Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
hardened-sources-3.11.1, 3.11.3 silently hang
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
r_pns
n00b
n00b


Joined: 02 Jul 2006
Posts: 25

PostPosted: Sun Sep 15, 2013 12:10 am    Post subject: hardened-sources-3.11.1, 3.11.3 silently hang Reply with quote

I tried hardened-sources-3.10.1-r1 and 3.10.10 with not-yet-hardened userland (default/linux/amd64/13.0/desktop profile). With either kernel, system randomly hanged during booting up or under some load (while building packages).

Unfortunately, there were no useful error messages; neither could I catch any through netconsole. The most relevant events logged before crashes were "resource overstep" denials for various resources. However, as far as I can understand, Grsecurity only logs those events, while the kernel denies requests beyond the limits anyway.
Code:
kernel: grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024

I would appreciate any help to debug and fix this issue.
Code:
# uname -mpi
x86_64 AMD Phenom(tm) II X4 940 Processor AuthenticAMD

Grsecurity config:
Code:
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set
CONFIG_GRKERNSEC_PROC_GID=0
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
CONFIG_GRKERNSEC_NO_RBAC=y
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
# CONFIG_GRKERNSEC_FORKFAIL is not set
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_DENYUSB is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6

CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_USERCOPY_SLABS=y
# PaX
CONFIG_PAX=y
# PaX Control
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_XATTR_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="or"
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
# CONFIG_PAX_MEMORY_STRUCTLEAK is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y


Last edited by r_pns on Tue Oct 15, 2013 11:45 pm; edited 3 times in total
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8597

PostPosted: Sun Sep 15, 2013 12:43 am    Post subject: Reply with quote

If you are seeing hangs, try enabling the various kernel debugging features for detecting deadlocks. These may enable the kernel to print some information when a hang occurs.
Back to top
View user's profile Send private message
r_pns
n00b
n00b


Joined: 02 Jul 2006
Posts: 25

PostPosted: Mon Sep 16, 2013 7:42 pm    Post subject: Reply with quote

Thank you for your advice, Hu!

I have enabled the following, which seems appropriate to me:
Code:
CONFIG_DEFAULT_MESSAGE_LOGLEVEL=7
CONFIG_MAGIC_SYSRQ=y
CONFIG_DEBUG_KERNEL=y
CONFIG_LOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_DETECT_HUNG_TASK=y
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
CONFIG_DEBUG_RT_MUTEXES=y
CONFIG_DEBUG_SPINLOCK=y
CONFIG_DEBUG_MUTEXES=y
CONFIG_FRAME_POINTER=y
CONFIG_EARLY_PRINTK=y
CONFIG_DEBUG_NMI_SELFTEST=y

Yet there was no success. The system hanged during compilation without any message. SysRq mechanism did not help either---there was no reaction to keystrokes.
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8597

PostPosted: Mon Sep 16, 2013 9:06 pm    Post subject: Reply with quote

That sounds more like a panic than a hang. Please test with non-hardened sources to determine whether the problem is a fundamental issue with this kernel series or is a problem introduced by the hardening patches.
Back to top
View user's profile Send private message
r_pns
n00b
n00b


Joined: 02 Jul 2006
Posts: 25

PostPosted: Mon Sep 16, 2013 9:41 pm    Post subject: Reply with quote

I can reproduce the issue with both hardened-sources-3.10.1-r1 and 3.10.10, while I have not seen any problem using gentoo-sources-3.10.7 (currently stable) for some time.

It's my fault I did not mention that earlier.

Now I'm going to try hardened-sources-3.11.


Last edited by r_pns on Tue Sep 17, 2013 5:51 am; edited 1 time in total
Back to top
View user's profile Send private message
666threesixes666
Veteran
Veteran


Joined: 31 May 2011
Posts: 1223
Location: 42.68n 85.41w

PostPosted: Tue Sep 17, 2013 2:57 am    Post subject: Reply with quote

ive 1 noted load hang on 3.10.10 loading firefox did it for me. it was strange, just video off, no monitor, system hanging in the background as far as i can tell, i don't have ssh setup or the other computer running right now to determine if it was going in the background still. ugg @ 3.9-11.x
_________________
cat /etc/*-release
Funtoo Linux - baselayout 2.2.0
consider this warning no. 1
http://ecx.images-amazon.com/images/I/81Ku-vxIb3L._SL1500_.jpg
http://wiki.gentoo.org/wiki/Special:Contributions/666threesixes666
Back to top
View user's profile Send private message
r_pns
n00b
n00b


Joined: 02 Jul 2006
Posts: 25

PostPosted: Wed Sep 18, 2013 8:27 pm    Post subject: Reply with quote

So, I have tested hardened-sources-3.11.1. The issue persisted.

666threesixes666, did you use hardened sources?
Back to top
View user's profile Send private message
r_pns
n00b
n00b


Joined: 02 Jul 2006
Posts: 25

PostPosted: Sat Oct 12, 2013 10:24 pm    Post subject: Reply with quote

The testing was quite limited, but I have not been able to reproduce this with hardened-sources-3.11.3 so far.
Back to top
View user's profile Send private message
r_pns
n00b
n00b


Joined: 02 Jul 2006
Posts: 25

PostPosted: Tue Oct 15, 2013 11:44 pm    Post subject: Reply with quote

Unfortunately, the issue has come back with 3.11.3. During usual desktop activity and apparently under some disk load the system got totally unresponsive. Still, no messages in netconsole nor elsewhere.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum