From: Alex Efros <powerman@powerman.asdfgroup.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] 2.6.28-hardened-r7 hangs before starting /sbin/init
Date: Fri, 3 Apr 2009 02:04:31 +0300
Message-ID: <20090402230431.GN32102@home.power>
In-Reply-To: <49D53F8E.16661.386BDA57@pageexec.freemail.hu>
Hi!
On Fri, Apr 03, 2009 at 12:43:26AM +0200, pageexec@freemail.hu wrote:
> hmm, i don't get it. are you saying that with MPROTECT enabled in the
> kernel, bash fails to start when run as init, but works otherwise?
>
> hmm, so nothing stands out, and only pid=1 is ever affected? i've never seen
> such a failure mode ;).
Yep. Me too. I can try another application, but if both bash and runit-init
are affected I think there is little sense in trying others.

So, yeah, the question is, how to debug PaX while the kernel is starting process N1?
Or how to prove process N1 has nothing to do with this bug?

To sum up, what we have now:

Fact 1: previous kernel (2.6.27-hardened-r8) doesn't hang
Fact 2: kernel hangs after "Freeing unused kernel memory:"
  * so I suppose it failed to start process N1
Fact 3: kernel compiled without MPROTECT doesn't hang
  * so I suppose it's something related to PaX ...
  * or some very unique hardware issue
Fact 4: kernel loaded with init=/bin/bash hangs in the same way
  * so it's unlikely an issue with runit-init
Fact 5: paxctl -m for init command (/sbin/runit-init or /bin/bash) fixes the issue
  * so a workaround exists which doesn't lower overall server security
Fact 6: /bin/bash works just fine without paxctl -m after boot
  * so it has nothing to do with usual PaX work
Fact 7: this issue happens on one of several similar (if not equal) servers
  * buggy hardware or some conflict (there are IRQ differences between servers)?

I think the best way to find out what happens is to add debug prints into the PaX code
which executes while starting process N1.
--
WBR, Alex.
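
An added example, not part of the original message or of PaX: a small userspace probe that shows whether the writable-to-executable transition MPROTECT is designed to refuse is actually blocked for the binary it is built into. It assumes Linux; the function names `probe_transition`, `probe_wx` and `probe_control` are hypothetical.

```c
/* Added example: check whether a W -> X protection change is refused
 * for the current process. All function names here are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map one anonymous page with `initial` protection, then try to change it
 * to `wanted`. Returns 0 on success, the errno of a failed mprotect(),
 * or -errno if the initial mmap() itself failed. */
static int probe_transition(int initial, int wanted)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pagesz, initial, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -errno;
    int rc = (mprotect(p, pagesz, wanted) == 0) ? 0 : errno; /* save errno first */
    munmap(p, pagesz);
    return rc;
}

/* RW -> RX: the transition MPROTECT denies (EACCES when enforced). */
int probe_wx(void)
{
    return probe_transition(PROT_READ | PROT_WRITE, PROT_READ | PROT_EXEC);
}

/* Control: R -> RW involves no executable memory and should always succeed,
 * so a failure here means the probe itself is broken, not MPROTECT. */
int probe_control(void)
{
    return probe_transition(PROT_READ, PROT_READ | PROT_WRITE);
}

int main(void)
{
    int ctl = probe_control();
    int wx = probe_wx();
    printf("control R->RW: %s\n", ctl == 0 ? "ok" : strerror(ctl < 0 ? -ctl : ctl));
    printf("RW->RX:        %s\n",
           wx == 0 ? "allowed (not restricted for this binary)"
                   : strerror(wx < 0 ? -wx : wx));
    return ctl == 0 ? 0 : 1;
}
```

Running the same binary before and after `paxctl -m` on it shows whether the per-binary flag changes the result on a given kernel.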