[grsec] PAX_REFCOUNT doesn't work

Carlos Carvalho carlos at fisica.ufpr.br
Mon Sep 1 22:52:36 EDT 2008


pageexec at freemail.hu (pageexec at freemail.hu) wrote on 2 September 2008 00:13:
>On 1 Sep 2008 at 19:05, Carlos Carvalho wrote:
>
>> I tried the new PAX_REFCOUNT in our main server. After some hours of
>> operation the dns server crashed and wouldn't restart, some firefox
>> processes were stuck in D state and nfs didn't answer any more. I
>> removed this option in the kernel and the machine is fine after 7
>> hours.
>> 
>> If you need more details just ask. I'm not sure which info would be
>> useful.
>
>could you check your kernel logs for any possibly related messages
>(oops or a direct report from PaX)?

I should have checked myself... There are several invalid opcode ones.
I don't have the original kernel binary anymore but I recompiled it
with refcount enabled and used

ksymoops -v ./vmlinux -m ./System.map

to try to recover something. There's no /proc/ksyms in the machine.
The kernel is compiled without modules.

The result is 2,000 lines long; here are the first ones. If it makes
sense to you I can send the whole stuff.

ksymoops 2.4.11 on i686 2.6.26.3.  Options used
     -v vmlinux (specified)
     -k /proc/ksyms (default)
     -l /proc/modules (default)
     -o /lib/modules/2.6.26.3/ (default)
     -m System.map (specified)

Error (regular_file): read_ksyms stat /proc/ksyms failed
No modules in ksyms, skipping objects
No ksyms, skipping lsmod
Sep  1 07:15:53 hoggar Pid: 19096, comm: iceape-bin Not tainted (2.6.26.3 #1)
Sep  1 07:15:53 hoggar EIP: 0060:[<00193895>] EFLAGS: 00210297 CPU: 1
Using defaults from ksymoops -t elf32-i386 -a i386
Sep  1 07:15:53 hoggar EAX: 00000001 EBX: b132cde8 ECX: 00000001 EDX: f3be83f8
Sep  1 07:15:53 hoggar ESI: ae281000 EDI: 00000006 EBP: f1e0d0d0 ESP: f3a9ce8c
Sep  1 07:15:53 hoggar DS: 0068 ES: 0068 FS: 00d8 GS: 0033 SS: 0068
Sep  1 07:15:53 hoggar Stack: 0000fba6 f3a9cfb8 f3be83f8 f3be83c0 00000001 00000001 afbbc040 04000001 
Sep  1 07:15:53 hoggar 00000000 00000000 00000004 00000000 00000001 00000000 c0c717dc c0c717d8 
Sep  1 07:15:53 hoggar f3be83c0 f0a34ee4 00000000 c79e8404 00000001 00000000 00186000 00000186 
Sep  1 07:15:53 hoggar Call Trace:
Sep  1 07:15:53 hoggar [<0000fba6>] <0> [<00186000>] <0> [<00031089>] <0> [<00007c05>] <0> [<000adfd6>] <0> [<000025b1>] <0> [<00003db8>] <0> [<000025b1>] <0> [<0000fa10>] <0> [<001928b5>] <0> =======================
Sep  1 07:15:53 hoggar Code: 49 08 e9 43 67 e9 ff f0 ff 0d 00 b2 c1 c0 e9 41 67 e9 ff f0 ff 0d 00 b2 c1 c0 e9 47 6a e9 ff f0 ff 0d 00 b2 c1 c0 e9 da 6a e9 ff <f0> 83 e9 01 e9 8c 74 e9 ff 89 10 e9 ba 74 e9 ff 89 10 e9 c5 74 


>>EIP; 00193895 <_etext+bca/6d335>   <=====

>>EBX; b132cde8 <phys_startup_32+b0b2bde8/bfa00000>
>>EDX; f3be83f8 <pg0+32f3e3f8/3ed6b000>
>>ESI; ae281000 <phys_startup_32+ada80000/bfa00000>
>>EBP; f1e0d0d0 <pg0+311630d0/3ed6b000>
>>ESP; f3a9ce8c <pg0+32df2e8c/3ed6b000>

Trace; 0000fba6 <do_page_fault+1a6/6c4>

Code;  0019386a <_etext+b9f/6d335>
00000000 <_EIP>:
Code;  0019386a <_etext+b9f/6d335>
   0:   49                        dec    %ecx
Code;  0019386b <_etext+ba0/6d335>
   1:   08 e9                     or     %ch,%cl
Code;  0019386d <_etext+ba2/6d335>
   3:   43                        inc    %ebx
Code;  0019386e <_etext+ba3/6d335>
   4:   67 e9 ff f0 ff 0d         addr16 jmp dfff109 <_EIP+0xdfff109>
Code;  00193874 <_etext+ba9/6d335>
   a:   00 b2 c1 c0 e9 41         add    %dh,0x41e9c0c1(%edx)
Code;  0019387a <_etext+baf/6d335>
  10:   67 e9 ff f0 ff 0d         addr16 jmp dfff115 <_EIP+0xdfff115>
Code;  00193880 <_etext+bb5/6d335>
  16:   00 b2 c1 c0 e9 47         add    %dh,0x47e9c0c1(%edx)
Code;  00193886 <_etext+bbb/6d335>
  1c:   6a e9                     push   $0xffffffe9
Code;  00193888 <_etext+bbd/6d335>
  1e:   ff f0                     push   %eax
Code;  0019388a <_etext+bbf/6d335>
  20:   ff 0d 00 b2 c1 c0         decl   0xc0c1b200
Code;  00193890 <_etext+bc5/6d335>
  26:   e9 da 6a e9 ff            jmp    ffe96b05 <_EIP+0xffe96b05>
Code;  00193895 <_etext+bca/6d335>   <=====
  2b:   f0 83 e9 01               lock sub $0x1,%ecx   <=====
Code;  00193899 <_etext+bce/6d335>
  2f:   e9 8c 74 e9 ff            jmp    ffe974c0 <_EIP+0xffe974c0>
Code;  0019389e <_etext+bd3/6d335>
  34:   89 10                     mov    %edx,(%eax)
Code;  001938a0 <_etext+bd5/6d335>
  36:   e9 ba 74 e9 ff            jmp    ffe974f5 <_EIP+0xffe974f5>
Code;  001938a5 <_etext+bda/6d335>
  3b:   89 10                     mov    %edx,(%eax)
Code;  001938a7 <_etext+bdc/6d335>
  3d:   e9                        .byte 0xe9
Code;  001938a8 <_etext+bdd/6d335>
  3e:   c5                        .byte 0xc5
Code;  001938a9 <_etext+bde/6d335>
  3f:   74                        .byte 0x74

Sep  1 07:15:53 hoggar EIP: [<00193895>]  SS:ESP 0068:f3a9ce8c
Warning (Oops_read): Code line not seen, dumping what data is available


>>EIP; 00193895 <_etext+bca/6d335>   <=====

Sep  1 07:41:20 hoggar Pid: 19935, comm: firefox-bin Tainted: G      D   (2.6.26.3 #1)
Sep  1 07:41:20 hoggar EIP: 0060:[<00193895>] EFLAGS: 00210202 CPU: 1
Sep  1 07:41:20 hoggar EAX: 00000000 EBX: afae7de8 ECX: 00000002 EDX: e56cbaf8
Sep  1 07:41:20 hoggar ESI: aef6c010 EDI: 00000006 EBP: c7e29bb0 ESP: c7e24e74
Sep  1 07:41:20 hoggar DS: 0068 ES: 0068 FS: 00d8 GS: 0033 SS: 0068
Sep  1 07:41:20 hoggar Stack: 0000fba6 c7e24fa0 e56cbaf8 e56cbac0 00000000 00000001 ae37706c c7e24e30 
Sep  1 07:41:20 hoggar 00000000 c7e29bb0 00013c24 c7e24e40 00000000 ae377040 ffffffea c7e24ec8 
Sep  1 07:41:20 hoggar 00000000 c7e24ec8 0002f7e4 00000001 c0c7114c ae377000 e56cbac0 0000006c 
Sep  1 07:41:20 hoggar Call Trace:
Sep  1 07:41:20 hoggar [<0000fba6>] <0> [<00013c24>] <0> [<0002f7e4>] <0> [<0003078a>] <0> [<000025b1>] <0> [<00003db8>] <0> [<00031089>] <0> [<00031089>] <0> [<0000fa10>] <0> [<001928b5>] <0> =======================
Sep  1 07:41:20 hoggar Code: 49 08 e9 43 67 e9 ff f0 ff 0d 00 b2 c1 c0 e9 41 67 e9 ff f0 ff 0d 00 b2 c1 c0 e9 47 6a e9 ff f0 ff 0d 00 b2 c1 c0 e9 da 6a e9 ff <f0> 83 e9 01 e9 8c 74 e9 ff 89 10 e9 ba 74 e9 ff 89 10 e9 c5 74 


>>EIP; 00193895 <_etext+bca/6d335>   <=====

>>EBX; afae7de8 <phys_startup_32+af2e6de8/bfa00000>
>>EDX; e56cbaf8 <pg0+24a21af8/3ed6b000>
>>ESI; aef6c010 <phys_startup_32+ae76b010/bfa00000>
>>EBP; c7e29bb0 <pg0+717fbb0/3ed6b000>
>>ESP; c7e24e74 <pg0+717ae74/3ed6b000>

Trace; 0000fba6 <do_page_fault+1a6/6c4>

Code;  0019386a <_etext+b9f/6d335>
00000000 <_EIP>:
Code;  0019386a <_etext+b9f/6d335>
   0:   49                        dec    %ecx
Code;  0019386b <_etext+ba0/6d335>
   1:   08 e9                     or     %ch,%cl
Code;  0019386d <_etext+ba2/6d335>
   3:   43                        inc    %ebx
Code;  0019386e <_etext+ba3/6d335>
   4:   67 e9 ff f0 ff 0d         addr16 jmp dfff109 <_EIP+0xdfff109>
Code;  00193874 <_etext+ba9/6d335>
   a:   00 b2 c1 c0 e9 41         add    %dh,0x41e9c0c1(%edx)
Code;  0019387a <_etext+baf/6d335>
  10:   67 e9 ff f0 ff 0d         addr16 jmp dfff115 <_EIP+0xdfff115>
Code;  00193880 <_etext+bb5/6d335>
  16:   00 b2 c1 c0 e9 47         add    %dh,0x47e9c0c1(%edx)
Code;  00193886 <_etext+bbb/6d335>
  1c:   6a e9                     push   $0xffffffe9
Code;  00193888 <_etext+bbd/6d335>
  1e:   ff f0                     push   %eax
Code;  0019388a <_etext+bbf/6d335>
  20:   ff 0d 00 b2 c1 c0         decl   0xc0c1b200
Code;  00193890 <_etext+bc5/6d335>
  26:   e9 da 6a e9 ff            jmp    ffe96b05 <_EIP+0xffe96b05>
Code;  00193895 <_etext+bca/6d335>   <=====
  2b:   f0 83 e9 01               lock sub $0x1,%ecx   <=====
Code;  00193899 <_etext+bce/6d335>
  2f:   e9 8c 74 e9 ff            jmp    ffe974c0 <_EIP+0xffe974c0>
Code;  0019389e <_etext+bd3/6d335>
  34:   89 10                     mov    %edx,(%eax)
Code;  001938a0 <_etext+bd5/6d335>
  36:   e9 ba 74 e9 ff            jmp    ffe974f5 <_EIP+0xffe974f5>
Code;  001938a5 <_etext+bda/6d335>
  3b:   89 10                     mov    %edx,(%eax)
Code;  001938a7 <_etext+bdc/6d335>
  3d:   e9                        .byte 0xe9
Code;  001938a8 <_etext+bdd/6d335>
  3e:   c5                        .byte 0xc5
Code;  001938a9 <_etext+bde/6d335>
  3f:   74                        .byte 0x74
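A small triage script for oops records of the shape quoted above, added here as an example and not part of the report or of PaX: it groups oopses by EIP so that repeats at one address (both records above fault at 00193895) stand out, and decodes the bytes from the bracketed <f0> onward when they are a LOCK add/sub immediate, the form an atomic add or subtract takes on i386. The sample log is a constructed excerpt of the two records above; the function names are assumptions.

```python
import re
# Constructed sample: the two oops records quoted above, cut down to the lines the parser uses.
SAMPLE_LOG = """\
Sep  1 07:15:53 hoggar Pid: 19096, comm: iceape-bin Not tainted (2.6.26.3 #1)
Sep  1 07:15:53 hoggar EIP: 0060:[<00193895>] EFLAGS: 00210297 CPU: 1
Sep  1 07:15:53 hoggar Code: 49 08 e9 43 67 e9 ff f0 ff 0d 00 b2 c1 c0 e9 41 67 e9 ff f0 ff 0d 00 b2 c1 c0 e9 47 6a e9 ff f0 ff 0d 00 b2 c1 c0 e9 da 6a e9 ff <f0> 83 e9 01 e9 8c 74 e9 ff 89 10 e9 ba 74 e9 ff 89 10 e9 c5 74
Sep  1 07:41:20 hoggar Pid: 19935, comm: firefox-bin Tainted: G      D   (2.6.26.3 #1)
Sep  1 07:41:20 hoggar EIP: 0060:[<00193895>] EFLAGS: 00210202 CPU: 1
Sep  1 07:41:20 hoggar Code: 49 08 e9 43 67 e9 ff f0 ff 0d 00 b2 c1 c0 e9 41 67 e9 ff f0 ff 0d 00 b2 c1 c0 e9 47 6a e9 ff f0 ff 0d 00 b2 c1 c0 e9 da 6a e9 ff <f0> 83 e9 01 e9 8c 74 e9 ff 89 10 e9 ba 74 e9 ff 89 10 e9 c5 74
"""
PID_RE = re.compile(r"Pid: (\d+), comm: (\S+)")
EIP_RE = re.compile(r"EIP: [0-9a-f]{4}:\[<([0-9a-f]{8})>\]")  # register-dump form, not the SS:ESP summary line
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def parse_oopses(text):
    """Split a syslog excerpt into oops records; each record starts at a 'Pid:' line."""
    recs = []
    for line in text.splitlines():
        if m := PID_RE.search(line):
            recs.append({"pid": int(m.group(1)), "comm": m.group(2), "eip": None, "code": []})
        elif recs and (m := EIP_RE.search(line)) and recs[-1]["eip"] is None:
            recs[-1]["eip"] = m.group(1)
        elif recs and "Code: " in line:
            recs[-1]["code"] = line.split("Code: ", 1)[1].split()
    return recs

def faulting_bytes(toks, n=4):
    """Bytes starting at the one the kernel bracketed as <xx>, i.e. the byte at EIP."""
    for i, t in enumerate(toks):
        if t.startswith("<"):
            return bytes(int(x.strip("<>"), 16) for x in toks[i:i + n])
    return b""

def decode_lock_arith(b):
    """Decode LOCK add/sub imm8,reg32 (f0 83 /0|/5 ib); AT&T syntax, or None for anything else."""
    if len(b) < 4 or b[0] != 0xF0 or b[1] != 0x83 or b[2] >> 6 != 3:
        return None
    op = {0: "add", 5: "sub"}.get((b[2] >> 3) & 7)
    if op is None:
        return None
    imm = b[3] - 0x100 if b[3] & 0x80 else b[3]  # imm8 is sign-extended
    return f"lock {op} ${imm},%{REGS[b[2] & 7]}"

def summarize(text):
    """Group oopses by EIP so repeats at one address stand out, and decode the faulting bytes."""
    by_eip = {}
    for r in parse_oopses(text):
        by_eip.setdefault(r["eip"], []).append(r)
    return {e: (sorted(r["comm"] for r in rs), decode_lock_arith(faulting_bytes(rs[0]["code"])))
            for e, rs in by_eip.items()}
```

Because it works from the raw Code: bytes rather than symbol lookups, it does not depend on having the matching vmlinux, which the ksymoops run above could resolve only to _etext plus an offset.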
