[grsec] KERNEXEC^Vmware?
Angelo Dell'Aera
buffer at olografix.org
Wed Jan 11 06:56:20 EST 2006
This is the detailed analysis I did about the problem I found while
executing Vmware with KERNEXEC enabled, which we were talking about in the
last days. If needed I can provide even my .config and System.map files. So
let's start.
root at alnitak:~ # uname -a
Linux alnitak 2.6.14-hardened-r3 #3 Wed Jan 11 11:12:46 CET 2006 i686
Intel(R) Pentium(R) M processor 1.50GHz GenuineIntel GNU/Linux
[ 121.216820] kobject vmnet: registering. parent: <NULL>, set: module
[ 121.217071] kobject_hotplug
[ 121.217143] fill_kobj_path: path = '/module/vmnet'
[ 121.217148] kobject_hotplug: /sbin/udevsend module seq=1009 HOME=/
PATH=/sbin:/bin:/usr/sbin:/usr/bin ACTION=add DEVPATH=/module/vmnet
SUBSYSTEM=module
[ 122.824878] /dev/vmnet: open called by PID 3741(vmnet-bridge)
[ 122.825022] /dev/vmnet: hub 0 does not exist, allocating memory.
[ 122.825099] /dev/vmnet: port on hub 0 successfully opened
[ 122.825170] bridge-eth0: enabling the bridge
[ 122.825231] bridge-eth0: up
[ 122.825284] bridge-eth0: already up
[ 122.825341] bridge-eth0: attached
[ 122.932217] /dev/vmnet: open called by PID 32679 (vmnet-natd)
[ 122.932351] /dev/vmnet: hub 8 does not exist, allocating memory.
[ 122.932433] /dev/vmnet: port on hub 8 successfully opened
[ 125.851255] /dev/vmnet: open called by PID 245 (vmnet-netifup)
[ 125.851400] /dev/vmnet: port on hub 8 successfully opened
[ 125.851495] kobject vmnet8: registering. parent: net, set: class_obj
[ 125.851567] kobject_hotplug
[ 125.851630] fill_kobj_path: path ='/class/net/vmnet8'
[ 125.851635] kobject_hotplug: /sbin/udevsend net seq=1010 HOME=/
PATH=/sbin:/bin:/usr/sbin:/usr/bin ACTION=add DEVPATH=/class/net/vmnet8
SUBSYSTEM=net
[ 125.854714] /dev/vmnet: open called by PID 30279 (vmnet-netifup)
[ 125.854725] /dev/vmnet: hub 1 does not exist, allocating memory.
[ 125.854748] /dev/vmnet: port on hub 1 successfully opened
[ 125.854779] kobject vmnet1: registering. parent: net, set: class_obj
[ 125.854788] kobject_hotplug
[ 125.854796] fill_kobj_path: path ='/class/net/vmnet1'
[ 125.854801] kobject_hotplug: /sbin/udevsend net seq=1011 HOME=/
PATH=/sbin:/bin:/usr/sbin:/usr/bin ACTION=add DEVPATH=/class/net/vmnet1
SUBSYSTEM=net
[ 125.939922] /dev/vmnet: open called by PID 2047 (vmnet-dhcpd)
[ 125.940000] /dev/vmnet: port on hub 8 successfully opened
[ 125.941337] /dev/vmnet: open called by PID 29744 (vmnet-dhcpd)
[ 125.941407] /dev/vmnet: port on hub 1 successfully opened
Now I tried starting a FreeBSD virtual machine...
buffer at alnitak:~$ Unexpected signal: 11.
Loop on signal 11 -- tid 30070 at 0xb7cfbb1a.
Panic loop
[ 161.078921] PAX: vmware-vmx:19216, uid/euid: 1000/1000, attempted to modify kernel code at virtual address c05bd085
[ 161.078926] printing eip:
[ 161.078928] 0032da06
[ 161.078930] *pgd = 4001e1
[ 161.078932] *pmd = 4001e1
[ 161.078934] Oops: 0003 [#1]
[ 161.078948] Modules linked in: vmnet parport_pc parport vmmon
ipt_state iptable_filter iptable_nat ip_nat ip_conntrack ip_tables nfsd
exportfs lockd sunrpc af_packet pcmcia firmware_class yenta_socket
rsrc_nonstatic pcmcia_core snd_pcm_oss snd_mixer_oss snd_seq_oss
snd_seq_midi_event snd_seq snd_seq_device snd_intel8x0m snd_intel8x0
snd_ac97_codec snd_ac97_bus snd_pcm snd_timer snd snd_page_alloc aes
tcp_westwood hdaps hwmon cpufreq_stats acpi_cpufreq freq_table ide_cd
cdrom uhci_hcd usbcore i915 drm intel_agp agpgart soundcore psmouse e100
[ 161.078995] CPU: 0
[ 161.078996] EIP: 0060:[<0032da06>] Tainted: P VLI
[ 161.078997] EFLAGS: 00213082 (2.6.14-hardened-r3)
[ 161.079007] eax: 00000089 ebx: 000006d0 ecx: c05bd080 edx: 0000008b
[ 161.079014] esi: f06a8400 edi: f06a8000 ebp: dfd5fb1c esp: dfd5fabc
[ 161.079019] ds: 007b es: 007b ss: 0068
[ 161.079024] Process vmware-vmx (pid: 19216, threadinfo=dfd5e000
task=e4016030)
[ 161.079027] Stack: dfd5faee dfd5faef 5a5a5a5a 5a5a5a5a
b7f010d8 8005003b 00203246 00000088
[ 161.079037] 00000000 00000033 00000000 e7636000
00000000 d00000ff 5a5ac05b 5a5a5a5a
[ 161.079046] 5a5a5a5a d00000ff 5a5ac05b 5a5a5a5a
5a5a5a5a f06a8000 e7636000 00000000
[ 161.079056] Call Trace:
[ 161.079061] [<00002fca>]
[ 161.079065] [<00003149>]
[ 161.079069] [<0000333b>]
[ 161.079073] [<001b7ac7>]
[ 161.079076] [<00002cd3>]
[ 161.079080] [<00330167>]
[ 161.079084] [<00327ddf>]
[ 161.079088] [<0005f078>]
[ 161.079092] [<0005f1c9>]
[ 161.079095] [<0005f361>]
[ 161.079099] [<00002aa9>]
[ 161.079103] Code: 00 00 89 74 24 04 8d 4f 10 c7 44 24 0c 84 64 00 00
89 44 24 08 89 14 24 ff d1 83 ec 10 e9 54 f7 ff ff 8d 76 00 88 d0 24 f0
0c 09 <88> 41 05 e9 1d f7 ff ff b8 00 07 00 00 0f 23 f8 ba 00 07 00 00
[ 161.079136]
root at alnitak:~ # cat /proc/modules
vmnet 0 0 26070 868 13 - Live 0xc0740000 0xf06a6000
parport_pc 0 0 17048 4868 0 - Live 0xc073a000 0xf06a3000
parport 0 0 20688 1224 1 parport_pc, Live 0xc0733000 0xf06a1000
vmmon 0 0 42895 51244 2 - Live 0xc0727000 0xf0693000
ipt_state 0 0 140 448 2 - Live 0xc0725000 0xf0664000
iptable_filter 0 0 385 576 1 - Live 0xc0723000 0xf0656000
iptable_nat 0 0 3297 772 0 - Live 0xc0721000 0xf0652000
ip_nat 0 0 8422 1716 1 iptable_nat, Live 0xc071d000 0xf064e000
ip_conntrack 0 0 23048 5040 3 ipt_state,iptable_nat,ip_nat, Live 0xc0716000 0xf064b000
ip_tables 0 0 13192 1024 3 ipt_state,iptable_filter,iptable_nat, Live 0xc0711000 0xf0649000
nfsd 0 0 45364 4936 13 - Live 0xc0704000 0xf0646000
exportfs 0 0 2764 448 1 nfsd, Live 0xc0702000 0xf0644000
lockd 0 0 33000 3336 2 nfsd, Live 0xc06f8000 0xf0642000
sunrpc 0 0 80804 16828 8 nfsd,lockd, Live 0xc06e3000 0xf063c000
af_packet 0 0 9976 1032 0 - Live 0xc06df000 0xf063a000
pcmcia 0 0 19728 1188 2 - Live 0xc06d9000 0xf0638000
firmware_class 0 0 3536 704 1 pcmcia, Live 0xc06d7000 0xf0636000
yenta_socket 0 0 13669 2380 2 - Live 0xc06d2000 0xf0632000
rsrc_nonstatic 0 0 6992 576 1 yenta_socket, Live 0xc06cf000 0xf0630000
pcmcia_core 0 0 21247 1104 3 pcmcia,yenta_socket,rsrc_nonstatic, Live 0xc06c8000 0xf062e000
snd_pcm_oss 0 0 32878 2400 0 - Live 0xc06be000 0xf062c000
snd_mixer_oss 0 0 10572 1088 1 snd_pcm_oss, Live 0xc06ba000 0xf062a000
snd_seq_oss 0 0 20108 1152 0 - Live 0xc06b4000 0xf0628000
snd_seq_midi_event 0 0 2148 832 1 snd_seq_oss, Live 0xc06b2000 0xf0650000
snd_seq 0 0 28843 2512 4 snd_seq_oss,snd_seq_midi_event, Live 0xc06a9000 0xf0626000
snd_seq_device 0 0 3616 460 2 snd_seq_oss,snd_seq, Live 0xc06a7000 0xf0659000
snd_intel8x0m 0 0 6986 1796 0 - Live 0xc06a4000 0xf0662000
snd_intel8x0 0 0 14478 4768 0 - Live 0xc069f000 0xf0667000
snd_ac97_codec 0 0 66156 2684 2 snd_intel8x0m,snd_intel8x0, Live 0xc068d000 0xf047c000
snd_ac97_bus 0 0 172 704 1 snd_ac97_codec, Live 0xc068b000 0xf047a000
snd_pcm 0 0 52336 2504 4 snd_pcm_oss,snd_intel8x0m,snd_intel8x0,snd_ac97_codec, Live 0xc067d000 0xf0478000
snd_timer 0 0 12612 708 2 snd_seq,snd_pcm, Live 0xc0678000 0xf0476000
snd 0 0 27272 1508 10 snd_pcm_oss,snd_mixer_oss,snd_seq_oss,snd_seq,snd_seq_device,snd_intel8x0m,snd_intel8x0,snd_ac97_codec,snd_pcm,snd_timer, Live 0xc0670000 0xf0474000
snd_page_alloc 0 0 4700 456 3 snd_intel8x0m,snd_intel8x0,snd_pcm, Live 0xc066d000 0xf007e000
aes 0 0 11583 16960 1 - Live 0xc0669000 0xf005d000
tcp_westwood 0 0 867 512 0 - Live 0xc0667000 0xf0054000
hdaps 0 0 3768 2480 0 - Live 0xc0665000 0xf0052000
hwmon 0 0 392 404 0 - Live 0xc0663000 0xf0050000
cpufreq_stats 0 0 1236 516 0 - Live 0xc0661000 0xf004e000
acpi_cpufreq 0 0 2040 520 1 - Live 0xc065f000 0xf004c000
freq_table 0 0 1212 452 2 cpufreq_stats,acpi_cpufreq, Live 0xc065d000 0xf006c000
ide_cd 0 0 29000 1796 0 - Live 0xc0654000 0xf004a000
cdrom 0 0 27992 2080 1 ide_cd, Live 0xc064c000 0xf0048000
uhci_hcd 0 0 23203 848 0 - Live 0xc0645000 0xf0046000
usbcore 0 0 72653 4480 2 uhci_hcd, Live 0xc0632000 0xf0043000
i915 0 0 11544 1216 1 - Live 0xc062e000 0xf0041000
drm 0 0 46268 1492 2 i915, Live 0xc0621000 0xf003f000
intel_agp 0 0 10132 2972 1 - Live 0xc061d000 0xf0070000
agpgart 0 0 17469 1032 3 drm,intel_agp, Live 0xc0617000 0xf0038000
soundcore 0 0 2979 608 1 snd, Live 0xc0615000 0xf0078000
psmouse 0 0 22293 2820 0 - Live 0xc060e000 0xf0036000
e100 0 0 23854 1984 0 - Live 0xc0607000 0xf0412000
buffer at alnitak:/boot$ grep 00002f System.map-2.6.14-grsec
00002f50 T show_stack
00002fe0 T dump_stack
buffer at alnitak:/boot$ grep 000031 System.map-2.6.14-grsec
000031c0 t handle_BUG
buffer at alnitak:/boot$ grep 000033 System.map-2.6.14-grsec
000033b0 T do_divide_error
buffer at alnitak:/boot$ grep 000032 System.map-2.6.14-grsec
00003280 T die
buffer at alnitak:/boot$ grep 001b7 System.map-2.6.14-grsec
0001b7b0 T ptrace_readdata
001b7110 T rwsem_down_write_failed
001b7270 T __down
001b7340 T __down_interruptible
001b743c T __sched_text_end
001b7440 T __kprobes_text_start
001b7440 T __lock_text_end
001b7440 T __lock_text_start
001b7440 T debug
001b7451 t debug_esp_fix_insn
001b7460 t debug_stack_correct
001b7484 T int3
001b74a8 T general_protection
001b74b4 T page_fault
001b74c0 t do_trap
001b7570 T do_general_protection
001b76f0 T do_debug
001b77c0 T do_page_fault
001b7e04 T __kprobes_text_end
buffer at alnitak:/boot$ grep 00002c System.map-2.6.14-grsec
000002c0 t init
00002c5c t common_interrupt
00002c7c T divide_error
00002c84 t error_code
00002cd8 T coprocessor_error
00002ce4 T simd_coprocessor_error
00002cf0 T device_not_available
buffer at alnitak:/boot$ grep 0005f0 System.map-2.6.14-grsec
0005f010 T kill_fasync
0005f030 t do_ioctl
0005f0a0 t file_ioctl
buffer at alnitak:/boot$ grep 0005f1 System.map-2.6.14-grsec
0005f170 T vfs_ioctl
buffer at alnitak:/boot$ grep 0005f3 System.map-2.6.14-grsec
0005f310 T sys_ioctl
0005f390 T vfs_readdir
buffer at alnitak:/boot$ grep 00002a System.map-2.6.14-grsec
00002a70 T system_call
00002aa2 t syscall_call
00002aad t syscall_exit
00002abc t restore_all
00002ad4 t restore_nocheck
00002ae1 t ldt_ss
root at alnitak:/boot # grep 0032 System.map-2.6.14-grsec
00003280 T die
00032090 t page_cache_read
00032160 T filemap_nopage
000324b0 t filemap_getpage
00032630 T filemap_populate
00032760 T generic_file_mmap
000327b0 T generic_file_readonly_mmap
000327e0 T read_cache_page
00032a20 T remove_suid
00032aa0 T __filemap_copy_from_user_iovec
00032b50 T generic_file_direct_write
00032c80 T generic_file_buffered_write
c0600327 r __kstrtab_match_strdup
root at alnitak:/boot # grep 0033 System.map-2.6.14-grsec
000033b0 T do_divide_error
00033250 t __generic_file_aio_write_nolock
00033710 T generic_file_aio_write_nolock
000337a0 t __generic_file_write_nolock
00033840 T generic_file_write_nolock
000338e0 T generic_file_aio_write
000339c0 T generic_file_write
00033a70 T generic_file_readv
00033b10 T generic_file_writev
00033bc0 t generic_file_direct_IO
00033cf0 T generic_write_checks
00033f7d t .text.lock.filemap
00033ff0 t add_element
c0600334 r __kstrtab_half_md4_transform
root at alnitak:/boot # grep lock_kernel System.map-2.6.14-grsec
root at alnitak:/boot # grep unlock_kernel System.map-2.6.14-grsec
[ 161.078921] PAX: vmware-vmx:19216, uid/euid: 1000/1000, attempted to modify kernel code at virtual address c05bd085
[ 161.078926] printing eip:
[ 161.078928] 0032da06
[ 161.078930] *pgd = 4001e1
[ 161.078932] *pmd = 4001e1
[ 161.078934] Oops: 0003 [#1]
[ 161.078948] Modules linked in: vmnet parport_pc parport vmmon
ipt_state iptable_filter iptable_nat ip_nat ip_conntrack ip_tables nfsd
exportfs lockd sunrpc af_packet pcmcia firmware_class yenta_socket
rsrc_nonstatic pcmcia_core snd_pcm_oss snd_mixer_oss snd_seq_oss
snd_seq_midi_event snd_seq snd_seq_device snd_intel8x0m snd_intel8x0
snd_ac97_codec snd_ac97_bus snd_pcm snd_timer snd snd_page_alloc aes
tcp_westwood hdaps hwmon cpufreq_stats acpi_cpufreq freq_table ide_cd
cdrom uhci_hcd usbcore i915 drm intel_agp agpgart soundcore psmouse e100
[ 161.078995] CPU: 0
[ 161.078996] EIP: 0060:[<0032da06>] Tainted: P VLI
[ 161.078997] EFLAGS: 00213082 (2.6.14-hardened-r3)
[ 161.079007] eax: 00000089 ebx: 000006d0 ecx: c05bd080 edx: 0000008b
[ 161.079014] esi: f06a8400 edi: f06a8000 ebp: dfd5fb1c esp: dfd5fabc
[ 161.079019] ds: 007b es: 007b ss: 0068
[ 161.079024] Process vmware-vmx (pid: 19216, threadinfo=dfd5e000
task=e4016030)
[ 161.079027] Stack: dfd5faee dfd5faef 5a5a5a5a 5a5a5a5a
b7f010d8 8005003b 00203246 00000088
[ 161.079037] 00000000 00000033 00000000 e7636000
00000000 d00000ff 5a5ac05b 5a5a5a5a
[ 161.079046] 5a5a5a5a d00000ff 5a5ac05b 5a5a5a5a
5a5a5a5a f06a8000 e7636000 00000000
[ 161.079056] Call Trace:
[ 161.079061] [<00002fca>] [show_stack]
[ 161.079065] [<00003149>] [handle_BUG]
[ 161.079069] [<0000333b>] [die]
[ 161.079073] [<001b7ac7>] [do_page_fault]
[ 161.079076] [<00002cd3>] [error_code]
[ 161.079080] [<00330167>] [NOT FOUND]
[ 161.079084] [<00327ddf>] [NOT FOUND]
[ 161.079088] [<0005f078>] [do_ioctl]
[ 161.079092] [<0005f1c9>] [vfs_ioctl]
[ 161.079095] [<0005f361>] [sys_ioctl]
[ 161.079099] [<00002aa9>] [syscall_call]
[ 161.079103] Code: 00 00 89 74 24 04 8d 4f 10 c7 44 24 0c 84 64 00 00
89 44 24 08 89 14 24 ff d1 83 ec 10 e9 54 f7 ff ff 8d 76 00 88 d0 24 f0
0c 09 <88> 41 05 e9 1d f7 ff ff b8 00 07 00 00 0f 23 f8 ba 00 07 00 00
[ 161.079136]
I was not able to find the two entries in System.map after do_ioctl in
the call trace. After these two calls it seems we fall into a page fault
and subsequently die. Taking a look at the source code and the Oops
message I can see that this happens here, in the code labeled no_context.
I removed the code compiled if CONFIG_X86_PAE and
CONFIG_GRKERNSEC_PROC_IPADDR are defined, since here they are not defined
(see .config). Moreover I added a few comments.
no_context:
        /* Are we prepared to handle this kernel fault? */
        if (fixup_exception(regs))
                return;         <-- NOTE: the exception is NOT fixed, so we
                                are not here because of a copy_from_user
                                maybe needed by the ioctl. In that case,
                                in fact, the fixup code would be executed
                                and we'd see a nice -EFAULT and nothing
                                more.

        /*
         * Valid to do another page fault here, because if this fault
         * had been triggered by is_prefetch fixup_exception would have
         * handled it.
         */
        if (is_prefetch(regs, address, error_code))
                return;         <-- Not important finally

        /*
         * Oops. The kernel tried to access some bad page. We'll have to
         * terminate things with extreme prejudice.
         */
        bust_spinlocks(1);

        if (address < PAGE_SIZE)
                printk(KERN_ALERT "Unable to handle kernel NULL pointer dereference");
                ^
                |
                --------------- This printk is NOT executed, so we are
                                falling in kernel space virtual memory
        else if (init_mm.start_code <= address &&
                 address < (unsigned long)MODULES_END) {
                printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
                       tsk->comm, tsk->pid, tsk->uid, tsk->euid);
        }
        ^
        |
        ------------------- So this is what's happening! We are deep inside
                            kernel code and vmware-vmx is trying to modify
                            the kernel text...
root at alnitak:/boot # grep c05bd0 System.map-2.6.14-grsec
c05bd000 R cpu_gdt_table
Well, it seems vmware tried to modify the GDT, causing a page fault due
to the non-writability enforced by KERNEXEC!
        else
                printk(KERN_ALERT "Unable to handle kernel paging request");
        printk(" at virtual address %08lx\n", address);
        printk(KERN_ALERT " printing eip:\n");
        printk("%08lx\n", regs->eip);
        [..]
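As an added example (my code, not part of the mail), the address lookups done above by hand with grep, and the final resolution of the fault address to cpu_gdt_table, as a small script over a System.map excerpt constructed from the greps the mail shows. Two assumptions: max_off is a heuristic cutoff, because System.map carries no symbol sizes, and the excerpt only has the symbols the greps printed, so a frame whose real function was not grepped (0x3149, say) is attributed to the previous listed symbol.

```python
# Added example, not from the mail: symbolize the Oops call trace against
# System.map as the grep sessions do, and locate the fault in cpu_gdt_table.
import bisect

# Constructed System.map excerpt, copied from the grep output in the mail.
SYSTEM_MAP = """\
00002a70 T system_call
00002aa2 t syscall_call
00002c84 t error_code
00002f50 T show_stack
00002fe0 T dump_stack
000031c0 t handle_BUG
00003280 T die
0005f030 t do_ioctl
0005f170 T vfs_ioctl
0005f310 T sys_ioctl
001b77c0 T do_page_fault
001b7e04 T __kprobes_text_end
c05bd000 R cpu_gdt_table
"""
# Call trace from the Oops; the PAX fault address is ecx (c05bd080) + 5,
# exactly the byte the faulting "<88> 41 05" (mov %al,0x5(%ecx)) writes.
TRACE = [0x2fca, 0x3149, 0x333b, 0x1b7ac7, 0x2cd3, 0x330167, 0x327ddf,
         0x5f078, 0x5f1c9, 0x5f361, 0x2aa9]
FAULT_ADDR = 0xc05bd085

def parse_system_map(text):
    """System.map lines -> sorted list of (address, type, name)."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return sorted((int(a, 16), t, n) for a, t, n in rows)

def resolve(addr, syms, types="Tt", max_off=0x10000):
    """Nearest preceding symbol of the given types, as (name, offset).
    System.map has no sizes, so max_off is an assumed heuristic: a larger
    offset means the address is past the kernel's own symbols (module code,
    for instance) and None is returned, the mail's "NOT FOUND"."""
    cand = [s for s in syms if s[1] in types]
    addrs = [s[0] for s in cand]
    i = bisect.bisect_right(addrs, addr) - 1
    if i < 0 or addr - addrs[i] > max_off:
        return None
    return cand[i][2], addr - addrs[i]

def symbolize(trace, syms):
    """One 'name+0xoff' or 'NOT FOUND' per frame, like the annotated trace."""
    return ["NOT FOUND" if r is None else "%s+0x%x" % r
            for r in (resolve(a, syms) for a in trace)]

def gdt_slot(fault_addr, syms):
    """(descriptor index, byte in it) for a fault inside cpu_gdt_table;
    descriptors are 8 bytes and byte 5 is the access byte (type/DPL/P)."""
    r = resolve(fault_addr, syms, types="Rr")
    return None if r is None or r[0] != "cpu_gdt_table" else divmod(r[1], 8)
```

Running symbolize(TRACE, ...) reproduces the two NOT FOUND frames after do_ioctl, and gdt_slot(FAULT_ADDR, ...) shows the write landed on the access byte of GDT descriptor 16.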
This leads to the conclusion that KERNEXEC^Vmware?(c) Theo De Raadt
:PPPPPP
Regards,
--
Angelo Dell'Aera 'buffer'
Antifork Research, Inc. http://buffer.antifork.org
Metro Olografix
PGP information in e-mail header