From: Javier Juan Martínez Cabezón
To: gentoo-hardened@lists.gentoo.org
Date: Thu, 13 May 2010 21:10:47 +0200
Subject: Re: [gentoo-hardened] PAX bug?
In-Reply-To: <20100512215509.GD1987@home.power>
References: <20100512215509.GD1987@home.power>

Why do you think it is a PaX bug? It seems that PaX REFCOUNT is doing its
homework. Maybe I'm wrong (to the boss, please correct me), but it seems that
the bug is in the perl fastcgi script. The wrong fix for this is disabling
PaX_REFCOUNT in your .config, which is nothing more than disabling a PaX
security feature.

2010/5/12 Alex Efros :
> Hi!
>
> Today I found server nearly unresponsive (loadavg around 30, ssh type speed
> around few chars per second). It looks like nearly all processes (very
> different ones) eat each 3-5% CPU, with top's report about 95% CPU spent
> in "system" (i.e. not "user" or "wait"). At a glance it looks like kernel
> issue, so I checked kernel error log and found this, reported a few hours ago:
>
> 2010-05-12_03:51:29.90675 kern.err: PAX: refcount overflow detected in: fastcgi:32201, uid/euid: 1067/1067
> 2010-05-12_03:51:29.93807 kern.err: PAX: refcount overflow occured at: iret_exc+0x1d3e/0x4565
> 2010-05-12_03:51:29.93813 kern.warn:
> 2010-05-12_03:51:29.94129 kern.warn: Pid: 32201, comm: fastcgi Tainted: G       W  (2.6.28-hardened-r9 #1) ProLiant DL140 G3
> 2010-05-12_03:51:29.94137 kern.warn: EIP: 0060:[] EFLAGS: 00000a96 CPU: 1
> 2010-05-12_03:51:29.94140 kern.warn: EIP is at iret_exc+0x1d3e/0x4565
> 2010-05-12_03:51:29.94143 kern.warn: EAX: 00000004 EBX: f756b080 ECX: df037a54 EDX: 00000070
> 2010-05-12_03:51:29.94145 kern.warn: ESI: f6ce1c00 EDI: df03781c EBP: df0377fc ESP: df0377a8
> 2010-05-12_03:51:29.94147 kern.warn:  DS: 0068 ES: 0068 FS: 00d8 GS: 0033 SS: 0068
> 2010-05-12_03:51:29.94150 <0>Process fastcgi (pid: 32201, ti=df036000 task=c3c46e10 task.ti=df036000)
> 2010-05-12_03:51:29.94152 <0>Stack:
> 2010-05-12_03:51:29.94154 kern.warn:  c04d35fb 00000000 00000000 00000000 00000000 df0377fc c04d39f7 00000000
> 2010-05-12_03:51:29.94156 <0> 000001f8 00000000 df037a54 df037940 00000004 00000001 000001f8 00000000
> 2010-05-12_03:51:29.94159 <0> 00000000 00000070 00000000 df037a80 effd8380 df0379d8 c04df769 00000070
>
> The fastcgi process mentioned in report is perl script (but it uses C
> libraries libev and libadns for accessing epoll(2) and doing async dns
> resolving (it's event-based fastcgi implementation, not usual forked one)).
>
> Server was rebooted, now everything is fine. Server software is nearly
> up-to-date x86 Gentoo (last update was 2-3 weeks ago), kernel is
> sys-kernel/hardened-sources-2.6.28-r9.
>
> --
>                         WBR, Alex.
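
Added example, not part of the original thread and not PaX or Gentoo code: a small triage script that extracts PaX refcount overflow reports from a kernel log in the format quoted above, pairing each "detected in" line with its "occured at" location. The function and field names are assumptions chosen for illustration; the first two sample lines are copied from the quoted log and the third is constructed.

```python
import re

# "<timestamp> kern.err: PAX: refcount overflow detected in: comm:pid, uid/euid: N/N"
DETECTED = re.compile(
    r"^(?P<ts>\S+) \S+ PAX: refcount overflow detected in: "
    r"(?P<comm>[^:]+):(?P<pid>\d+), uid/euid: (?P<uid>\d+)/(?P<euid>\d+)"
)
# The kernel message spells "occured" with one "r"; accept both spellings.
OCCURRED = re.compile(
    r"PAX: refcount overflow occurr?ed at: "
    r"(?P<symbol>[\w.]+)\+(?P<offset>0x[0-9a-f]+)/(?P<size>0x[0-9a-f]+)"
)

def parse_refcount_events(lines):
    """Return one dict per report; the location stays None if no line follows."""
    events, pending = [], None
    for line in lines:
        m = DETECTED.search(line)
        if m:
            if pending:                 # earlier report had no location line
                events.append(pending)
            pending = {
                "timestamp": m["ts"], "comm": m["comm"],
                "pid": int(m["pid"]), "uid": int(m["uid"]),
                "euid": int(m["euid"]), "symbol": None, "offset": None,
            }
            continue
        m = OCCURRED.search(line)
        if m and pending:
            pending["symbol"] = m["symbol"]
            pending["offset"] = int(m["offset"], 16)
            events.append(pending)
            pending = None
    if pending:
        events.append(pending)
    return events

SAMPLE = [
    # Lines 1-2: from the log quoted above.
    "2010-05-12_03:51:29.90675 kern.err: PAX: refcount overflow detected in: fastcgi:32201, uid/euid: 1067/1067",
    "2010-05-12_03:51:29.93807 kern.err: PAX: refcount overflow occured at: iret_exc+0x1d3e/0x4565",
    # Line 3: constructed, a report whose location line was lost.
    "2010-05-12_04:00:00.00000 kern.err: PAX: refcount overflow detected in: worker:4242, uid/euid: 1000/1000",
]

if __name__ == "__main__":
    for event in parse_refcount_events(SAMPLE):
        print(event)
```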