Carlos Carvalho | 21 Apr 2011 22:17

problems with latest 38.3 patch

With 2.2.2-2.6.38.3-201104201821.patch and Debian I'm getting nasty
errors from web browsers.

First, with FF 3.5 in Debian, it gets stuck in an infinite loop at
startup consuming 100% cpu. strace of some seconds produced 600,000+
lines of which almost all are:

 150049 mmap2(0xad000000, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xad057000
 150049 mmap2(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xacf57000
 150049 munmap(0xacf57000, 2097152)             = 0
 150051 munmap(0xad057000, 1048576)             = 0

Next I tried vanilla FF 3.5 and 3.6. Both give

./firefox-bin: error while loading shared libraries: ./libxul.so: cannot make segment writable for relocation: Permission denied

Then I tried Debian chromium, which produces

/usr/lib/chromium-browser/chromium-browser: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Operation not permitted

Without grsec, 38.3 works as usual. This is without KERN_LOCKOUT.

Is it possible to get the browsers running with the new grsec?
Brad Spengler | 21 Apr 2011 23:43

Re: problems with latest 38.3 patch

You're seeing these messages now because up until now you didn't read 
the configuration help ;)  See this post:
http://forums.grsecurity.net/viewtopic.php?f=3&t=2603

You may also need to run execstack -c (from the prelink package) on the 
libraries that cause errors when loading.  The firefox issue is a known
upstream bug:
https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Application-specific_Settings#Firefox_.28or_Iceweasel_with_Debian.29
"Firefox >= 3.5 may need RANDMMAP to be disabled, if not it will enter 
in an infinite loop during startup. To disable, execute paxctl -r 
/firefox_binary. Usually the binary is somewhere in 
/usr/lib64/*firefox*. See http://bugs.gentoo.org/show_bug.cgi?id=278698 
for more details."

-Brad

On Thu, Apr 21, 2011 at 05:17:50PM -0300, Carlos Carvalho wrote:
> With 2.2.2-2.6.38.3-201104201821.patch and Debian I'm getting nasty
> errors from web browsers.
> 
> First, with FF 3.5 in Debian, it gets stuck in an infinite loop at
> startup consuming 100% cpu. strace of some seconds produced 600,000+
> lines of which almost all are:
> 
>  150049 mmap2(0xad000000, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xad057000
>  150049 mmap2(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xacf57000
>  150049 munmap(0xacf57000, 2097152)             = 0
>  150051 munmap(0xad057000, 1048576)             = 0
> 
> Next I tried vanilla FF 3.5 and 3.6. Both give

Carlos Carvalho | 24 Apr 2011 00:19

Re: problems with latest 38.3 patch

Brad Spengler (spender@...) wrote on 21 April 2011 17:43:
 >You're seeing these messages now because up until now you didn't read 
 >the configuration help ;)  See this post:
 >http://forums.grsecurity.net/viewtopic.php?f=3&t=2603

I've been looking at it for eons. Understanding a word of it is
another story :-( Besides, some of your quotes in that post don't
match the current patch...

So it seems that PaX is now turned on. And it strongly recommends
PT_PAX_FLAGS, which seems to be possible only with a patched binutils
like gentoo does, right?

Since it seems only a few apps need fiddling with, I tried to use
PAX_PT_PAX_FLAGS but not PAX_EI_PAX. My problem right now is that
firefox and chromium-browser don't run. java may also be a problem,
didn't try it yet. Starting with chromium, I get

/usr/lib/chromium-browser/chromium-browser: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Operation not permitted

 >You may also need to run execstack -c (from the prelink package) on the 
 >libraries that cause errors when loading.

I used strace -eopen and checked all libs called. execstack -q shows
none of them require an executable stack. In fact no lib in /usr/lib
or /lib needs it. Then I tried to use paxctl:

# paxctl -c /usr/lib/chromium/chromium 
file /usr/lib/chromium/chromium had a PT_GNU_STACK program header, converted
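The two ELF program headers this thread revolves around, shown as an added example that is not part of the thread and not the code of paxctl or execstack: PT_GNU_STACK (what execstack -q reads and execstack -c edits) and PT_PAX_FLAGS (what paxctl -v reads, paxctl -c creates by converting PT_GNU_STACK, and paxctl -r / -m edit). The script parses both headers straight out of a little-endian ELF32/ELF64 image, clears the executable-stack bit the way execstack -c does, and sets PaX flags the way paxctl does. The ELF image is constructed inline and is not a real binary; the PaX bit positions (PAGEEXEC at bit 4 through NORANDMMAP at bit 15) are PaX's documented layout, but whether paxctl keeps the low R/W/X bits when it converts a PT_GNU_STACK header is an assumption made here, not a claim about paxctl.

```python
import struct
import sys

# Program-header types and p_flags bits that execstack and paxctl operate on
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # executable-stack marker, read by execstack
PT_PAX_FLAGS = 0x65041580   # per-binary PaX flags, written by paxctl
PF_X, PF_W, PF_R = 1, 2, 4

# PaX flag bits carried in p_flags of the PT_PAX_FLAGS header (PaX's pt_pax_flags layout)
PAX_BITS = {
    "PAGEEXEC": 1 << 4,  "NOPAGEEXEC": 1 << 5,
    "SEGMEXEC": 1 << 6,  "NOSEGMEXEC": 1 << 7,
    "MPROTECT": 1 << 8,  "NOMPROTECT": 1 << 9,
    "RANDEXEC": 1 << 10, "NORANDEXEC": 1 << 11,
    "EMUTRAMP": 1 << 12, "NOEMUTRAMP": 1 << 13,
    "RANDMMAP": 1 << 14, "NORANDMMAP": 1 << 15,
}


def _phdr_table(data):
    """Return (e_phoff, e_phentsize, e_phnum, offset of p_flags inside one entry)."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF image")
    if data[4] == 1:    # ELF32: e_phoff @28, e_phentsize/e_phnum @42, p_flags is the 7th word
        (phoff,) = struct.unpack_from("<I", data, 28)
        entsize, count = struct.unpack_from("<HH", data, 42)
        return phoff, entsize, count, 24
    if data[4] == 2:    # ELF64: e_phoff @32, e_phentsize/e_phnum @54, p_flags follows p_type
        (phoff,) = struct.unpack_from("<Q", data, 32)
        entsize, count = struct.unpack_from("<HH", data, 54)
        return phoff, entsize, count, 4
    raise ValueError("unknown ELF class")


def program_headers(data):
    """Yield (entry_offset, p_type, p_flags) for every program header in the image."""
    phoff, entsize, count, fl = _phdr_table(data)
    for i in range(count):
        off = phoff + i * entsize
        (p_type,) = struct.unpack_from("<I", data, off)
        (p_flags,) = struct.unpack_from("<I", data, off + fl)
        yield off, p_type, p_flags


def describe(data):
    """What execstack -q and paxctl -v report: the exec-stack bit and the PaX flag names set."""
    out = {"exec_stack": None, "pax": None}
    for _, p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            out["exec_stack"] = bool(p_flags & PF_X)
        elif p_type == PT_PAX_FLAGS:
            out["pax"] = sorted(n for n, b in PAX_BITS.items() if p_flags & b)
    return out


def _patch_entry(data, off, fl, p_type, p_flags):
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, p_type)
    struct.pack_into("<I", buf, off + fl, p_flags)
    return bytes(buf)


def clear_exec_stack(data):
    """What execstack -c does: drop PF_X from the PT_GNU_STACK header, if present."""
    _, _, _, fl = _phdr_table(data)
    for off, p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return _patch_entry(data, off, fl, p_type, p_flags & ~PF_X)
    return data


def set_pax_flags(data, disable=(), enable=()):
    """Edit PT_PAX_FLAGS. With only a PT_GNU_STACK header present, that header is converted
    in place (the paxctl -c step), because a new header cannot be appended to a linked file.
    Assumption: the low R/W/X bits are kept across the conversion."""
    _, _, _, fl = _phdr_table(data)
    target = None
    for off, p_type, p_flags in program_headers(data):
        if p_type == PT_PAX_FLAGS:
            target = (off, p_flags)
            break
        if p_type == PT_GNU_STACK and target is None:
            target = (off, p_flags & (PF_R | PF_W | PF_X))
    if target is None:
        raise ValueError("no PT_PAX_FLAGS or PT_GNU_STACK header to edit")
    off, flags = target
    for name in disable:            # paxctl -r, -m, -p ...: set NOx, clear x
        flags = (flags | PAX_BITS["NO" + name]) & ~PAX_BITS[name]
    for name in enable:             # paxctl -R, -M, -P ...: set x, clear NOx
        flags = (flags | PAX_BITS[name]) & ~PAX_BITS["NO" + name]
    return _patch_entry(data, off, fl, PT_PAX_FLAGS, flags)


def build_sample_elf():
    """Constructed ELF64 image (not a real binary): one PT_LOAD plus a PT_GNU_STACK marked
    RWX, i.e. the executable-stack state that execstack -q would flag."""
    phdrs = [
        struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0xB0, 0xB0, 0x1000),
        struct.pack("<IIQQQQQQ", PT_GNU_STACK, PF_R | PF_W | PF_X, 0, 0, 0, 0, 0, 16),
    ]
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 0x3E, 1, 0x400000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    # Usage: python pax_hdr.py /path/to/binary   (reads the file, changes nothing on disk)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(describe(image))
```

Run on a real library it prints the same facts execstack -q and paxctl -v would; the editing functions return a new image rather than writing it back, so applying them to an installed file is a deliberate extra step. Note the caveat the thread runs into: if a binary has neither header there is nothing for paxctl -c to convert, which is why PT_PAX_FLAGS support normally needs the linker (patched binutils) to emit the header at link time.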

