[grsec] shutting down grsecurity acl causes a kernel panic (free_variables slab issue, i think)

Andrew Griffiths andrewg at felinemenace.org
Sat Apr 22 00:40:33 EDT 2006


Hello,

I'm using the gentoo hardened sources (specifically, 2.6.14-hardened-r7)
and I'm getting a reproducible kernel panic every time I disable the acl
system. I've had this issue on 2.6.14-hardened-r5 before; however, it
hasn't been an issue up till now (as now I want to use the acl interface
properly).

dmesg gives the following:

<6>grsec: (admin:S:/) exec of /sbin/gradm (/sbin/gradm -D ) by bin/bash[bash:20173] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18492] uid/euid:0/0 gid/egid:0/0
<1>grsec: shutdown auth success for /sbin/gradm[gradm:20173] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18492] uid/euid:0/0 gid/egid:0/0
<1>Unable to handle kernel paging request at virtual address 6b6b6c37
<1> printing eip:
<4>000f01c0
<1>*pgd =    0
<1>*pmd =    0
<1>Oops: 0000 [#1]
<4>Modules linked in:
<4>CPU:    0
<4>EIP:    0060:[<000f01c0>]    Not tainted VLI
<4>EFLAGS: 00010202   (2.6.14-hardened-r7-y0) 
<4>EIP is at free_variables+0x24e/0x2b8
<4>eax: cba8c2fc   ebx: cf1c9b00   ecx: 00000007   edx: 00000007
<4>esi: 00000000   edi: 6b6b6b6b   ebp: cb6f5f2c   esp: cb6f5f10
<4>ds: 007b   es: 007b   ss: 0068
<4>Process gradm (pid: 20173, threadinfo=cb6f4000 task=cfcfb570)
<4>Stack: 7e9143b5 8c875d91 72b80524 00000007 0000000c 00000000 00000000 cb6f5f6c
<4>       000f32ac 00000002 c069b034 00000007 cb648d00 ce981000 17509d50 17509d50
<4>       1751ca38 00000218 0000011c 00000001 c0c0ef00 cb648d00 1751cb58 cb6f5f8c
<4>Call Trace:
<4> [<000033a7>] show_stack+0x7a/0x90
<4> [<0000352d>] show_registers+0x157/0x1d9
<4> [<00003706>] die+0xc6/0x152
<4> [<0026b7ea>] do_page_fault+0x580/0x860
<4> [<0000305f>] error_code+0x4f/0x60
<4> [<000f32ac>] write_grsec_handler+0x74c/0x7d6
<4> [<0004d2a9>] vfs_write+0x165/0x16a
<4> [<0004d34f>] sys_write+0x3d/0x64
<4> [<00002d89>] syscall_call+0x7/0xb
<4>Code: 3d 00 10 00 00 77 57 8b 43 30 e8 63 95 f4 ff 83 45 f0 01 8b 15 b4 a7 cb c0 3b 55 f0 e9 7b fe ff ff 8b 43 30 8b 3c b0 85 ff 74 60 <8b> 8f cc 00 00 00 85 c9 2e 0f 84 73 ff ff ff 8b 87 d0 00 00 00
<4> 

Disassembling free_variables gives:

0x000f01c0 <free_variables+590>:        mov    0xcc(%edi),%ecx

and edi is 6b6b6b6b (ASCII 'k', which is #define POISON_FREE 0x6b
/* for use-after-free poisoning */).
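The check behind that observation, as an added example that is not part of the original report: scan the oops register dump for slab poison patterns and confirm that the poisoned register plus the instruction's displacement (0xcc from the disassembly above) equals the faulting virtual address. The poison byte values are those from the kernel's poison.h; the sample excerpt is copied from the oops in this report.

```python
import re

# Slab poison bytes from include/linux/poison.h (2.6-era kernels)
POISON_BYTES = {
    0x5a: "POISON_INUSE",  # freshly allocated, never initialised
    0x6b: "POISON_FREE",   # freed object: dereference means use-after-free
    0xa5: "POISON_END",    # last byte of a freed object
}

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p):\s+([0-9a-f]{8})")
FAULT_RE = re.compile(r"paging request at virtual address ([0-9a-f]{8})")

# Sample input: the relevant lines of the i386 oops quoted in this report
OOPS_EXCERPT = """\
<1>Unable to handle kernel paging request at virtual address 6b6b6c37
<4>eax: cba8c2fc   ebx: cf1c9b00   ecx: 00000007   edx: 00000007
<4>esi: 00000000   edi: 6b6b6b6b   ebp: cb6f5f2c   esp: cb6f5f10
"""

def parse_registers(oops_text):
    """Map each 32-bit general register in the oops to its integer value."""
    return {name: int(val, 16) for name, val in REG_RE.findall(oops_text)}

def poison_kind(value, width=4):
    """Name the poison pattern if every byte of `value` is the same poison byte."""
    byte_vals = [(value >> (8 * i)) & 0xFF for i in range(width)]
    if len(set(byte_vals)) == 1 and byte_vals[0] in POISON_BYTES:
        return POISON_BYTES[byte_vals[0]]
    return None

def fault_address(oops_text):
    m = FAULT_RE.search(oops_text)
    return int(m.group(1), 16) if m else None

def triage(oops_text, displacement):
    """Return (reg, value, poison name, explains_fault) for every poisoned register.
    explains_fault is True when reg + displacement is the faulting address,
    i.e. the faulting load went through a pointer read from freed memory."""
    fault = fault_address(oops_text)
    findings = []
    for reg, val in parse_registers(oops_text).items():
        kind = poison_kind(val)
        if kind:
            hit = fault is not None and (val + displacement) & 0xFFFFFFFF == fault
            findings.append((reg, val, kind, hit))
    return findings

if __name__ == "__main__":
    # mov 0xcc(%edi),%ecx faulted, so the displacement is 0xcc
    for reg, val, kind, hit in triage(OOPS_EXCERPT, 0xCC):
        print(f"{reg}={val:08x} {kind} explains fault: {hit}")
```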

The gcc version is 3.4.5 (gentoo hardened 3.4.5-r1, ssp-3.4.5-1.0,
pie-8.7.9).

To reproduce this issue, I generally do:

gradm -E -L blah3
su - andrewg
/sbin/gradm -a admin
su - 
/sbin/gradm -D 
(which then prompts me for the password, then goes b00m).

I've been talking to a guy about debugging this, who recommended I
enable slab debugging (I also enabled other debugging stuff such as ebp
/ extra info). When slab debugging is turned off, it dies inside a
kernel thread, to quote "that thread is used to free unused slab pages back
to the main buddy allocator". After turning on slab debugging, it dies
in free_variables.

The vmlinux image, system.map, .config and acl rules I'm using can be 
downloaded from http://felinemenace.org/~andrewg/acl-crash.tgz, or
alternatively individually from
http://felinemenace.org/~andrewg/acl-crash/ 

I'm using kdb on the kernel, and can use that to further debug if need
be. 

Not sure which list this message is best suited towards, so I've
cross-posted, though I suspect a lot of people will be reading the message
twice, so sorry about that.

Thanks,
Andrew Griffiths
