Bug 459268 - net-mail/dovecot: oversteps resource limits
Summary: net-mail/dovecot: oversteps resource limits
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: x86 Linux
Importance: Normal normal
Assignee: Eray Aslan
Reported: 2013-02-26 09:42 UTC by Alexander Stoll
Modified: 2019-04-26 02:40 UTC
Description Alexander Stoll 2013-02-26 09:42:52 UTC
All current in-tree hardened-sources greater than version 3.5.4-r1 generate RLIMIT_AS resource overstep events for net-mail/dovecot processes (observed for 2.1.13/2.1.15). Searching the web for this shows that this already has a history. I don't know exactly who is to blame, dovecot for the way it is managing resources or grsec patches for false triggering.
Since stepping down the kernel version solves the issue, I file this bug for hardened-sources. Observed on multiple x86 hardened boxes with log entries like these:
[kernel] grsec: denied resource overstep by requesting 268464128 for RLIMIT_AS against limit 268435456 for /usr/libexec/dovecot/lmtp

As well as for other dovecot components like the auth-worker.

Reproducible: Always

Steps to Reproduce:
1. run a hardened x86 box with dovecot
2. watch log events coming up during dovecot usage

Actual Results:  
dovecot processes failing due to falsely detected RLIMIT_AS resource oversteps and crashing

Expected Results:  
proper resource allocation for dovecot processes

Portage 2.1.11.50 (hardened/linux/x86, gcc-4.6.3, glibc-2.15-r3, 3.8.0-hardened i686)
=================================================================
System uname: Linux-3.8.0-hardened-i686-AMD_Athlon-tm-_64_Processor_3200+-with-gentoo-2.1
KiB Mem:     1032616 total,    500900 free
KiB Swap:     391148 total,    391148 free
Timestamp of tree: Tue, 26 Feb 2013 09:00:01 +0000
Comment 1 Anthony Basile gentoo-dev 2013-02-27 23:56:00 UTC
(In reply to comment #0)
> All current in-tree hardened-sources greater than version 3.5.4-r1 generate
> RLIMIT_AS resource overstep events for net-mail/dovecot processes (observed
> for 2.1.13/2.1.15). Searching the web for this shows that this already has a
> history. I don't know exactly who is to blame, dovecot for the way it is
> managing resources or grsec patches for false triggering.
> Since stepping down the kernel version solves the issue, I file this bug for
> hardened-sources. Observed on multiple x86 hardened boxes with log entries
> like these:
> [kernel] grsec: denied resource overstep by requesting 268464128 for
> RLIMIT_AS against limit 268435456 for /usr/libexec/dovecot/lmtp
> 
> As well as for other dovecot components like the auth-worker.
> 

grsec is reporting a resource overstep.  The problem is in dovecot trying to overstep the limit, not in grsec reporting it.  However, I'm not sure why the earlier kernels are not complaining.  I'll pass this by upstream to see what they think.
Comment 2 cyberbat 2013-03-05 12:47:52 UTC
I got the same issue. It was fixed by increasing

/etc/dovecot/conf.d/10-master.conf:default_vsz_limit
Comment 3 Anthony Basile gentoo-dev 2013-03-05 13:33:50 UTC
(In reply to comment #2)
> I got the same issue. It was fixed by increasing
> 
> /etc/dovecot/conf.d/10-master.conf:default_vsz_limit

This is something the dovecot maintainers may want to tweak.  I'll pass it their way.

@eras: please note, as stated above, the hardened-sources kernel reports the resource overstep but is not the cause of it.  You may want to push out dovecot with a higher default_vsz_limit.

@cyberbat: can you tell us what you set the value to?
Comment 4 Eray Aslan gentoo-dev 2013-03-05 14:10:31 UTC
This is not a hardened problem.  Vanilla kernel would have killed the process when it reaches the vsz_limit as well.

There is no way to calculate a good default_vsz_limit at installation.  A good approximation is to find your largest dovecot.index.cache file and have vsz_limit at least 3 times that value.  Default is 256M.  For a busy server, 1GB (or even higher) is a reasonable choice.  You can also set it to 0 to disable the limit at the cost of a memory leak eating all your memory.

If you have a busy server, you need to adjust your config appropriately.  I am inclined to close this as WONTFIX.  Setting a default_vsz_limit of 1GB for all dovecot users is not a good choice.

No idea why earlier hardened kernels did not give an error.

Please let me know if increasing default_vsz_limit does not solve your problem.
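
The sizing rule from comment 4, together with a parser for the grsec denial line quoted in the description, as an added example (not code from this bug thread, dovecot or grsecurity). The function names and the `/var/mail` mail root are assumptions.

```python
import os
import re

# Shape of the grsec denial line quoted in the bug description.
OVERSTEP_RE = re.compile(
    r"grsec: denied resource overstep by requesting (?P<requested>\d+) "
    r"for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) for (?P<path>\S+)"
)

def parse_overstep(line):
    """Return a dict for a grsec resource-overstep line, or None if no match."""
    m = OVERSTEP_RE.search(line)
    if not m:
        return None
    requested, limit = int(m["requested"]), int(m["limit"])
    return {"resource": m["resource"], "path": m["path"],
            "requested": requested, "limit": limit,
            "over_by": requested - limit}

def largest_index_cache(mail_root):
    """Size in bytes of the largest dovecot.index.cache below mail_root (0 if none)."""
    largest = 0
    for dirpath, _dirs, files in os.walk(mail_root):
        if "dovecot.index.cache" in files:
            try:
                size = os.path.getsize(os.path.join(dirpath, "dovecot.index.cache"))
            except OSError:
                continue  # file removed or unreadable while walking
            largest = max(largest, size)
    return largest

def min_vsz_limit_mib(mail_root, factor=3):
    """Comment 4's rule of thumb: at least `factor` times the largest cache, in MiB."""
    need = factor * largest_index_cache(mail_root)
    return -(-need // (1024 * 1024))  # round up to a whole MiB

if __name__ == "__main__":
    # Log line copied from the bug description.
    line = ("[kernel] grsec: denied resource overstep by requesting 268464128 for "
            "RLIMIT_AS against limit 268435456 for /usr/libexec/dovecot/lmtp")
    hit = parse_overstep(line)
    print(hit["path"], "over", hit["resource"], "by", hit["over_by"], "bytes")
    # /var/mail is an assumed mail root; point it at the real mail storage.
    print("largest cache x3 =", min_vsz_limit_mib("/var/mail"), "MiB")
```

If the computed value is below the limit shown in the denial line, the index cache size does not account for the overstep under this rule of thumb.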
Comment 5 PaX Team 2013-03-05 14:45:26 UTC
please don't remove me (or anyone else) from CC unless explicitly asked for (and one can do it themselves should one feel so inclined). the particular reason i want to be on this bug is because the brk randomization in PaX does increase vsize but should not increase rss, so it's a potential problem i'd like to look into just in case i missed something in vma accounting (this code did change around that kernel version, but i don't know if it's correlated yet). and of course i agree that apps shouldn't try to second guess their address space usage, but that's a discussion for another time ;).
Comment 6 Anthony Basile gentoo-dev 2013-03-05 16:52:18 UTC
(In reply to comment #5)
> please don't remove me (or anyone else) from CC unless explicitly asked for

Sorry I just didn't want you to get a bunch of unrelated bug reports.
Comment 7 Brad Spengler 2013-03-06 04:13:04 UTC
Hi,

Can you try the following patch:
http://grsecurity.net/~spender/rlimit_as.diff

It should resolve this issue.

Thanks,
-Brad
Comment 8 cyberbat 2013-03-06 19:19:13 UTC
What issue should this patch resolve? Should I try it if I've fixed the problem by increasing dovecot's vsz_limit?

(In reply to comment #7)
> Hi,
> 
> Can you try the following patch:
> http://grsecurity.net/~spender/rlimit_as.diff
> 
> It should resolve this issue.
> 
> Thanks,
> -Brad
Comment 9 cyberbat 2013-03-08 15:18:43 UTC
I got exactly the same thing with vsftpd working in SSL-only mode. I run my VPS with 256 MB of RAM and swap and I had no errors with dovecot or vsftpd before upgrading hardened-sources-3.7.0 to hardened-sources-3.8.0-r1. I have few (< 5) users on my VPS and rather small mailboxes. So there is no reason for vsftpd or dovecot to overstep limits.

So the issue seems to be with hardened-sources and not with userspace software as described in comment 5.
Comment 10 Alexander Stoll 2013-03-09 12:29:09 UTC
(In reply to comment #7)
> Hi,
> 
> Can you try the following patch:
> http://grsecurity.net/~spender/rlimit_as.diff
> 
> It should resolve this issue.
> 
> Thanks,
> -Brad

Tested with patching hardened-sources-3.8.2, patch applied cleanly, not usable, kernel panic while loading kernel...
Comment 11 PaX Team 2013-03-10 16:59:53 UTC
the next PaX patch should fix this.
Comment 12 Anthony Basile gentoo-dev 2013-03-26 11:58:32 UTC
(In reply to comment #11)
> the next PaX patch should fix this.

@reporter.  is this fixed in the latest hardened-sources?
Comment 13 Alexander Stoll 2013-03-26 20:59:51 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > the next PaX patch should fix this.
> 
> @reporter.  is this fixed in the latest hardened-sources?

Testbox looking good, will roll out to affected boxes and verify.
Please stand by for confirmation.
Comment 14 cyberbat 2013-03-27 09:14:18 UTC
I have tried vsftpd and dovecot with default_vsz_limit reverted back to 64 on my VPS with hardened-sources-3.8.4. Seems to be running normally. Maybe it's time to edit the summary of this bug because it's not a dovecot issue?
Comment 15 Anthony Basile gentoo-dev 2013-04-02 16:12:45 UTC
(In reply to comment #14)
> I have tried vsftpd and dovecot with default_vsz_limit reverted back to 64
> on my VPS with hardened-sources-3.8.4. Seems to be running normally. Maybe
> it's time to edit the summary of this bug because it's not a dovecot issue?

Actually it's time to just close it.
Comment 16 cyberbat 2013-04-22 09:42:06 UTC
This bug isn't fixed in hardened-sources-3.8.3, only in 3.8.4. I'm really confused why hardened-sources-3.8.3 is stable and 3.8.4 has gone away from portage.
Comment 17 Anthony Basile gentoo-dev 2013-04-22 09:59:37 UTC
(In reply to comment #16)
> This bug isn't fixed in hardened-sources-3.8.3, only in 3.8.4. I'm really
> confused why hardened-sources-3.8.3 is stable and 3.8.4 has gone away from
> portage.

My bad.  Can you try hardened-sources-3.8.6 and I'll stabilize.
Comment 18 cyberbat 2013-04-26 20:34:50 UTC
(In reply to comment #17)
> (In reply to comment #16)
> > This bug isn't fixed in hardened-sources-3.8.3, only in 3.8.4. I'm really
> > confused why hardened-sources-3.8.3 is stable and 3.8.4 has gone away from
> > portage.
> 
> My bad.  Can you try hardened-sources-3.8.6 and I'll stabilize.

3.8.6 seems to be ok.