From mboxrd@z Thu Jan 1 00:00:00 1970 From: Pablo Neira Ayuso Subject: Re: PaX killing conntrackd (strange "execution attempt") Date: Thu, 13 Nov 2008 15:42:13 +0100 Message-ID: <491C3CC5.8090402@netfilter.org> References: <20081113100309.GH26975@bla.fasel.org> <20081113132723.GK26975@bla.fasel.org> Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20081113132723.GK26975@bla.fasel.org> Sender: netfilter-owner@vger.kernel.org List-ID: Content-Type: text/plain; charset="us-ascii" To: netfilter@vger.kernel.org Wolfram Schlich wrote: > Here's the answer from the PaX team, for those who might be interested: > > * pageexec@freemail.hu [2008-11-13 14:18]: >> On 13 Nov 2008 at 11:03, Wolfram Schlich wrote: >>> --8<-- >>> 2008-11-13 07:38:34 +01:00; hafw2; kern.notice; kernel: ip4t_FW DENY_IN: IN=eth1 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=XX.XXX.XX.XX DST=XX.XX.XXX.X LEN=48 TO >>> S=0x00 PREC=0x00 TTL=118 ID=23801 DF PROTO=TCP SPT=2608 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0 >>> 2008-11-13 07:38:34 +01:00; hafw2; kern.err; kernel: PAX: execution attempt in: , 00000000-00000000 00000000 >>> 2008-11-13 07:38:34 +01:00; hafw2; kern.err; kernel: PAX: terminating task: /usr/sbin/conntrackd(conntrackd):6562, uid/euid: 0/0, PC: 0000000000000000, SP: 0000797077f7ea48 >>> 2008-11-13 07:38:34 +01:00; hafw2; kern.err; kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? >>> 2008-11-13 07:38:34 +01:00; hafw2; kern.err; kernel: PAX: bytes at SP-8: >>> 2008-11-13 07:38:34 +01:00; hafw2; kern.alert; kernel: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/conntrackd[conntrackd: >>> 6562] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 >>> --8<-- >>> >>> The log messages look somewhat strange, especially the 'NULL', >>> '000..' and '??' parts :) I've always only seen such messages >>> with a more meaningful content so far, thus I'm a bit confused. >>> >>> What might be the reason for that? >> this is a null function pointer dereference problem on the surface and you'll have to >> debug it to get more info. i wonder why nothing shows up in the stack dump however, >> maybe there's more corruption here behind the scenes. once you get the coredumps (and >> i hope you have debug info saved away ;) we can get a backtrace and other things. also >> disable randomization in /proc/sys/... so that results are comparable. best would be >> to find a way to directly trigger this crash, then you could have a live gdb session >> instead of coredump analysis. > > I'll take care of these suggestions now and let you know > about any news. Thank you. BTW, what version of conntrackd is triggering this problem? Is it latest 0.9.8? -- "Los honestos son inadaptados sociales" -- Les Luthiers