Bug#503173: grub-common: Segmentation fault in grub-probe when using grsecurity

Robert Millan rmh at aybabtu.com
Fri Nov 7 20:02:39 UTC 2008


On Thu, Oct 23, 2008 at 09:34:19AM +0200, Frederic VANNIERE wrote:
> 
> When using grub-probe on a custom 2.6.26.5-em64t-grsec kernel it creates a
> segmentation fault:
> 
> Oct 20 11:39:14 foo kernel: PAX: terminating task:
> /usr/sbin/grub-probe(grub-probe):14498, uid/euid: 0/0, PC:
> 00007fffffffdf18, SP: 00007fffffffdec8
> Oct 20 11:39:14 foo kernel: grsec: From 88.177.xxx.xxx: denied resource
> overstep by requesting 4096 for RLIMIT_CORE against limit 0 for
> /usr/sbin/grub-probe[grub-probe:14498] uid/euid:0/0 gid/egid:0/0, parent
> /bin/bash[bash:14245] uid/euid:0/0 gid/egid:0/0

Running GRUB requires an executable stack.  I assume this is what triggered
this alarm in your security application?

> The solution was to use chpax on /usr/sbin/grub-probe and put the
> following flags:
> 
> ----[ chpax 0.7 : Current flags for /usr/sbin/grub-probe (pemrxs) ]---- 
> 
>  * Paging based PAGE_EXEC       : disabled 
>  * Trampolines                  : not emulated 
>  * mprotect()                   : not restricted 
>  * mmap() base                  : not randomized 
>  * ET_EXEC base                 : not randomized 
>  * Segmentation based PAGE_EXEC : disabled 

The description for chpax reads:

 Please note chpax is
 DEPRECATED upstream, and only works with PaX patches released between
 2003.02.03 and 2004.02.04. Users are encouraged switching to paxctl.

Could you:

  - Provide an equivalent, tested command for use with paxctl

  - Find which are the flags that need to be modified in that list
    (I don't think GRUB triggers all of them)

  ?

Thanks!

-- 
Robert Millan

  The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and
  how) you may access your data; but nobody's threatening your freedom: we
  still allow you to remove your data and not access it at all."
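
The executable-stack requirement mentioned in the reply can be checked from a binary's ELF program headers. The following is an added example, not part of the original message or of GRUB: it reads the PT_GNU_STACK permission bits and reports whether a PT_PAX_FLAGS header (the one paxctl edits) is present. The function names and the sample image are constructed for illustration.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # GNU marker carrying the requested stack permissions
PT_PAX_FLAGS = 0x65041580   # per-binary PaX flags header (the one paxctl edits)
PF_X = 0x1                  # "execute" bit in p_flags

def stack_report(elf: bytes) -> dict:
    """Report stack permissions and PaX header presence for an ELF image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"     # EI_DATA: 1 = little endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    # exec_stack stays None when the binary has no PT_GNU_STACK header at all
    report = {"gnu_stack": None, "exec_stack": None, "pax_flags_header": False}
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, off)
        # p_flags is at offset 4 in Elf64_Phdr but offset 24 in Elf32_Phdr
        p_flags, = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            report["gnu_stack"] = p_flags
            report["exec_stack"] = bool(p_flags & PF_X)
        elif p_type == PT_PAX_FLAGS:
            report["pax_flags_header"] = True
    return report

def make_elf64(phdrs):
    """Constructed sample: little-endian ELF64 header plus (p_type, p_flags) headers."""
    hdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body

if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_elf64([(PT_GNU_STACK, 7)])
    print(stack_report(data))
```

A result with `exec_stack` set to True and `pax_flags_header` set to False describes a binary that requests an executable stack and carries no PaX flags header for paxctl to modify yet.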




