FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo Hardened

 
 
LinkBack Thread Tools
 
Old 01-08-2011, 03:57 AM
Michael Orlitzky
 
Default UDEREF vs. Apache MMAP

I was able to figure out my new apache problem. It seems that
PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
sometimes:

http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap

With UDEREF enabled and MMAP on, I get random inappropriate 206 response
codes everywhere causing headers, images, and CSS files to fail to
transfer properly.

This is sufficiently into the realm of what I consider voodoo. Is there
anything I can do to help narrow down the problem, or should I just
disable MMAP and be happy?
 
Old 01-08-2011, 11:09 AM
 
Default UDEREF vs. Apache MMAP

On 7 Jan 2011 at 23:57, Michael Orlitzky wrote:

> I was able to figure out my new apache problem. It seems that
> PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
> sometimes:

this one should have already been fixed in one of this week's patches,
but i'm not sure if it's in any hardened release yet. you could try the
latest grsec patch directly and see if it actually resolves the issue.
 
Old 01-08-2011, 12:12 PM
"Anthony G. Basile"
 
Default UDEREF vs. Apache MMAP

On 01/07/2011 11:57 PM, Michael Orlitzky wrote:
> I was able to figure out my new apache problem. It seems that
> PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
> sometimes:
>
> http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap
>
> With UDEREF enabled and MMAP on, I get random inappropriate 206 response
> codes everywhere causing headers, images, and CSS files to fail to
> transfer properly.
>
> This is sufficiently into the realm of what I consider voodoo. Is there
> anything I can do to help narrow down the problem, or should I just
> disable MMAP and be happy?

It sounds like a problem in the way apache is doing the mmap and PaX is
killing it. The new stricter PaX rules don't allow the permission of
allocated pages to be changed, eg RW -> RX, or to be RWX. This has come
up elsewhere, see

http://bugs.gentoo.org/show_bug.cgi?id=329499

To verify my suspicion, an strace would be helpful. If you don't mind,
open up a bug with your findings, give your emerge --info, the flags you
used with apache, and an strace of apache going bad. This will be a
start for us.

--
Anthony G. Basile, Ph.D.
Gentoo Developer
 
Old 01-08-2011, 05:22 PM
"Anthony G. Basile"
 
Default UDEREF vs. Apache MMAP

On 01/08/2011 07:09 AM, pageexec@freemail.hu wrote:
> On 7 Jan 2011 at 23:57, Michael Orlitzky wrote:
>
>> I was able to figure out my new apache problem. It seems that
>> PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
>> sometimes:
>
> this one should have already been fixed in one of this week's patches,
> but i'm not sure if it's in any hardened release yet. you could try the
> latest grsec patch directly and see if it actually resolves the issue.
>

Okay Michael, can you try:

hardened-sources-2.6.32-r33

and/or

hardened-sources-2.6.36-r8

Both are based on the latest grsecurity-*-201101052002.patch

pipacs, was this the same as the python bug?

http://bugs.gentoo.org/show_bug.cgi?id=329499

--
Anthony G. Basile, Ph.D.
Gentoo Developer
 
Old 01-08-2011, 07:21 PM
Michael Orlitzky
 
Default UDEREF vs. Apache MMAP

On 01/08/2011 01:22 PM, Anthony G. Basile wrote:
> On 01/08/2011 07:09 AM, pageexec@freemail.hu wrote:
>> On 7 Jan 2011 at 23:57, Michael Orlitzky wrote:
>>
>>> I was able to figure out my new apache problem. It seems that
>>> PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
>>> sometimes:
>>
>> this one should have already been fixed in one of this week's patches,
>> but i'm not sure if it's in any hardened release yet. you could try the
>> latest grsec patch directly and see if it actually resolves the issue.
>>
>
> Okay Michael, can you try:
>
> hardened-sources-2.6.32-r33
>
> and/or
>
> hardened-sources-2.6.36-r8
>
> Both are based on the latest grsecurity-*-201101052002.patch

Back to normal with hardened-sources-2.6.36-r8. Thanks again guys.
 
Old 01-10-2011, 10:16 AM
 
Default UDEREF vs. Apache MMAP

On 8 Jan 2011 at 13:22, Anthony G. Basile wrote:

> pipacs, was this the same as the python bug?
>
> http://bugs.gentoo.org/show_bug.cgi?id=329499

no, the python bug is due MPROTECT having become more strict,
the net related issues were due to the recent tightening of
UDEREF/i386 and a small oversight in it.
 

Thread Tools




All times are GMT. The time now is 09:56 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org