# pos grsec program termination issue

## apryan

Hey-

Have an interesting issue with Flash Media Server 3 (FMS) version 3.0.1 and 3.0.2r210. Both seem to be blocked by something within hardened Gentoo. I've been able to determine that it seems to function properly with lib32s etc. without hardened. Since I can't run an x86_64 non-hardened version in a chroot of an x86_64 hardened system, I am looking for someone to see if they can verify whether it does in fact work correctly on non-hardened systems.

The problem occurs when starting the FMS via ./flashmgr server fms start. This appears in /var/log/everything:

```
May 3 21:09:15 [Service] Server starting...
May 3 21:09:15 [Service] Server started (/usr/local/fms/conf/Server.xml).
May 3 21:09:15 [Adaptor] Listener started ( _defaultRoot__edge1 ) : localhost:19350/v4
May 3 21:09:15 [Adaptor] Listener started ( _defaultRoot__edge1 ) : 1935/v4
May 3 21:09:15 [kernel] fmscore[1018]: segfault at e6554004 rip ee9d704f rsp e28f81fc error 7
May 3 21:09:15 [kernel] grsec: From 192.168.2.2: signal 11 sent to /usr/local/fms/fmscore[fmscore:1018] uid/euid:44/44 gid/egid:44/44, parent /usr/local/fms/fmsmaster[fmsmaster:875] uid/euid:0/0 gid/egid:0/0
May 3 21:09:20 [kernel] fmscore[1047]: segfault at dc3c1004 rip e304104f rsp d6ef51fc error 7
May 3 21:09:20 [kernel] grsec: From 192.168.2.2: signal 11 sent to /usr/local/fms/fmscore[fmscore:1047] uid/euid:44/44 gid/egid:44/44, parent /usr/local/fms/fmsmaster[fmsmaster:896] uid/euid:0/0 gid/egid:0/0
May 3 21:09:25 [kernel] fmscore[1075]: segfault at db9f5004 rip e6fa804f rsp dacfe1fc error 6
May 3 21:09:30 [kernel] fmscore[1110]: segfault at d8ef3004 rip e44af04f rsp d81fe1fc error 6
May 3 21:09:30 [kernel] grsec: From 192.168.2.2: signal 11 sent to /usr/local/fms/fmscore[fmscore:1110] uid/euid:44/44 gid/egid:44/44, parent /usr/local/fms/fmsmaster[fmsmaster:896] uid/euid:0/0 gid/egid:0/0
```

192.168.2.2 is the local IP from which I am executing the start-up script, which in turn starts the binary. There are four binaries within Flash Media Server: fmsmaster, fmsedge, fmscore, fmsadmin. The first three require each other to function. fmsadmin runs by itself and seems to work fine with no errors. I verified the same issues on a second x86_amd64 boxen with Gentoo Hardened.

I get this from the FMS logs:

```
2008-05-03 21:09:15 875 (i)2571111 Server started (/usr/local/fms/conf/Server.xml). -
2008-05-03 21:09:20 875 (i)2581223 Core (897) is no longer active. -
2008-05-03 21:09:20 875 (i)2581221 Core (1020) started, arguments : -adaptor "_defaultRoot_" -vhost "_defaultVHost_" -app "registry" -inst "registry" -tag -console -conf "/usr/local/fms/conf/Server.xml" -name "_defaultRoot_:_defaultVHost_:registry:registry:". -
2008-05-03 21:09:25 875 (i)2581223 Core (1020) is no longer active. -
2008-05-03 21:09:25 875 (i)2581221 Core (1048) started, arguments : -adaptor "_defaultRoot_" -vhost "_defaultVHost_" -app "registry" -inst "registry" -tag -console -conf "/usr/local/fms/conf/Server.xml" -name "_defaultRoot_:_defaultVHost_:registry:registry:". -
```

I ran strace on the 'fmscore' binary and got the following termination:

```
mmap2(0xde5a5000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 21, 0x12) = 0xffffffffde5a5000
close(21) = 0
getdents64(20, /* 0 entries */, 4096) = 0
close(20) = 0
flock(4, LOCK_EX) = 0
flock(4, LOCK_UN) = 0
mmap2(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffffffda8f9000
mprotect(0xda8f9000, 4096, PROT_NONE) = 0
clone(child_stack=0xdb0f94b4, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0xdb0f9bd8, tls=0xdb0f9bd8, child_tidptr=0xfc58ab50) = 1773
+++ killed by SIGSEGV +++
```

At this point I am still trying to figure out what in grsec or PaX is causing the server to be denied.

If anyone has a second to test, you can download a free developer version of Flash Media Interactive Server from:

https://www.adobe.com/cfusion/tdrc/index.cfm?loc=en%5Fus&product=flashmediaserver

Any suggestions?

----------

## wyv3rn

 *apryan wrote:*   

> Hey-
> 
> Have an interesting issue with Flash Media Server 3 (FMS) version 3.0.1 and 3.0.2r210. Both seem to be blocked by something within hardened Gentoo. I've been able to determine that it seems to function properly with lib32s etc. without hardened. Since I can't run an x86_64 non-hardened version in a chroot of an x86_64 hardened system, I am looking for someone to see if they can verify whether it does in fact work correctly on non-hardened systems.
> 
> The problem occurs when starting the FMS via ./flashmgr server fms start. This appears in /var/log/everything:
> ...

 

Unless the grsec signal 11 messages were accompanied by PaX kill messages in pax.log or kern.log, this is simply grsec informing you of this system event, NOT doing the killing itself.

 *Quote:*   

> I get this by FMS logs:
> 
> ```
> 2008-05-03 21:09:15 875 (i)2571111 Server started (/usr/local/fms/conf/Server.xml). -
> 
> ...

 

Do you have PaX's restrict mprotect() feature enabled?  Looks like it could be the problem to me.  Try paxctl -m /path/to/offending/binary.

----------

## apryan

 *wyv3rn wrote:*   

> 
> 
> Do you have PaX's restrict mprotect() feature enabled?  Looks like it could be the problem to me.  Try paxctl -m /path/to/offending/binary.

 

paxctl -m returned 'file fmscore does not have a PT_PAX_FLAGS program header, try conversion'. I was able to issue a chpax -m fmscore with no issue... same issue however.

----------

## wyv3rn

The sig11 may not even be caused by PaX, did you check your pax.log or kern.log for PaX termination messages?

For future reference you can inject the PT_PAX_FLAGS header with paxctl -C rather than use chpax.

----------
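wyv3rn's point in the two replies above, that a `grsec: ... signal 11 sent to ...` line only records that a signal was delivered and that a PaX kill would show up as its own message, can be checked mechanically against a log. The following is an added example, not code from the thread and not part of grsecurity or PaX: a POSIX shell script that classifies kernel log lines into the plain `segfault at ...` fault record, the grsec signal audit line, and a `PAX: terminating task:` kill line, and decodes the x86 page-fault error code printed after `error` (bit 0: protection violation on a present page, otherwise the page was not present; bit 1: write, otherwise read; bit 2: user mode; bit 4: instruction fetch). The two `fmscore` lines in the sample are copied from the first post; the `PAX: terminating task:` line is constructed here to exercise the other branch and its PC/SP values are placeholders. Read this way, `error 7` in the thread is a user-mode write to a page that is mapped but not writable, and `error 6` a user-mode write to an unmapped page; neither comes with a PaX kill line, which is what the reply says to look for. Note also that PaX MPROTECT is enforced when mmap() or mprotect() is called, so a MPROTECT denial shows as a failed call in strace rather than as a kill message.

```sh
#!/bin/sh
# Added example: classify kernel log lines about a crashing task and decode
# the x86 page-fault error code. Not from the thread or from grsecurity/PaX.

# decode_fault_error CODE -> one-line description of the kernel's error code
# (PF_PROT=1, PF_WRITE=2, PF_USER=4, PF_INSTR=16)
decode_fault_error() {
    code=$(( $1 ))
    if [ $(( code & 1 )) -ne 0 ]; then present="protection violation on present page"; else present="page not present"; fi
    if [ $(( code & 2 )) -ne 0 ]; then access=write; else access=read; fi
    if [ $(( code & 4 )) -ne 0 ]; then mode=user; else mode=kernel; fi
    if [ $(( code & 16 )) -ne 0 ]; then fetch=", instruction fetch"; else fetch=""; fi
    printf '%s mode %s, %s%s\n' "$mode" "$access" "$present" "$fetch"
}

# classify_line LINE -> pax-kill | grsec-audit | segfault | other
# Order matters: a PaX kill is checked first, then grsec's signal audit line,
# then the generic segfault record the kernel prints for any SIGSEGV.
classify_line() {
    case "$1" in
        *"PAX: terminating task:"*)            echo pax-kill ;;
        *"grsec: "*"signal "*" sent to "*)    echo grsec-audit ;;
        *"segfault at "*"error "*)            echo segfault ;;
        *)                                    echo other ;;
    esac
}

# fault_error_code LINE -> the numeric "error N" field of a segfault line
fault_error_code() {
    printf '%s\n' "$1" | sed -n 's/.*segfault at [0-9a-f]* .* error \([0-9]*\).*/\1/p'
}

# pax_killed_it (log on stdin) -> prints a classification per line; exits 0
# if any PaX termination message was present, 1 if PaX never reported a kill.
pax_killed_it() {
    hit=1
    while IFS= read -r line; do
        kind=$(classify_line "$line")
        if [ "$kind" = pax-kill ]; then
            hit=0
            printf 'pax-kill: %s\n' "$line"
        elif [ "$kind" = segfault ]; then
            code=$(fault_error_code "$line")
            printf 'segfault: error %s = %s\n' "$code" "$(decode_fault_error "$code")"
        else
            printf '%s: %s\n' "$kind" "$line"
        fi
    done
    return $hit
}

# Constructed sample: the first two lines are copied from the thread's log;
# the PAX line is made up for illustration (its PC/SP values are placeholders).
THREAD_SAMPLE='May 3 21:09:15 [kernel] fmscore[1018]: segfault at e6554004 rip ee9d704f rsp e28f81fc error 7
May 3 21:09:15 [kernel] grsec: From 192.168.2.2: signal 11 sent to /usr/local/fms/fmscore[fmscore:1018] uid/euid:44/44 gid/egid:44/44, parent /usr/local/fms/fmsmaster[fmsmaster:875] uid/euid:0/0 gid/egid:0/0'
PAX_SAMPLE="$THREAD_SAMPLE
May 3 21:09:15 [kernel] PAX: terminating task: /usr/local/fms/fmscore(fmscore):1018, uid/euid: 44/44, PC: 00000000, SP: 00000000"

# Stand-alone run: the thread's own lines, then the constructed PaX variant.
for sample in "$THREAD_SAMPLE" "$PAX_SAMPLE"; do
    if printf '%s\n' "$sample" | pax_killed_it; then
        echo "verdict: PaX terminated the task"
    else
        echo "verdict: no PaX kill message; the grsec line is an audit record of a plain SIGSEGV"
    fi
done
```

On a real system feed it the kernel log instead of the sample, e.g. `pax_killed_it < /var/log/kern.log` (or `dmesg | pax_killed_it`); an exit status of 1 means PaX never reported killing anything, so the SIGSEGV came from the program's own memory access.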

## apryan

I was able to get FMS to start with no further errors by doing the following:

```
echo 0 > /proc/sys/kernel/grsecurity/audit_mount
echo 0 > /proc/sys/kernel/grsecurity/linking_restrictions
echo 0 > /proc/sys/kernel/grsecurity/fifo_restrictions
echo 0 > /proc/sys/kernel/grsecurity/grsec_lock
```

I am going to go through each of those to find out exactly which one it is. I would like an alternative to disabling grsec on the entire system at some point. 

*Edit: then again, maybe not. I killed the processes and tried to track down which one it was, but it wouldn't start again. The only thing I did before was leave the processes off for a few hours.

Last edited by apryan on Mon Jun 02, 2008 3:46 pm; edited 1 time in total

----------

## wyv3rn

 *apryan wrote:*   

> I was able to get FMS to start with no futher errors by doing the following:
> 
> ```
> echo 0 > /proc/sys/kernel/grsecurity/audit_mount
> 
> ...

 

It's most likely the linking or fifo restrictions then.  There may be a way to work around it, but you might end up just having to disable one or both of those options in your kernel config.  You should not have to disable all of grsec/pax.

----------
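The bisection apryan set out to do (find which of the four sysctls actually matters) and wyv3rn's guess that it is the linking or fifo restriction can be scripted so that every knob is put back after each trial. The following is an added example, not part of the thread and not a grsecurity tool: a POSIX shell script that, for each named knob under /proc/sys/kernel/grsecurity, disables only that knob, runs a test command, restores the previous value, and reports which knobs let the test pass; if none does on its own it disables them all together and reports `combination`, meaning more than one restriction is involved. It assumes the kernel was built with the grsecurity sysctl interface (GRKERNSEC_SYSCTL), that it runs as root, and that GRSEC_ROOT can be pointed at a directory of copied 0/1 files for a dry run. Two caveats worth knowing before running it against the four lines in the post: `audit_mount` only logs mount activity and cannot deny anything, so it can be left out, and once `grsec_lock` is 1 no knob, including `grsec_lock` itself, can be changed until reboot, so the script refuses to proceed in that case. Also, when the linking or fifo restriction does deny something, grsec logs its own `grsec: denied ...` line naming the path, which is worth grepping for before bisecting at all. The test command in the usage comment is a placeholder; it must be whatever distinguishes a working server from the crash loop in the logs.

```sh
#!/bin/sh
# Added example: bisect grsecurity sysctl knobs to find which one stops a
# program from running. Not from the thread or from grsecurity.
# Assumes knobs are 0/1 files under /proc/sys/kernel/grsecurity
# (GRKERNSEC_SYSCTL=y). GRSEC_ROOT may be overridden for a dry run against
# a directory of copied files.

GRSEC_ROOT="${GRSEC_ROOT:-/proc/sys/kernel/grsecurity}"

get_knob() { cat "$GRSEC_ROOT/$1"; }
set_knob() { printf '%s\n' "$2" > "$GRSEC_ROOT/$1"; }

# grsec_locked -> true when grsec_lock is 1: from then on no knob can be
# changed (grsec_lock included) until reboot, so bisecting is impossible.
grsec_locked() {
    [ -r "$GRSEC_ROOT/grsec_lock" ] && [ "$(get_knob grsec_lock)" = 1 ]
}

# run_with_disabled TESTCMD KNOB...: set the listed knobs to 0, run TESTCMD
# (a shell command string; exit 0 means "the program works"), restore the
# saved values, and return TESTCMD's status.
run_with_disabled() {
    testcmd="$1"; shift
    saved=""
    for knob in "$@"; do
        saved="$saved $knob=$(get_knob "$knob")"
        set_knob "$knob" 0
    done
    if eval "$testcmd" >/dev/null 2>&1; then rc=0; else rc=1; fi
    for kv in $saved; do
        set_knob "${kv%%=*}" "${kv#*=}"
    done
    return $rc
}

# bisect_knobs TESTCMD KNOB...: print the knobs that, disabled on their own,
# make TESTCMD succeed. If none does but disabling all of them together does,
# print "combination". Returns 2 without touching anything if grsec is locked.
bisect_knobs() {
    testcmd="$1"; shift
    if grsec_locked; then
        echo "grsec_lock=1: knobs are frozen until reboot, cannot bisect" >&2
        return 2
    fi
    found=""
    for knob in "$@"; do
        if [ -w "$GRSEC_ROOT/$knob" ]; then
            if run_with_disabled "$testcmd" "$knob"; then
                found="$found $knob"
            fi
        else
            echo "skipping $knob: not writable" >&2
        fi
    done
    if [ -z "$found" ] && run_with_disabled "$testcmd" "$@"; then
        found=" combination"
    fi
    echo "${found# }"
}

# Example invocation (as root). The test command is a placeholder: it starts
# the server, waits, and succeeds only if no new fmscore segfault was logged.
#   sh grsec_bisect.sh './flashmgr server fms start; sleep 20; ! dmesg | tail -n 30 | grep -q "fmscore.*segfault"' \
#       linking_restrictions fifo_restrictions
if [ $# -ge 2 ]; then
    bisect_knobs "$@"
fi
```

Because each trial restores the knobs it changed, the system is left in its original state whether or not a culprit is found, and a knob that needs another one disabled at the same time is still reported (as `combination`) rather than silently missed.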

