[grsec] kdeinit causes scheduling while atomic

pageexec at freemail.hu pageexec at freemail.hu
Sun Jul 23 08:08:09 EDT 2006


On 18 Jul 2006 at 9:58, Will Simoneau wrote:
> A scheduling while atomic just started showing up in the kernel log on
> my machine, which unfortunately is running an odd combination of
> non-vanilla patches. Maybe someone who knows at least some of the code
> can give me some hints tracking this down? Or maybe the grsecurity folks
> have an idea?

given that probably neither side is familiar with the other's patches,
you should try to reproduce this with only one patch first. in the meantime,
it'd help to find out what gets called at copy_process+0x614/0xdea, there's
probably a 'call' insn around copy_process+60f, you can use objdump to find
out who the target is.

> Patches applied on top of 2.6.17.6:
> grsecurity-2.1.9-2.6.17.4-200607120947
> suspend2-2.2.7-for-2.6.17 (without 9920-linus-basic-trace - that plus
> grsecurity gives rejects on vmlinux.lds.S)

from what i see, it's a trivial reject, you can apply it by hand after RODATA.

> ---cut here---
> PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
> PAX: terminating task: /usr/kde/3.5/bin/konqueror(konqueror):21177, uid/euid: 1000/1000, PC: 00000010, SP: 5953cf80
> PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
> PAX: bytes at SP-4: 00000010 00000003 5953cfb0 00000000 0000000a 0000001c 40488ef8 0000001d 5618e6e0 40083d30 00000000 00000003 55efdb83 40189c00 56108d92 56b09377 5618e6e0 5953d000 00000006 404eadb8 55f2bef8 
> ---end cut----
> 
> Call of a null function pointer?

it's interesting that at esp-4 you have 0x10, which happens to be the
faulting eip value as well. this can occur if the fault occurred not
due to a 'call' but rather a 'retn' insn, that is, a function was trying
to return to its caller, but the return address got overwritten on the
stack. now whether that happened due to some programming error or a
gcc/ssp bug is a good question. i'd first try to recompile it (and all
related libraries!) w/o ssp, it's known to have code generation bugs for
c++ code. if that cures the problem, you should enter it into the gentoo
bugzilla.

> Sometimes konqueror is killed by PaX, sometimes it dies on its own (I
> think with a segfault). I can reproduce this 100% of the time by firing
> up Konqueror and going to www.wikipedia.org, just before the front page
> loads the window disappears and leaves those traces behind. Other sites
> seem to work fine. The process either segfaults or is killed by PaX
> immediately after causing the scheduling while atomic.

you mean, the first mentioned schedule BUG triggered in kdeinit is related
to this crash in konqueror? or are you getting a schedule BUG in konqueror
as well? in any case, eliminating one variable at a time (like ssp) should
help you nail the bug(s) down.
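As an added example (not part of the thread, and not PaX or grsecurity code), here are two small triage helpers in Python that mechanise the two suggestions in the reply. The first parses the PaX report quoted above and applies the esp-4 == eip test: after a `ret` through an overwritten return address the stack pointer has already moved past the bogus word, so the word at SP-4 equals the faulting PC, whereas after an indirect `call` through a bad pointer the pushed return address sits at SP and PC is the pointer value. The second does the objdump step for the copy_process BUG frame: given symbol+offset (the return address printed in the trace), it finds the last `call` below that offset so the callee can be read off. The `objdump -d` excerpt it runs on is constructed and abridged; its addresses and the callee names hypothetical_callee_a/b/c are made up for the example, not taken from any real vmlinux.

```python
#!/usr/bin/env python3
"""Triage helpers for the two traces in this thread (added example, not PaX code).

parse_pax_report / classify_fault: the [esp-4] == eip reasoning from the reply.
find_call_before: the objdump step suggested for copy_process+0x614.
"""
import re
import sys

# The PaX lines quoted in the thread (taken from the mail, only reflowed).
PAX_REPORT = """\
PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /usr/kde/3.5/bin/konqueror(konqueror):21177, uid/euid: 1000/1000, PC: 00000010, SP: 5953cf80
PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
PAX: bytes at SP-4: 00000010 00000003 5953cfb0 00000000 0000000a 0000001c 40488ef8 0000001d 5618e6e0 40083d30 00000000 00000003 55efdb83 40189c00 56108d92 56b09377 5618e6e0 5953d000 00000006 404eadb8 55f2bef8
"""


def parse_pax_report(text):
    """Pull PC, SP and the dumped stack words (first word is at SP-4) out of a PaX report."""
    pc = sp = None
    stack = []
    for line in text.splitlines():
        m = re.search(r"PC: ([0-9a-fA-F]+), SP: ([0-9a-fA-F]+)", line)
        if m:
            pc, sp = int(m.group(1), 16), int(m.group(2), 16)
        m = re.match(r"PAX: bytes at SP-4: (.*)", line)
        if m:
            stack = [int(w, 16) for w in m.group(1).split()]
    if pc is None or not stack:
        raise ValueError("incomplete PaX report")
    return {"pc": pc, "sp": sp, "stack": stack}


def classify_fault(report):
    """'ret-to-overwritten-return-address' when the word at SP-4 is the faulting PC
    (a 'ret' popped it and esp moved on), else 'indirect-call-or-jmp' (a pushed
    return address, if any, would be the word at SP, i.e. stack[1])."""
    if report["stack"][0] == report["pc"]:
        return "ret-to-overwritten-return-address"
    return "indirect-call-or-jmp"


# Constructed, abridged 'objdump -d' excerpt. Addresses and the callee names
# hypothetical_callee_a/b/c are made up for this example (not from any real
# vmlinux); only the shape, a 5-byte e8 call ending at +0x614, mirrors the BUG trace.
OBJDUMP_SAMPLE = (
    "c0103000 <copy_process>:\n"
    "c0103000:\t55                   \tpush   %ebp\n"
    "c0103001:\t89 e5                \tmov    %esp,%ebp\n"
    "c0103003:\t83 ec 1c             \tsub    $0x1c,%esp\n"
    "c01035f8:\te8 03 0a 00 00       \tcall   c0104000 <hypothetical_callee_a>\n"
    "c01035fd:\t85 c0                \ttest   %eax,%eax\n"
    "c01035ff:\t0f 84 35 01 00 00    \tje     c010373a <copy_process+0x73a>\n"
    "c0103605:\t8b 45 08             \tmov    0x8(%ebp),%eax\n"
    "c0103608:\t89 04 24             \tmov    %eax,(%esp)\n"
    "c010360b:\t89 44 24 04          \tmov    %eax,0x4(%esp)\n"
    "c010360f:\te8 ec 0a 00 00       \tcall   c0104100 <hypothetical_callee_b>\n"
    "c0103614:\t85 c0                \ttest   %eax,%eax\n"
    "c0103616:\te8 e5 0b 00 00       \tcall   c0104200 <hypothetical_callee_c>\n"
    "\n"
    "c0103800 <another_symbol>:\n"
    "c0103800:\te8 fb 07 00 00       \tcall   c0104000 <hypothetical_callee_a>\n"
)

HEADER_RE = re.compile(r"^([0-9a-fA-F]+) <([^>]+)>:$")


def find_call_before(objdump_text, symbol, offset):
    """Return (offset_within_symbol, normalized insn) for the last 'call' inside
    `symbol` whose address is below symbol+offset, or None. A BUG frame printed
    as symbol+off is a return address, so this is the call that was in progress."""
    base = None
    best = None
    for line in objdump_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if base is not None:
                break                       # left the function of interest
            base = int(m.group(1), 16) if m.group(2) == symbol else None
            continue
        if base is None:
            continue
        parts = line.split("\t")            # objdump -d: "addr:\tbytes\tinsn"
        if len(parts) < 3:
            continue                        # blank line or byte-only continuation
        addr = int(parts[0].strip().rstrip(":"), 16)
        if addr >= base + offset:
            break
        insn = " ".join(parts[2].split())
        if insn.startswith("call"):
            best = (addr - base, insn)
    return best


if __name__ == "__main__":
    # Real use: objdump -d vmlinux | python3 triage.py copy_process 0x614
    if len(sys.argv) == 3:
        hit = find_call_before(sys.stdin.read(), sys.argv[1], int(sys.argv[2], 16))
        print("no call found" if hit is None else "%s+0x%x: %s" % (sys.argv[1], hit[0], hit[1]))
    else:
        r = parse_pax_report(PAX_REPORT)
        print("PC %08x, [SP-4] %08x -> %s" % (r["pc"], r["stack"][0], classify_fault(r)))
        print("copy_process+0x%x: %s" % find_call_before(OBJDUMP_SAMPLE, "copy_process", 0x614))
```

Run without arguments it works on the embedded samples; with a symbol and a hex offset it reads `objdump -d` output from stdin. The heuristic in `classify_fault` is only the first cut from the reply: a zero-length "execution attempt" at PC 0x10 with [SP-4] == 0x10 points at a `ret` through a clobbered return address, but it cannot say whether the clobbering was a bug in the program or in the compiler, which is why the reply recommends removing one variable (ssp) at a time.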
