From: Alex Efros <powerman@powerman.asdfgroup.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] 2.6.27-hardened-r8: assassination
Date: Fri, 6 Mar 2009 23:51:41 +0200
Message-ID: <20090306215141.GA3005@home.power>
In-Reply-To: <49B16B41.31874.18849D3B@pageexec.freemail.hu>
Hi!
On Fri, Mar 06, 2009 at 07:28:17PM +0200, pageexec@freemail.hu wrote:
> it's always the latter ;), i need to make sure it's a PaX problem.
Ok. With this kernel, using pax-linux-2.6.28.7-test19.patch, I was able to
reproduce issues with apache/php/{ioncube,zendoptimizer} and perl module
Math::Pari. Amarok doesn't crash.
> i mentioned them quite a few times on the list and bugzilla and the grsec forums,
> here it is again. first, the coredump: you enable coredumps in your shell
Thanks for the instructions, here are the results:
I've tried to recompile perl, apache and php with the "debug" USE-flag enabled,
but it looks like ioncube & zendoptimizer don't support php built this way.
So only perl & apache were built with the "debug" flag.
When I ran apache for the first time after reboot - without strace/core,
just to see whether it crashes - I got this in the kernel log:
2009-03-06_20:48:56.60108 kern.info: apache2[4621]: segfault at
4d554ed0 ip 4d541399 sp 594130d0 error 7 in ld-2.6.1.so[4d53a000+1a000]
I must note it looks very similar to the errors I got previously with this
issue - the segfault was always reported as "error 7 in ld-2.6.1.so".
But all subsequent runs (under strace and with core dumps enabled) don't
produce any error messages in the kernel log, which is quite unusual.
# strace -f apache2 -D NO_DETACH -k start -D MANUAL -D DEFLATE -D FASTCGI -D PHP5 -D SSL &>apache2.strace
# gdb
(gdb) core /core
(no debugging symbols found)
Core was generated by `apache2 -D NO_DETACH -k start -D MANUAL -D DEFLATE -D FASTCGI -D PHP5 -D SSL'.
Program terminated with signal 11, Segmentation fault.
[New process 11835]
#0 0x4ce14399 in ?? ()
(gdb) bt
#0 0x4ce14399 in ?? ()
#1 0x4ce27000 in ?? ()
#2 0x00000ed4 in ?? ()
#3 0x00000003 in ?? ()
#4 0x00000003 in ?? ()
#5 0x00000004 in ?? ()
#6 0x00000000 in ?? ()
(gdb) x/8i $pc
0x4ce14399: Cannot access memory at address 0x4ce14399
(gdb) x/8x $sp
0x5a681770: 0x4ce27000 0x00000ed4 0x00000003 0x00000003
0x5a681780: 0x00000004 0x00000000 0x00000001 0x4cb5a170
(gdb) info reg
eax 0xffffffff -1
ecx 0x4ce27fc4 1289912260
edx 0xd 13
ebx 0x4ce27fc4 1289912260
esp 0x5a681770 0x5a681770
ebp 0x5a681890 0x5a681890
esi 0x4ce27000 1289908224
edi 0xed4 3796
eip 0x4ce14399 0x4ce14399
eflags 0x10286 [ PF SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
# vi /etc/php/apache2-php5/php.ini ### disable ioncube
# strace -f apache2 -D NO_DETACH -k start -D MANUAL -D DEFLATE -D FASTCGI -D PHP5 -D SSL &>apache2.strace_zend
# gdb /usr/sbin/apache2 /core
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)
warning: Can't read pathname for load map: Input/output error.
(no debugging symbols found)
Loaded symbols for /usr/sbin/apache2
...
Reading symbols from /usr/local/Zend/lib/ZendExtensionManager.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/Zend/lib/ZendExtensionManager.so
(no debugging symbols found)
Core was generated by `apache2 -D NO_DETACH -k start -D MANUAL -D DEFLATE -D FASTCGI -D PHP5 -D SSL'.
Program terminated with signal 11, Segmentation fault.
[New process 31217]
#0 0x51015399 in ?? () from /lib/ld-linux.so.2
(gdb) bt
#0 0x51015399 in ?? () from /lib/ld-linux.so.2
#1 0x51028000 in ?? ()
#2 0x00000ed4 in ?? ()
#3 0x00000003 in ?? ()
#4 0x5d5cf82c in ?? ()
#5 0x00000004 in ?? ()
#6 0x00000000 in ?? ()
(gdb) x/8i $pc
0x51015399 <free@plt+27445>: orl $0x7,-0xf4(%ebx)
0x510153a0 <free@plt+27452>: mov $0x1,%ecx
0x510153a5 <free@plt+27457>: mov %ecx,0x8(%esp)
0x510153a9 <free@plt+27461>: mov %edi,0x4(%esp)
0x510153ad <free@plt+27465>: mov %esi,(%esp)
0x510153b0 <free@plt+27468>: call 0x51022e80
0x510153b5 <free@plt+27473>: jmp 0x5101505c <free@plt+26616>
0x510153ba <free@plt+27478>: xor %ecx,%ecx
(gdb) x/8x $sp
0x5d5cf800: 0x51028000 0x00000ed4 0x00000003 0x5d5cf82c
0x5d5cf810: 0x00000004 0x00000000 0x00000001 0x50d5b170
(gdb) info reg
eax 0xffffffff -1
ecx 0x51028fc4 1359122372
edx 0xd 13
ebx 0x51028fc4 1359122372
esp 0x5d5cf800 0x5d5cf800
ebp 0x5d5cf920 0x5d5cf920
esi 0x51028000 1359118336
edi 0xed4 3796
eip 0x51015399 0x51015399 <free@plt+27445>
eflags 0x10286 [ PF SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
# ACCEPT_KEYWORDS=~x86 emerge -a math-pari
If I run perl without strace, I get an error message in the kernel log:
# perl -e 'use Math::Pari;'
Segmentation fault (core dumped)
2009-03-06_21:31:02.23339 kern.info: perl[17676]: segfault at 4ebd7ed0
ip 4ebc4399 sp 58019490 error 7 in ld-2.6.1.so[4ebbd000+1a000]
If I run perl with strace, there are no messages in the kernel log:
# strace -f perl -e 'use Math::Pari;' &>perl.strace
# gdb /usr/bin/perl core
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)
warning: Can't read pathname for load map: Input/output error.
(no debugging symbols found)
Loaded symbols for /usr/bin/perl
Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libdl.so.2...
(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libcrypt.so.1...
(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libutil.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libutil.so.1
Reading symbols from /lib/libc.so.6...
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Math/Pari/Pari.so...
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Math/Pari/Pari.so
(no debugging symbols found)
Core was generated by `perl -e use Math::Pari;'.
Program terminated with signal 11, Segmentation fault.
[New process 30393]
#0 0x4fa55399 in ?? () from /lib/ld-linux.so.2
(gdb) bt
#0 0x4fa55399 in ?? () from /lib/ld-linux.so.2
#1 0x4fa68000 in ?? ()
#2 0x00000ed4 in ?? ()
#3 0x00000003 in ?? ()
#4 0x17364a75 in ?? () from /usr/bin/perl
#5 0x00000145 in ?? ()
#6 0x17426824 in ?? ()
#7 0x5a96a6a8 in ?? ()
#8 0x17301567 in ?? () from /usr/bin/perl
#9 0x17426824 in ?? ()
#10 0x00000050 in ?? ()
#11 0x173040d8 in Perl_av_undef () from /usr/bin/perl
#12 0x4fa55f4e in ?? () from /lib/ld-linux.so.2
#13 0x5a96a79c in ?? ()
#14 0x17443df8 in ?? ()
#15 0x00000000 in ?? ()
(gdb) x/8i $pc
0x4fa55399 <free@plt+27445>: orl $0x7,-0xf4(%ebx)
0x4fa553a0 <free@plt+27452>: mov $0x1,%ecx
0x4fa553a5 <free@plt+27457>: mov %ecx,0x8(%esp)
0x4fa553a9 <free@plt+27461>: mov %edi,0x4(%esp)
0x4fa553ad <free@plt+27465>: mov %esi,(%esp)
0x4fa553b0 <free@plt+27468>: call 0x4fa62e80
0x4fa553b5 <free@plt+27473>: jmp 0x4fa5505c <free@plt+26616>
0x4fa553ba <free@plt+27478>: xor %ecx,%ecx
(gdb) x/8x $sp
0x5a96a600: 0x4fa68000 0x00000ed4 0x00000003 0x17364a75
0x5a96a610: 0x00000145 0x17426824 0x5a96a6a8 0x17301567
(gdb) info reg
eax 0xffffffff -1
ecx 0x4fa68fc4 1336315844
edx 0xd 13
ebx 0x4fa68fc4 1336315844
esp 0x5a96a600 0x5a96a600
ebp 0x5a96a720 0x5a96a720
esi 0x4fa68000 1336311808
edi 0xed4 3796
eip 0x4fa55399 0x4fa55399 <free@plt+27445>
eflags 0x10286 [ PF SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
> on a second thought, i'd need the strace output regardless of the gdb analysis,
> just to see how text relocations went as that's where the problem is probably.
http://powerman.name/tmp/apache2.strace
http://powerman.name/tmp/apache2.strace_zend
http://powerman.name/tmp/perl.strace
--
WBR, Alex.
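The two "segfault at ... error 7 in ld-2.6.1.so[base+size]" lines quoted in the message above carry more than they appear to: the x86 page-fault error code (bit 0 protection violation, bit 1 write, bit 2 user mode) says what kind of access failed, and subtracting the mapping base from ip gives an offset that is stable across ASLR runs. The parser below is an added example, not part of the thread; the two sample lines are the message's own kernel log lines (the perl one re-joined onto a single line), and it shows that both reports fault at the same instruction offset and write just past the 0x1a000 text mapping.

```python
import re
from dataclasses import dataclass

# x86 page-fault error-code bits as printed in the kernel's "segfault at" line.
PF_PROT = 1   # set: protection violation on a present page; clear: page not present
PF_WRITE = 2  # set: write access; clear: read access
PF_USER = 4   # set: fault raised from user mode

# Matches e.g.
#   apache2[4621]: segfault at 4d554ed0 ip 4d541399 sp 594130d0 error 7 in ld-2.6.1.so[4d53a000+1a000]
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

@dataclass
class Segfault:
    comm: str
    pid: int
    addr: int   # faulting data address
    ip: int     # faulting instruction
    sp: int
    error: int
    obj: str    # object the ip falls into, plus its mapping base and size
    base: int
    size: int

    @property
    def ip_offset(self) -> int:
        """Offset of the faulting instruction inside the named mapping."""
        return self.ip - self.base

    @property
    def addr_offset(self) -> int:
        """Offset of the faulting data address relative to the same base."""
        return self.addr - self.base

    def describe_error(self) -> str:
        kind = "write" if self.error & PF_WRITE else "read"
        cause = "protection violation" if self.error & PF_PROT else "page not present"
        mode = "user" if self.error & PF_USER else "kernel"
        return f"{kind} from {mode} mode, {cause}"

def parse_segfault(line: str) -> Segfault:
    m = SEGFAULT_RE.search(line)
    if m is None:
        raise ValueError(f"not a kernel segfault line: {line!r}")
    g = m.groupdict()
    return Segfault(g["comm"], int(g["pid"]), int(g["addr"], 16), int(g["ip"], 16),
                    int(g["sp"], 16), int(g["err"]), g["obj"], int(g["base"], 16), int(g["size"], 16))

def same_crash_site(a: Segfault, b: Segfault) -> bool:
    """True when two reports fault at the same instruction offset in the same object."""
    return a.obj == b.obj and a.ip_offset == b.ip_offset and a.error == b.error

# Sample input: the two kernel log lines quoted in the message above.
LINES = [
    "kern.info: apache2[4621]: segfault at 4d554ed0 ip 4d541399 sp 594130d0 error 7 in ld-2.6.1.so[4d53a000+1a000]",
    "kern.info: perl[17676]: segfault at 4ebd7ed0 ip 4ebc4399 sp 58019490 error 7 in ld-2.6.1.so[4ebbd000+1a000]",
]
```

Running parse_segfault over both lines gives ip offset 0x7399 and data offset 0x1aed0 for apache2 and perl alike, which is why the ld.so offsets in the three gdb sessions (all `<free@plt+27445>`) line up despite different load addresses.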