Lua hardening issues?

Dustin Marquess

Mar 29, 2022, 8:21:05 PM
to HardenedBSD Users
I have 2 -CURRENT machines that I believe have the same hardening
settings, except the working one hasn't been upgraded/rebooted in 6
months.

On the brand new one, both dnsdist is crashing (with a SIGBUS) and
knot-resolver's kresd is crashing (with a SIGSEGV). The only thing I
can think of is that they both use Lua?

I tried turning off all pax protections that I could think of:

[2083] [HBSD INTERNAL] the process started with non-default hardening settings
[2083] -> fname: /usr/local/sbin/dnsdist
[2083] -> pid: 20679 ppid: 17299 p_pax: 0xaaa<NOPAGEEXEC,NOMPROTECT,NOSEGVGUARD,NOASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
[2083] [HBSD INTERNAL] dnsdist (jid 0, uid 0) exited on signal 10
[2083] -> pid: 20679 ppid: 17299 p_pax: 0xaaa<NOPAGEEXEC,NOMPROTECT,NOSEGVGUARD,NOASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>

And that didn't seem to work.

kresd says:

kresd[94758]: PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?)

So I'm guessing something is restricted. I'm trying to ktrace it.
Other than comparing sysctl values between the two hosts, does anybody
else have any ideas?

Thanks!
-Dustin

Loic

Mar 30, 2022, 1:31:25 PM
to Dustin Marquess, HardenedBSD Users
On Tue, 29 Mar 2022 19:20:53 -0500,
Dustin Marquess <dmar...@gmail.com> wrote:
Hi Dustin,

Can you please execute the following commands and start over?

sysctl hardening.pax.segvguard.status=1
sysctl hardening.pax.pageexec.status=1
sysctl hardening.pax.mprotect.status=1
sysctl hardening.pax.aslr.status=1
sysctl hardening.pax.disallow_map32bit.status=1
sysctl security.bsd.unprivileged_proc_debug=1
sysctl security.bsd.allow_ptrace=1

And if that doesn't work, give us feedback from:

# truss /usr/local/sbin/dnsdist

--
Loic
dev team
HardenedBSD
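
Added example (not part of any message in this thread): one way to do the sysctl comparison between the working and the failing host mentioned in the first post, limited to the `hardening` and `security.bsd` trees named above. The dump file names and every value in the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Compare hardening-related sysctl dumps from two hosts.
# Capture on each host with:  sysctl hardening security.bsd > <host>.sysctl

# Print every key whose value differs, or that exists on one host only.
sysctl_diff() {
    awk -F': ' '
        NF < 2 { next }                       # skip anything not "name: value"
        { v = $0; sub(/^[^:]*: /, "", v) }    # value = text after first ": "
        FNR == NR { a[$1] = v; next }         # first file: working host
        { b[$1] = v }                         # second file: failing host
        END {
            for (k in a) {
                if (!(k in b)) print k " old=" a[k] " new=(unset)"
                else if (a[k] != b[k]) print k " old=" a[k] " new=" b[k]
            }
            for (k in b) if (!(k in a)) print k " old=(unset) new=" b[k]
        }' "$1" "$2" | sort
}

# Constructed sample dumps (not values taken from the thread).
write_samples() {
    cat > "$1/old.sysctl" <<'EOF'
hardening.pax.aslr.status: 2
hardening.pax.mprotect.status: 2
hardening.pax.pageexec.status: 2
hardening.pax.segvguard.status: 2
security.bsd.allow_ptrace: 1
security.bsd.unprivileged_proc_debug: 1
EOF
    cat > "$1/new.sysctl" <<'EOF'
hardening.pax.aslr.status: 2
hardening.pax.disallow_map32bit.status: 2
hardening.pax.mprotect.status: 3
hardening.pax.pageexec.status: 2
hardening.pax.segvguard.status: 2
security.bsd.allow_ptrace: 0
security.bsd.unprivileged_proc_debug: 1
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
sysctl_diff "$tmp/old.sysctl" "$tmp/new.sysctl"
```

Keys that appear only on the newer host are reported as well, which matters when an upgrade introduces a hardening knob the older kernel does not have.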

Dustin Marquess

Apr 1, 2022, 12:02:42 AM
to Loic, HardenedBSD Users
Thanks Loic!

That didn't seem to work. To keep from spamming the list, I've
uploaded the truss output to https://fdf.net/dnsdist.txt

I guess my next step would be to build dnsdist myself with -g3 and run
it under lldb?

On a side note, I noticed under the latest -CURRENT builds, a fresh
install has things like /etc/networks and /etc/nsswitch.conf not world
readable. I ran into some other daemons acting strange because of
this. I fixed that on this install, but that didn't fix the dnsdist
issue :(.

-Dustin

Loic

Apr 1, 2022, 9:43:09 AM
to Dustin Marquess, HardenedBSD Users
On Thu, 31 Mar 2022 23:02:29 -0500,
Dustin Marquess <dmar...@gmail.com> wrote:
> Thanks Loic!
>
> That didn't seem to work. To keep from spamming the list, I've
> uploaded the truss output to https://fdf.net/dnsdist.txt
>
> I guess my next step would be to build dnsdist myself with -g3 and run
> it under lldb?

Yes, it would be necessary to succeed in obtaining a maximum of
information, but at first sight you are not alone in having problems
(FreeBSD seems impacted):
https://pastebin.com/j5MVZSQP

Your problems seem to be specific to version 1.7.0, can you reverse the
commit below in your ports and test with the old version?
https://git.hardenedbsd.org/hardenedbsd/ports/-/commit/04a3a75163ddd989a63637e3950133fd3697146d

> On a side note, I noticed under the latest -CURRENT builds, a fresh
> install has things like /etc/networks and /etc/nsswitch.conf not world
> readable. I ran into some other daemons acting strange because of
> this.

The CURRENT builds are more strict, many folders and files are not
world-readable anymore:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/38

Which daemons are they please?

If it is necessary, I will revert the commit:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/41e7f987087555775f030f8e4f56455f25de45f4

Thanks.

Dustin Marquess

Apr 1, 2022, 7:08:47 PM
to Loic, HardenedBSD Users
On Fri, Apr 1, 2022 at 8:43 AM Loic <loi...@hardenedbsd.org> wrote:
>
> On Thu, 31 Mar 2022 23:02:29 -0500,
> Dustin Marquess <dmar...@gmail.com> wrote:
> > Thanks Loic!
> >
> > That didn't seem to work. To keep from spamming the list, I've
> > uploaded the truss output to https://fdf.net/dnsdist.txt
> >
> > I guess my next step would be to build dnsdist myself with -g3 and run
> > it under lldb?
>
> Yes, it would be necessary to succeed in obtaining a maximum of
> information, but at first sight you are not alone in having problems
> (FreeBSD seems impacted):
> https://pastebin.com/j5MVZSQP
>
> Your problems seem to be specific to version 1.7.0, can you reverse the
> commit below in your ports and test with the old version?
> https://git.hardenedbsd.org/hardenedbsd/ports/-/commit/04a3a75163ddd989a63637e3950133fd3697146d

Your Google-fu is better than mine :). I'll give that a shot!

> > On a side note, I noticed under the latest -CURRENT builds, a fresh
> > install has things like /etc/networks and /etc/nsswitch.conf not world
> > readable. I ran into some other daemons acting strange because of
> > this.
>
> The CURRENT builds are more strict, many folders and files are not
> world-readable anymore:
> https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/merge_requests/38
>
> Which daemons are they please?

It was the solanum ircd ( https://github.com/solanum-ircd/solanum ).
It was having issues with its DNS resolver function. I want to say it
was /etc/nsswitch.conf and /etc/networks that it was bombing out on,
but let me double check that before you reverse anything.

Thanks for the help!
-Dustin

Shawn Webb

Apr 1, 2022, 8:08:41 PM
to Loic, Dustin Marquess, HardenedBSD Users
I think tomorrow, I'll go ahead and revert that commit. Let's revisit
it in a bit more detail, perhaps scaling back some of the changes (but
going forward with some of them.)

Next week, I'll take a deeper look at the originally reported issue.
Thanks for the report, and thanks for the patience!

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc