grsecurity forums

[BlitzKrieg]

Hi guys.
I am not a developer so can't read kernel source code. I need to check if CONFIG_PAX_MEMORY_SANITIZE=y is working or not.
For example i can write a simple program to allocate buffer in memory and put something to it. Program execute free(buffer) when it stops. Run this prog, and than dump its memory through /proc/self/pagemap, translate virt. memory addressing to physical, stop that program and dump it again but with physical addresses. With kernel without PaX i will see the content of that buffer in dump those was dumped after program stops. And with kernel with Pax is will see nothing. Is it possible?

[PaX Team]

sure, you can access physical memory via /dev/mem (you'll have to disable GRKERNSEC_KMEM though).

[BlitzKrieg]

I used fmem project https://github.com/NateBrune/fmem to access the physical memory through /dev/fmem dev without /dev/mem restrictions.
I tried this but i don't see any difference with PaX or without it in real working.
This my real plan of testing^
1. Load kernel without PaX
2. Load this program

Code: Select all

#include <stdio.h>      /* printf, scanf, NULL */
#include <stdlib.h>     /* malloc, free, rand */

int main ()
{
    int i,n;
    char * buffer;
    i = 8192;

    buffer = (char*) malloc (i+1);
    if (buffer==NULL) exit (1);

    for (n=0; n<i; n++)
        buffer[n]=rand()%26+'a';
    buffer[i]='\0';
    sleep(30);
    printf("END\n");
    return 0;
}


3. Dump process memory with py script through /proc/pid/pagemap and /proc/pid/maps to file.
4. Translate virtual memory addresses from /proc/pid/maps to physical offset of /dev/fmem device and dump it to another file with py script.
(3 and 4 output files are the same at this time). At this step i see content of the buffer in "[heap]" section of the maps file. This script makes file with offsets too.
5. Wait while 2. program will end.
6. Dump memory from /dev/fmem with offset file 4. in another file. There is no buffer content in that dump contrary to my expectations.

I repeat this step for PaX kernel and there is no any principal differences between dumps.
What iam doing wrong?

[PaX Team]

i think the buffer size in your litmus test is too small; chances are that the kernel will have reused those freed process pages by the time you look at them. in other words, you're racing against kernel memory allocations (and thus page reuse) and you should probably use much larger buffers for your testing approach.

[BlitzKrieg]

Just right after then i send my last message just in case I tried to use a different buffer size. And then it was grow about 1Mb i find a little part of common strings in dumps. About 10-15%. If i use buffer about 10Mb common strings is about 70-80%.
Thansk a lot, you have confirmed that I did everything right.