grsecurity forums

[kolargol]

Hi,

Since few days i am running on patch 4.9.9 (test) and today after server reboot i started to notice that python segfaults, example:

Code: Select all

grsec: From XX.XX.XX.XX: Segmentation fault occurred at            (nil) in /usr/bin/python2.7[bash:3388] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3241] uid/euid:0/0 gid/egid:0/0


running from bash:

Code: Select all

python
Segmentation fault


note that python was running fine on exactly same kernel for last few days. Any idea?

[kolargol]

ok I found more details about that, and here is weird behavior:

Code: Select all

root@xxx:~/gr# paxctl -v ./python2.7
PaX control v0.9
Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <[email protected]>

file ./python2.7 does not have a PT_PAX_FLAGS program header, try conversion
root@xxx:~/gr# ./python2.7 -c 'print "PAX"'
PAX
root@xxx:~/gr# paxctl -cm python2.7
file python2.7 had a PT_GNU_STACK program header, converted
root@xxx:~/gr# paxctl -v ./python2.7
PaX control v0.9
Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <[email protected]>

- PaX flags: -----m-x-e-- [./python2.7]
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
root@xxx:~/gr# ./python2.7 -c 'print "PAX"'
PAX
root@xxx:~/gr# cp python2.7 /usr/bin/python2.7
root@xxx:~/gr# /usr/bin/python2.7 -c 'print "PAX"'
Segmentation fault
root@xxx:~/gr# paxctl -v /usr/bin/python2.7
PaX control v0.9
Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <[email protected]>

- PaX flags: -----m-x-e-- [/usr/bin/python2.7]
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled


and in dmesg:

Code: Select all

grsec: From 10.0.100.104: Segmentation fault occurred at            (nil) in /usr/bin/python2.7[bash:4658] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5931] uid/euid:0/0 gid/egid:0/0


kernel 4.9.10 with corresponding grsec patch. grsec have almost all options enabled.

When i enable EMUTRAP:

Code: Select all

- PaX flags: -------xE--- [/usr/bin/python2.7]
        RANDEXEC is disabled
        EMUTRAMP is enabled


python works, but with that error in dmesg

Code: Select all

grsec: From 10.0.100.104: denied RWX mmap of <anonymous mapping> by /usr/bin/python2.7[python:5260] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:5931] uid/euid:0/0 gid/egid:0/0


what is that problem when copying binary with "-cm" flags? I have no occur that before.

[PaX Team]

do you have the xattr based PaX flag control mechanism enabled in the kernel and on your binaries? are there any xattr flags on the python binaries (both the original and the copy)? other than this, i can't think of a reason why a copy would behave differently.

[kolargol]

i do not use any additional attributes (flags are clean) on that binary. I have also tried gdb but it SIGSEGV with no stack. strace gives some clue:

Code: Select all

strace /usr/bin/python2.7
execve("/usr/bin/python2.7", ["/usr/bin/python2.7"], [/* 12 vars */]) = -1 EINVAL (Invalid argument)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
+++ killed by SIGSEGV +++
Segmentation fault


but i dont know what's that "Invalid argument" is and why only in that path...