Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Gentoo: Hardened

pthread_create problems on hardened x86

 

 

Gentoo hardened RSS feed   Index | Next | Previous | View Threaded


michael at orlitzky

Jul 31, 2012, 7:12 PM

Post #1 of 7 (842 views)
Permalink
pthread_create problems on hardened x86

I've got an old problem with clamd, which creates a bunch of threads.
Every so often the logs will show e.g.,

Jul 31 06:01:41 mx1 clamd[24070]: pthread_create failed
Jul 31 06:01:41 mx1 clamd[24070]: pthread_create failed
Jul 31 06:01:41 mx1 clamd[24070]: pthread_create failed
Jul 31 06:01:41 mx1 clamd[24070]: pthread_create failed

It doesn't cause any noticeable problems, so I've sort of left it alone
but tonight I dug in a little. The problem seems (somehow) related to
that box's hardening.

I'm using a test program that creates a bunch of threads and then just
kills them. On the box in question,

# uname -a
Linux mx1 3.4.2-hardened #1 SMP Wed Jul 11 13:41:57 EDT 2012 i686
Intel(R) Xeon(TM) CPU 3.06GHz GenuineIntel GNU/Linux
# ./pthread_test 25
Creating 25 threads
Created thread #0...
Created thread #1...
Created thread #2...
Created thread #3...
pthread_create failed: Resource temporarily unavailable

Disabling all paxctl protections helps, but doesn't allow me to get all
the way to 25. I tried doing the protections one-at-a-time; it doesn't
really help:

# paxctl -pemrxs pthread_test
# ./pthread_test 25
Creating 25 threads
Created thread #0...
Created thread #1...
Created thread #2...
Created thread #3...
Created thread #4...
Created thread #5...
Created thread #6...
Created thread #7...
Created thread #8...
Created thread #9...
pthread_create failed: Resource temporarily unavailable

I get nothing in my dmesg, which otherwise records most limit-based denials.

Is there some way I can troubleshoot this? It works on amd64 with the
same kernel hardening options.


pageexec at freemail

Aug 1, 2012, 3:56 AM

Post #2 of 7 (748 views)
Permalink
Re: pthread_create problems on hardened x86 [In reply to]

On 31 Jul 2012 at 22:12, Michael Orlitzky wrote:

> I get nothing in my dmesg, which otherwise records most limit-based denials.
>
> Is there some way I can troubleshoot this? It works on amd64 with the
> same kernel hardening options.

an strace -f may help to see what exactly fails.


michael at orlitzky

Aug 1, 2012, 5:41 AM

Post #3 of 7 (745 views)
Permalink
Re: pthread_create problems on hardened x86 [In reply to]

On 08/01/2012 06:56 AM, PaX Team wrote:
> On 31 Jul 2012 at 22:12, Michael Orlitzky wrote:
>
>> I get nothing in my dmesg, which otherwise records most limit-based denials.
>>
>> Is there some way I can troubleshoot this? It works on amd64 with the
>> same kernel hardening options.
>
> an strace -f may help to see what exactly fails.
>
>

Thanks, here are strace -f logs from both the hardened box (where it
fails) and a vanilla gentoo x86 VM (where it works).
Attachments: pthread-strace-hardened.log (6.00 KB)
  pthread-strace-vanilla.log (32.4 KB)


pageexec at freemail

Aug 1, 2012, 6:08 AM

Post #4 of 7 (748 views)
Permalink
Re: pthread_create problems on hardened x86 [In reply to]

On 1 Aug 2012 at 8:41, Michael Orlitzky wrote:

> Thanks, here are strace -f logs from both the hardened box (where it
> fails) and a vanilla gentoo x86 VM (where it works).

mmap2(NULL, 307200000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = -1 ENOMEM (Cannot allocate memory)

this can fail for several reasons, not enough RAM (depends on how overcommit is set),
not enough address space (hardened/PIE and ASLR together change how big the holes in
the address space end up, SEGMEXEC halves the address space), etc.


michael at orlitzky

Aug 1, 2012, 6:56 AM

Post #5 of 7 (750 views)
Permalink
Re: pthread_create problems on hardened x86 [In reply to]

On 08/01/12 09:08, PaX Team wrote:
> On 1 Aug 2012 at 8:41, Michael Orlitzky wrote:
>
>> Thanks, here are strace -f logs from both the hardened box (where it
>> fails) and a vanilla gentoo x86 VM (where it works).
>
> mmap2(NULL, 307200000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = -1 ENOMEM (Cannot allocate memory)
>
> this can fail for several reasons, not enough RAM (depends on how overcommit is set),
> not enough address space (hardened/PIE and ASLR together change how big the holes in
> the address space end up, SEGMEXEC halves the address space), etc.
>
>

Hmm.. I think this indirectly solves the problem. I've got,

# cat /etc/security/limits.d/50-clamd.conf
#<domain> <type> <item> <value>
clamav - stack 512000

But it isn't taking effect:

# cat /proc/25394/limits | grep stack
Max stack size 307200000 307200000 bytes

So, clamd is likely running out of stack just like the test program. I
can probably figure that one out.

But, I'd ruled out the stack size limitation because resource oversteps
are supposed to be reported:

# cat /proc/config.gz | gunzip | grep GRKERNSEC_RESLOG
CONFIG_GRKERNSEC_RESLOG=y

I've got nothing logged, even after the failures.


pageexec at freemail

Aug 1, 2012, 2:29 PM

Post #6 of 7 (746 views)
Permalink
Re: pthread_create problems on hardened x86 [In reply to]

On 1 Aug 2012 at 9:56, Michael Orlitzky wrote:

> But, I'd ruled out the stack size limitation because resource oversteps
> are supposed to be reported:

it's not a resource overstep but simply not enough virtual address space
(either because it's too fragmented to fit such a big allocation or the
free space is not enough itself).


michael at orlitzky

Aug 1, 2012, 2:55 PM

Post #7 of 7 (747 views)
Permalink
Re: pthread_create problems on hardened x86 [In reply to]

On 08/01/2012 05:29 PM, PaX Team wrote:
> On 1 Aug 2012 at 9:56, Michael Orlitzky wrote:
>
>> But, I'd ruled out the stack size limitation because resource oversteps
>> are supposed to be reported:
>
> it's not a resource overstep but simply not enough virtual address space
> (either because it's too fragmented to fit such a big allocation or the
> free space is not enough itself).
>

I don't completely understand, but I believe you =)

Setting `ulimit -s unlimited` in my global rc.conf cleared up the
problem. Thanks again for the help.

Gentoo hardened RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.