[gentoo-hardened] UDEREF vs. Apache MMAP

[gentoo-hardened] UDEREF vs. Apache MMAP

[Michael Orlitzky]

I was able to figure out my new apache problem. It seems that
PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
sometimes:

  http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap

With UDEREF enabled and MMAP on, I get random inappropriate 206 response
codes everywhere causing headers, images, and CSS files to fail to
transfer properly.

This is sufficiently into the realm of what I consider voodoo. Is there
anything I can do to help narrow down the problem, or should I just
disable MMAP and be happy?

Re: [gentoo-hardened] UDEREF vs. Apache MMAP

[pageexec]

On 7 Jan 2011 at 23:57, Michael Orlitzky wrote:

> I was able to figure out my new apache problem. It seems that
> PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
> sometimes:

this one should have already been fixed in one of this week's patches,
but i'm not sure if it's in any hardened release yet. you could try the
latest grsec patch directly and see if it actually resolves the issue.

Re: [gentoo-hardened] UDEREF vs. Apache MMAP

[Anthony G. Basile]

On 01/07/2011 11:57 PM, Michael Orlitzky wrote:
> I was able to figure out my new apache problem. It seems that
> PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
> sometimes:
> 
>   http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap
> 
> With UDEREF enabled and MMAP on, I get random inappropriate 206 response
> codes everywhere causing headers, images, and CSS files to fail to
> transfer properly.
> 
> This is sufficiently into the realm of what I consider voodoo. Is there
> anything I can do to help narrow down the problem, or should I just
> disable MMAP and be happy?

It sounds like a problem in the way apache is doing the mmap and PaX is
killing it.  The new stricter PaX rules don't allow the permission of
allocated pages to be changed, eg RW -> RX, or to be RWX.  This has come
up elsewhere, see

   http://bugs.gentoo.org/show_bug.cgi?id=329499

To verify my suspicion, an strace would be helpful.  If you don't mind,
open up a bug with your findings, give your emerge --info, the flags you
used with apache, and an strace of apache going bad.  This will be a
start for us.

-- 
Anthony G. Basile, Ph.D.
Gentoo Developer

Re: [gentoo-hardened] UDEREF vs. Apache MMAP

[Anthony G. Basile]

On 01/08/2011 07:09 AM, pageexec@freemail.hu wrote:
> On 7 Jan 2011 at 23:57, Michael Orlitzky wrote:
> 
>> I was able to figure out my new apache problem. It seems that
>> PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
>> sometimes:
> 
> this one should have already been fixed in one of this week's patches,
> but i'm not sure if it's in any hardened release yet. you could try the
> latest grsec patch directly and see if it actually resolves the issue.
> 

Okay Michael, can you try:

   hardened-sources-2.6.32-r33

and/or

   hardened-sources-2.6.36-r8

Both are based on the latest grsecurity-*-201101052002.patch

pipacs, was this the same as the python bug?

   http://bugs.gentoo.org/show_bug.cgi?id=329499

-- 
Anthony G. Basile, Ph.D.
Gentoo Developer

Re: [gentoo-hardened] UDEREF vs. Apache MMAP

[Michael Orlitzky]

On 01/08/2011 01:22 PM, Anthony G. Basile wrote:
> On 01/08/2011 07:09 AM, pageexec@freemail.hu wrote:
>> On 7 Jan 2011 at 23:57, Michael Orlitzky wrote:
>>
>>> I was able to figure out my new apache problem. It seems that
>>> PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
>>> sometimes:
>>
>> this one should have already been fixed in one of this week's patches,
>> but i'm not sure if it's in any hardened release yet. you could try the
>> latest grsec patch directly and see if it actually resolves the issue.
>>
> 
> Okay Michael, can you try:
> 
>    hardened-sources-2.6.32-r33
> 
> and/or
> 
>    hardened-sources-2.6.36-r8
> 
> Both are based on the latest grsecurity-*-201101052002.patch

Back to normal with hardened-sources-2.6.36-r8. Thanks again guys.

Re: [gentoo-hardened] UDEREF vs. Apache MMAP

[pageexec]

On 8 Jan 2011 at 13:22, Anthony G. Basile wrote:

> pipacs, was this the same as the python bug?
> 
>    http://bugs.gentoo.org/show_bug.cgi?id=329499

no, the python bug is due MPROTECT having become more strict,
the net related issues were due to the recent tightening of
UDEREF/i386 and a small oversight in it.