
Mailing List Archive: Gentoo: Hardened

UDEREF vs. Apache MMAP

 

 



michael at orlitzky

Jan 7, 2011, 8:57 PM

Post #1 of 6 (835 views)
UDEREF vs. Apache MMAP

I was able to figure out my new apache problem. It seems that
PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
sometimes:

http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap

With UDEREF enabled and MMAP on, I get random inappropriate 206 response
codes everywhere causing headers, images, and CSS files to fail to
transfer properly.

This is sufficiently into the realm of what I consider voodoo. Is there
anything I can do to help narrow down the problem, or should I just
disable MMAP and be happy?
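One way to quantify the symptom described in this post, as an added example that is not part of the original thread: scan an access log for 206 (Partial Content) responses to requests that carried no `Range` header. It assumes a custom `LogFormat` that appends `%{Range}i` (shown in the comment); the format nickname, function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed LogFormat (not from the thread), appending the request's Range header:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Range}i\"" rangelog
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) "(?P<range>[^"]*)"$'
)

def find_unrequested_206(lines):
    """Return parsed entries answered with 206 although no Range was sent."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not in the assumed format; skip rather than guess
        # Apache logs "-" when the header is absent from the request.
        if m["status"] == "206" and m["range"] in ("", "-"):
            hits.append(m.groupdict())
    return hits

def summarize_by_path(hits):
    """Count suspicious 206 responses per requested path."""
    counts = Counter()
    for h in hits:
        parts = h["request"].split()
        counts[parts[1] if len(parts) >= 2 else h["request"]] += 1
    return counts

# Constructed sample lines in the assumed format (not real log data).
SAMPLE = [
    '192.0.2.10 - - [07/Jan/2011:20:41:02 -0500] "GET /css/site.css HTTP/1.1" 206 1843 "-"',
    '192.0.2.10 - - [07/Jan/2011:20:41:02 -0500] "GET /img/logo.png HTTP/1.1" 200 5120 "-"',
    '192.0.2.11 - - [07/Jan/2011:20:41:05 -0500] "GET /video/a.mp4 HTTP/1.1" 206 65536 "bytes=0-65535"',
    '192.0.2.12 - - [07/Jan/2011:20:41:09 -0500] "GET /css/site.css HTTP/1.1" 206 912 "-"',
    '192.0.2.12 - - [07/Jan/2011:20:41:09 -0500] "GET /index.html HTTP/1.1" 304 - "-"',
]

if __name__ == "__main__":
    for path, n in summarize_by_path(find_unrequested_206(SAMPLE)).most_common():
        print(f"{n:3d} unrequested 206 responses for {path}")
```

Comparing the counts with `EnableMMAP` on and off, or before and after a kernel change, turns "random 206s" into a number that can be attached to a bug report.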


pageexec at freemail

Jan 8, 2011, 4:09 AM

Post #2 of 6 (796 views)
Re: UDEREF vs. Apache MMAP

On 7 Jan 2011 at 23:57, Michael Orlitzky wrote:

> I was able to figure out my new apache problem. It seems that
> PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
> sometimes:

this one should have already been fixed in one of this week's patches,
but i'm not sure if it's in any hardened release yet. you could try the
latest grsec patch directly and see if it actually resolves the issue.


blueness at gentoo

Jan 8, 2011, 5:12 AM

Post #3 of 6 (806 views)
Re: UDEREF vs. Apache MMAP

On 01/07/2011 11:57 PM, Michael Orlitzky wrote:
> I was able to figure out my new apache problem. It seems that
> PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
> sometimes:
>
> http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap
>
> With UDEREF enabled and MMAP on, I get random inappropriate 206 response
> codes everywhere causing headers, images, and CSS files to fail to
> transfer properly.
>
> This is sufficiently into the realm of what I consider voodoo. Is there
> anything I can do to help narrow down the problem, or should I just
> disable MMAP and be happy?

It sounds like a problem in the way apache is doing the mmap and PaX is
killing it. The new stricter PaX rules don't allow the permission of
allocated pages to be changed, e.g. RW -> RX, or to be RWX. This has come
up elsewhere, see

http://bugs.gentoo.org/show_bug.cgi?id=329499

To verify my suspicion, an strace would be helpful. If you don't mind,
open up a bug with your findings, give your emerge --info, the flags you
used with apache, and an strace of apache going bad. This will be a
start for us.

--
Anthony G. Basile, Ph.D.
Gentoo Developer


blueness at gentoo

Jan 8, 2011, 10:22 AM

Post #4 of 6 (788 views)
Re: UDEREF vs. Apache MMAP

On 01/08/2011 07:09 AM, pageexec [at] freemail wrote:
> On 7 Jan 2011 at 23:57, Michael Orlitzky wrote:
>
>> I was able to figure out my new apache problem. It seems that
>> PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
>> sometimes:
>
> this one should have already been fixed in one of this week's patches,
> but i'm not sure if it's in any hardened release yet. you could try the
> latest grsec patch directly and see if it actually resolves the issue.
>

Okay Michael, can you try:

hardened-sources-2.6.32-r33

and/or

hardened-sources-2.6.36-r8

Both are based on the latest grsecurity-*-201101052002.patch

pipacs, was this the same as the python bug?

http://bugs.gentoo.org/show_bug.cgi?id=329499

--
Anthony G. Basile, Ph.D.
Gentoo Developer


michael at orlitzky

Jan 8, 2011, 12:21 PM

Post #5 of 6 (792 views)
Re: UDEREF vs. Apache MMAP

On 01/08/2011 01:22 PM, Anthony G. Basile wrote:
> On 01/08/2011 07:09 AM, pageexec [at] freemail wrote:
>> On 7 Jan 2011 at 23:57, Michael Orlitzky wrote:
>>
>>> I was able to figure out my new apache problem. It seems that
>>> PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
>>> sometimes:
>>
>> this one should have already been fixed in one of this week's patches,
>> but i'm not sure if it's in any hardened release yet. you could try the
>> latest grsec patch directly and see if it actually resolves the issue.
>>
>
> Okay Michael, can you try:
>
> hardened-sources-2.6.32-r33
>
> and/or
>
> hardened-sources-2.6.36-r8
>
> Both are based on the latest grsecurity-*-201101052002.patch

Back to normal with hardened-sources-2.6.36-r8. Thanks again guys.


pageexec at freemail

Jan 10, 2011, 3:16 AM

Post #6 of 6 (792 views)
Re: UDEREF vs. Apache MMAP

On 8 Jan 2011 at 13:22, Anthony G. Basile wrote:

> pipacs, was this the same as the python bug?
>
> http://bugs.gentoo.org/show_bug.cgi?id=329499

no, the python bug is due to MPROTECT having become more strict,
the net related issues were due to the recent tightening of
UDEREF/i386 and a small oversight in it.
