--r-- 1 root wheel 0 Jan 17 16:08 /proc/vmstat

Looking at your kernel config I see that you have it on.  Turning it off will fix the problem.

We had to make a choice regarding this option: on the SERVER security levels we force it on for added security.  On the WORKSTATION levels, we give the user a choice allowing them to revert to the restricted permissions, breaking certain system monitors for non root users, but adding security.

@klondike, please add this ^^^ to the documentation.

I'll leave this bug open for further discussion before closing it INVALID.  Although the fact that ksysguardd seg faults rather than exiting more gracefully is a problem that upstream on their side needs to fix.  If need be, open a bug regarding that.
Comment 12 Vincent de Phily 2011-01-17 23:20:31 UTC
(In reply to comment #11)
> I'm sorry I rushed too fast when I posted and forgot one more item.  You need
> to set CONFIG_GRKERNSEC_PROC_ADD=n

Thanks that does the trick, even for a non-wheel user.

> We had to make a choice regarding this option: on the SERVER security levels we
> force it on for added security.  On the WORKSTATION levels, we give the user a
> choice allowing them to revert to the restricted permissions, breaking certain
> system monitors for non root users, but adding security.

Fair enough. Most of those options are compromises anyway. I do not recall ever manually touching this option though, so I believe the current default is CONFIG_GRKERNSEC_PROC_ADD=y? If so, you might want to change it for the WORKSTATION level, as a lot of users will be running into the issue.

> I'll leave this bug open for further discussion before closing it INVALID. 
> Although the fact that ksysguardd seg faults rather than exiting more
> gracefully is a problem that upstream on their side needs to fix.  If need be,
> open a bug regarding that.

I agree this is invalid for the kernel, and should be reported upstream. Did I understand correctly that I can describe the bug as "ksysguardd segfaults when /proc/vmstat is not readable (grsec-enforced permission)" upstream?

A link to the gentoo bug should probably be provided in the upstream bug; can the gentoo bug be made public again, or do the security implications complicate the procedure (how?)?

And to finish: kudos Klondike and Anthony for the quick diagnosis, you rock :)
Comment 13 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2011-01-17 23:39:23 UTC
For the record, I reported the problem to the KDE security team; they also agreed that it is a casual bug and not a security issue. Bug is public again.
So, please file an upstream bug report about the crash. I'll close that as invalid.
@hardened, thanks a lot for your help
Comment 14 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2011-01-17 23:39:36 UTC
sorry wrong resolution
Comment 15 Francisco Blas Izquierdo Riera gentoo-dev 2011-01-17 23:48:47 UTC
I'm glad this is not more important than a casual bug :D

On the presence of the vmstat (and the stats) files: they can be disabled in certain embedded systems.

The problems are that there is no warning for some odd reason, and the usage of uninitialised data structures at a known address (NULL) may be exploitable (can't find a POC though), as data seems to be written before read and no buffers are involved.

Of course this can trigger a DoS of the ksysguardd service on systems with this bug, but I doubt this can be triggered at will and go undiscovered before.

On a related note, ksysguard should check if the monitor being used is available before trying to query it and show a warning instead of a white graphic in that case.
Comment 16 Anthony Basile gentoo-dev 2011-01-18 00:27:23 UTC
> > to set CONFIG_GRKERNSEC_PROC_ADD=n
> 
> Thanks that does the trick, even for a non-wheel user.
> 

Yep, this is the new behavior as of 2.6.32-r10 and above.

> I believe the current default is
> CONFIG_GRKERNSEC_PROC_ADD=y ? 

The default is off.  I just checked.

>  Did I
> understand correctly that I can describe the bug as "ksysguardd segfaults when
> /proc/vmstat is not readable (grsec-enforced permission)" upstream ?

This would convey the idea.

> A link to the gentoo bug should probably be provided in the upstream bug; can
> the gentoo bug be made public again or do the security implications complicate
> the procedure (how ?) ?

I don't see much in the way of security implications.  Sounds to me like an ordinary bug where it is just assumed that /proc/vmstat is readable and no sanity check is made when open() fails.  Tsk tsk!
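The defect described in comment 5 and summarised in comment 16 (initStat silently returning when /proc/vmstat or /proc/stat cannot be opened, so that a later TotalLoad request dereferences a structure that was never initialised) is a general pattern, and the following is an added example of the defensive shape of that code, not ksysguardd's or the KDE project's own source. The names CPULoadInfo, StatMonitor, initStat, cpuTotalLoad and writeSampleStat, the subset of the /proc/stat row layout it parses, and the /tmp sample path are assumptions. The init routine records why open() failed and leaves the monitor in an explicit uninitialised state, and every query checks that state first, so an unreadable file produces an error line instead of a fault at a NULL-based address such as the 0x18 seen in the grsec log above.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Per-CPU counters from a "cpuN user nice sys idle ..." row of /proc/stat.
 * Hypothetical layout, not ksysguardd's SMPLoad structure. */
typedef struct {
    unsigned long user, nice, sys, idle;
} CPULoadInfo;

/* Monitor state: `cpus` stays NULL until initStat() succeeds, and every
 * query checks `initialized` before touching it. */
typedef struct {
    CPULoadInfo *cpus;
    int ncpus;
    int initialized;
    char error[160];
} StatMonitor;

/* Load the monitor from a /proc/stat-style file. Returns 0 on success or -1 on
 * failure, with the reason kept in m->error and the monitor left uninitialised. */
int initStat(StatMonitor *m, const char *statPath)
{
    memset(m, 0, sizeof *m);
    FILE *f = fopen(statPath, "r");
    if (f == NULL) {
        /* The branch this bug is about: on a grsec kernel with restricted /proc
         * the open fails for non-root users. Record it rather than ignore it. */
        snprintf(m->error, sizeof m->error, "cannot open %s: %s",
                 statPath, strerror(errno));
        return -1;
    }
    char line[512];
    while (fgets(line, sizeof line, f) != NULL) {
        unsigned int idx;
        unsigned long u, n, s, i;
        /* Only "cpuN" rows carry a digit at [3]; the aggregate "cpu " row does not. */
        if (strncmp(line, "cpu", 3) != 0 || line[3] < '0' || line[3] > '9')
            continue;
        if (sscanf(line, "cpu%u %lu %lu %lu %lu", &idx, &u, &n, &s, &i) != 5)
            continue;
        CPULoadInfo *grown = realloc(m->cpus, (size_t)(m->ncpus + 1) * sizeof *grown);
        if (grown == NULL) {
            fclose(f);
            free(m->cpus);
            memset(m, 0, sizeof *m);
            snprintf(m->error, sizeof m->error, "out of memory");
            return -1;
        }
        m->cpus = grown;
        m->cpus[m->ncpus++] = (CPULoadInfo){u, n, s, i};
    }
    fclose(f);
    if (m->ncpus == 0) {
        snprintf(m->error, sizeof m->error, "no cpuN rows in %s", statPath);
        return -1;
    }
    m->initialized = 1;
    return 0;
}

/* Answer a "cpu/cpuN/TotalLoad" request: percentage of non-idle time in the
 * sampled counters. Returns 0..100 and writes it to `out`, or returns -1 and
 * writes an error line when the monitor is unavailable or the CPU is unknown. */
int cpuTotalLoad(const StatMonitor *m, int cpu, char *out, size_t outlen)
{
    if (!m->initialized || m->cpus == NULL) {
        snprintf(out, outlen, "error: cpu monitor unavailable (%s)",
                 m->error[0] ? m->error : "not initialised");
        return -1;
    }
    if (cpu < 0 || cpu >= m->ncpus) {
        snprintf(out, outlen, "error: no such cpu %d", cpu);
        return -1;
    }
    const CPULoadInfo *c = &m->cpus[cpu];
    unsigned long total = c->user + c->nice + c->sys + c->idle;
    if (total == 0) {
        snprintf(out, outlen, "error: cpu%d has no samples", cpu);
        return -1;
    }
    int load = (int)(100UL * (total - c->idle) / total);
    snprintf(out, outlen, "%d", load);
    return load;
}

void freeStat(StatMonitor *m) { free(m->cpus); memset(m, 0, sizeof *m); }

/* Write a constructed /proc/stat sample so the example runs offline. */
int writeSampleStat(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("cpu  150 50 200 1100 0 0 0 0 0 0\n"
          "cpu0 100 0 100 800 0 0 0 0 0 0\n"    /* 20% busy */
          "cpu1 50 50 100 300 0 0 0 0 0 0\n"    /* 40% busy */
          "intr 0\nctxt 0\n", f);
    return fclose(f);
}

int main(void)
{
    StatMonitor m;
    char out[256];
    const char *sample = "/tmp/ksysguardd_example_stat"; /* constructed path */
    /* 1. Unreadable file: initStat fails and the query reports instead of crashing. */
    if (initStat(&m, "/nonexistent/proc/stat") != 0)
        printf("initStat: %s\n", m.error);
    cpuTotalLoad(&m, 0, out, sizeof out);
    printf("cpu/cpu0/TotalLoad -> %s\n", out);
    /* 2. Readable constructed sample: one answer per cpuN row. */
    if (writeSampleStat(sample) == 0 && initStat(&m, sample) == 0)
        for (int i = 0; i < m.ncpus; i++) {
            cpuTotalLoad(&m, i, out, sizeof out);
            printf("cpu/cpu%d/TotalLoad -> %s\n", i, out);
        }
    freeStat(&m);
    remove(sample);
    return 0;
}
```

The two things that would have changed the outcome in this bug are the non-zero return from initStat when fopen() fails and the `initialized` check at the top of every query; with those in place a restricted /proc only costs the user a monitor, not the daemon.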

Comment 17 Vincent de Phily 2011-01-21 11:09:17 UTC
Created upstream bug:

https://bugs.kde.org/show_bug.cgi?id=263853
Comment 18 Steve Dibb (RETIRED) gentoo-dev 2011-03-18 16:55:19 UTC
(In reply to comment #17)
> Created upstream bug:
> 
> https://bugs.kde.org/show_bug.cgi?id=263853

And fixed upstream