[grsec] Pax killing off Xorg, even with chpax -spmr and /dev/{mem, kmem} restrictions off

Ned Ludd solar at gentoo.org
Fri Aug 20 03:52:02 EDT 2004 

On Thu, 2004-08-12 at 19:22, fire-eyes wrote:
> I'm using grsecurity with kernel 2.6.7, with gradm 2.0.1. It keeps
> catching Xorg, even though i chpax -spmr Xorg bin, ideas? 
> 
> This is what I see:
> 
> PAX: execution attempt in: <anonymous mapping>, 081f4000-08254000
> 081f4000
> PAX: terminating task: /usr/X11R6/bin/Xorg(X):7129, uid/euid: 1007/0,
> PC: 08251d48, SP: 5f7974dc
> 
> What bothers me is that this all worked fine at work, on a system with
> the same distro etc.

Sounds like you need to paxctl the binary in question.

One way to tell if your distribution supports paxctl/PT_PAX_FLAGS is to
look at the elf header of the Xorg binary. If was compiled with
PT_PAX_FLAGS it should look something like so.

Xserver # readelf -l Xorg

Elf file type is DYN (Shared object file)
Entry point 0x300d0
There are 10 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg
Align
  PHDR           0x000034 0x00000034 0x00000034 0x00140 0x00140 R E 0x4
  INTERP         0x000174 0x00000174 0x00000174 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x00000000 0x00000000 0x202934 0x202934 R E
0x1000
  LOAD           0x20311c 0x0020311c 0x0020311c 0x31760 0x43364 RW 
0x1000
  DYNAMIC        0x2031f8 0x002031f8 0x002031f8 0x000f8 0x000f8 RW  0x4
  NOTE           0x000188 0x00000188 0x00000188 0x00020 0x00020 R   0x4
  GNU_EH_FRAME   0x2028e4 0x002028e4 0x002028e4 0x00014 0x00014 R   0x4
  STACK          0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
  GNU_RELRO      0x20311c 0x0020311c 0x0020311c 0x00edc 0x00edc R   0x1
  PAX_FLAGS      0x000000 0x00000000 0x00000000 0x00000 0x00000     0x4

------------------------------------------------------------------------------------------
As we can see this binary supports PAX_FLAGS and we need to set them.
Or you can do something like this.
readelf -l Xorg | grep PAX >/dev/null && echo I probably need to use
paxctl || echo I probably need to use chpax

Of course if you did not compile your kernel with one or the other 
support then everything above is moot.


> 
> _______________________________________________
> grsecurity mailing list
> grsecurity at grsecurity.net
> http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
-- 
Ned Ludd <solar at gentoo.org>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://grsecurity.net/pipermail/grsecurity/attachments/20040820/55bbd94b/attachment.pgp

More information about the grsecurity mailing list