On 3 Nov 2007 at 19:02, Brian Kroth wrote:

> > i'm almost sure it's a bug somewhere in vma mirroring as that's the
> > only thing i changed in .22 and on and it does play with page locking
> > (the bad page state is triggered because a to-be-freed page is still
> > locked, that means there's a missing unlock somewhere in the code,
> > but i couldn't figure it out from the code yet).
> 
> Where's the code for this?  I'm no kernel guru by any means, but I'd 
> still be interested to look at it and learn.

it's all of mm/memory.c:pax*mirror*pte() .

> So far this is only on that single machine, and only for nagios and 
> cacti.

based on the maps files, both cactid and nagios are PIEs. two questions:
are they the only PIEs on this system (that regularly run, that is) and
do you have PIEs on the other systems that don't show the symptoms?

> I rebuilt the kernel with the config that's attached.  I've 
> basically turned on a few more debug settings in the kernel and turned 
> off the randomization features of pax (CONFIG_PAX_ASLR) and the "remove 
> addresses" feature of grsec (CONFIG_GRKERNSEC_PROC_MEMMAP) like you 
> asked.  Tweaked my sec script to copy the maps files before killing the 
> offending processes.  Everything should be in the tar.  Let me know if 
> you need anything else.

ok, three more things please. first, 'echo 0 >| /proc/sys/kernel/randomize_va_space'
as well (in fact, you can re-enable ASLR in PaX, the sysctl controls it as
well), second, enable CONFIG_FRAME_POINTER (this will change memory.o so
i'll need it again), third, add the following patch on top of PaX (i think
it'll patch over grsec as well, maybe with offsets). note that it's most
likely whitespace damaged, but should be easy to copy/paste by hand:

--- linux-2.6.23-pax/mm/memory.c        2007-10-23 00:27:08.000000000 +0200
+++ linux-2.6.23-pax-debug/mm/memory.c  2007-11-04 01:33:04.000000000 +0100
@@ -1960,6 +1960,8 @@ gotten:
        }
        if (new_page)
                page_cache_release(new_page);
+       if (old_page && (old_page->flags & PG_locked))
+               printk("PAX: %u %08lx %08lx-%08lx %08lx\n", current->pid, 
address, vma->vm_start, vma->vm_end, vma->vm_pgoff);
        if (old_page)
                page_cache_release(old_page);
 unlock:
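Review bot: the condition `old_page->flags & PG_locked` on the first added line treats PG_locked as a bit mask, but in page-flags.h it is a bit index (bit 0), so the expression is always zero and the printk can never fire, which defeats the purpose of the debug patch. Use the kernel's own accessor instead: `if (old_page && PageLocked(old_page))`. Minor: give the printk a KERN_ level (e.g. `printk(KERN_ERR "PAX: ...")`) so the message is not filtered by the console loglevel on the reporter's box.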

i'll again need the logs (there will be more info in it because of the above)
and the maps file of the failing process.

> PS - would you like me to take this off list?

no need unless you don't want to leak any more of your host names
in kernel logs ;-). actually, attachments this big you can send me
directly and don't bother the list with it, but the discussion may
be interesting for others as well.

-- 
[EMAIL PROTECTED] mailing list