# hardened-sources-3.11.1, 3.11.3 silently hang

## r_pns

I tried hardened-sources-3.10.1-r1 and 3.10.10 with not-yet-hardened userland (default/linux/amd64/13.0/desktop profile). With either kernel, the system randomly hung during boot or under some load (while building packages).

Unfortunately, there were no useful error messages; neither could I catch any through netconsole. The most relevant events logged before crashes were "resource overstep" denials for various resources. However, as far as I can understand, Grsecurity only logs those events, while the kernel denies requests beyond the limits anyway.

```
kernel: grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024
```

I would appreciate any help to debug and fix this issue.

```
# uname -mpi
x86_64 AMD Phenom(tm) II X4 940 Processor AuthenticAMD
```

Grsecurity config:

```
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set
CONFIG_GRKERNSEC_PROC_GID=0
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
CONFIG_GRKERNSEC_NO_RBAC=y
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
# CONFIG_GRKERNSEC_FORKFAIL is not set
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_DENYUSB is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_USERCOPY_SLABS=y
# PaX
CONFIG_PAX=y
# PaX Control
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_XATTR_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="or"
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
# CONFIG_PAX_MEMORY_STRUCTLEAK is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y
```

Last edited by r_pns on Tue Oct 15, 2013 11:45 pm; edited 3 times in total
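Added example, not part of the original post: a small triage helper for the "resource overstep" lines that `CONFIG_GRKERNSEC_RESLOG=y` produces, grouping denials by resource and separating all-ones requests (such as the 4294967295 quoted above, which is 2^32 - 1) from ordinary oversteps. The function name and all sample lines except the first are constructed for illustration, and the regex covers only the part of the message shown in the post.

```python
import re
from collections import defaultdict

# Matches only the message text shown in the post; anything after the limit
# value on the same line is ignored.
RESLOG_RE = re.compile(
    r"grsec: denied resource overstep by requesting (?P<req>\d+) "
    r"for (?P<res>RLIMIT_\w+) against limit (?P<lim>\d+)"
)

# All-ones values: a request of -1 seen as an unsigned 32- or 64-bit number.
ALL_ONES = {2**32 - 1, 2**64 - 1}


def summarize_reslog(lines):
    """Group overstep denials by resource and flag all-ones requests."""
    summary = defaultdict(
        lambda: {"count": 0, "all_ones": 0, "max_real": 0, "limit": None}
    )
    for line in lines:
        m = RESLOG_RE.search(line)
        if not m:
            continue  # not a resource overstep message
        req, lim = int(m["req"]), int(m["lim"])
        entry = summary[m["res"]]
        entry["count"] += 1
        entry["limit"] = lim
        if req in ALL_ONES:
            entry["all_ones"] += 1  # sentinel-sized request, not a real demand
        else:
            entry["max_real"] = max(entry["max_real"], req)
    return dict(summary)


# Constructed sample input. The first line is the one quoted in the post;
# the remaining lines are made up for this example.
SAMPLE = [
    "kernel: grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024",
    "kernel: grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024",
    "kernel: grsec: denied resource overstep by requesting 1025 for RLIMIT_NOFILE against limit 1024",
    "kernel: grsec: denied resource overstep by requesting 8392704 for RLIMIT_STACK against limit 8388608",
    "kernel: usb 1-1: new high-speed USB device number 2 using ehci-pci",
]

if __name__ == "__main__":
    for res, info in summarize_reslog(SAMPLE).items():
        print(res, info)
```
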

----------

## Hu

If you are seeing hangs, try enabling the various kernel debugging features for detecting deadlocks.  These may enable the kernel to print some information when a hang occurs.

----------

## r_pns

Thank you for your advice, Hu!

I have enabled the following, which seems appropriate to me:

```
CONFIG_DEFAULT_MESSAGE_LOGLEVEL=7
CONFIG_MAGIC_SYSRQ=y
CONFIG_DEBUG_KERNEL=y
CONFIG_LOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_DETECT_HUNG_TASK=y
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
CONFIG_DEBUG_RT_MUTEXES=y
CONFIG_DEBUG_SPINLOCK=y
CONFIG_DEBUG_MUTEXES=y
CONFIG_FRAME_POINTER=y
CONFIG_EARLY_PRINTK=y
CONFIG_DEBUG_NMI_SELFTEST=y
```

Yet there was no success. The system hung during compilation without any message. The SysRq mechanism did not help either---there was no reaction to keystrokes.

----------

## Hu

That sounds more like a panic than a hang.  Please test with non-hardened sources to determine whether the problem is a fundamental issue with this kernel series or is a problem introduced by the hardening patches.

----------

## r_pns

I can reproduce the issue with both hardened-sources-3.10.1-r1 and 3.10.10, while I have not seen any problem using gentoo-sources-3.10.7 (currently stable) for some time.

It's my fault I did not mention that earlier.

Now I'm going to try hardened-sources-3.11.

Last edited by r_pns on Tue Sep 17, 2013 5:51 am; edited 1 time in total

----------

## 666threesixes666

I've noted 1 load hang on 3.10.10; loading Firefox did it for me. It was strange, just video off, no monitor, system hanging in the background as far as I can tell. I don't have ssh set up or the other computer running right now to determine if it was still going in the background. ugg @ 3.9-11.x

----------

## r_pns

So, I have tested hardened-sources-3.11.1. The issue persisted.

666threesixes666, did you use hardened sources?

----------

## r_pns

The testing was quite limited, but I have not been able to reproduce this with hardened-sources-3.11.3 so far.

----------

## r_pns

Unfortunately, the issue has come back with 3.11.3. During usual desktop activity and apparently under some disk load the system got totally unresponsive. Still, no messages in netconsole nor elsewhere.

----------

