From: Kamil K. <ka...@ka...> - 2005-12-18 05:10:47

Hello.

I'm experiencing trustees related oopses on 2.6.14.3 with grsecurity and trustees 3.0 (compiled as module).

OS: Debian 3.1
Hardware: SMP i386 (Dual Xeon)

The crash happens during rules update. I've "Trustees: Building new trustee hash" message right in the middle of the oops report in dmesg. I'm attaching oops below.

After the crash, I'm getting "VFS: file-max limit 65536 reached" messages all the time and it's impossible to open any file until reboot.

Can anyone shed any light on this? If I'm unable to solve this, I'll have to go back to 2.4

Thanks in advance.

Oops: Unable to handle kernel NULL pointer dereference at virtual address 00000b18
f8a49985
*pgd = 0
Oops: 0000 [#1]
CPU: 3
EIP: 0060:[<f8a49985>] Not tainted VLI
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00010206 (2.6.14.3-grsec-probe)
eax: 00000b18 ebx: 0000008e ecx: 00000000 edx: 0000008e
esi: 00000280 edi: 0000080e ebp: f0974000 esp: daf63d4c
ds: 007b es: 007b ss: 0068
Stack: 00000000 f88e134d 00000020 00000000 f8a49f3b daf63d88 00000000 f88e134d
       daf63d88 00000001 f8a4a0ef daf63d88 00000020 00000000 00000020 00800021
       f0386cc0 f7c23700 f0386cc0 00000001 00000001 f7c84b00 f7c07dc0 f8a49151
Call Trace: [<f8a49f3b>] [<f8a4a0ef>] [<f8a49151>] [<c01781a6>] [<c019a351>]
       [<c016d270>] [<c016d270>] [<c0168d2d>] [<c019a3f9>] [<c019a754>]
       [<c019a9f3>] [<c0188495>] [<c0134c99>] [<c013007b>] [<c013007b>]
Code: 41 8d 1c 02 0f b6 01 84 c0 88 c2 75 e9 89 d8 8b 35 04 17 8e f8 31 c7 31 d2 89 f8 8b 0d 00 17 8e f8 f7 f6 8d 04 92 89 d3 c1 e0 02 <8b> 3c 01 85 ff 0f 84 9e 00 00 00 83 3c 01 01 74 7e 8d 04 08 8d

>>EIP; f8a49985 <pg0+38645985/3fbfa400> <=====
>>ebp; f0974000 <pg0+30570000/3fbfa400>
>>esp; daf63d4c <pg0+1ab5fd4c/3fbfa400>

Trace; f8a49f3b <pg0+38645f3b/3fbfa400>
Trace; f8a4a0ef <pg0+386460ef/3fbfa400>
Trace; f8a49151 <pg0+38645151/3fbfa400>
Trace; c01781a6 <unmap_vmas+f6/250>
Trace; c019a351 <__link_path_walk+ea1/f00>
Trace; c016d270 <prep_new_page+50/70>
Trace; c016d270 <prep_new_page+50/70>
Trace; c0168d2d <find_get_page+3d/50>
Trace; c019a3f9 <link_path_walk+49/e0>
Trace; c019a754 <path_lookup+94/170>
Trace; c019a9f3 <__user_walk+33/60>
Trace; c0188495 <sys_access+85/180>
Trace; c0134c99 <syscall_call+7/b>
Trace; c013007b <igmp_mc_proc_init+2b/60>
Trace; c013007b <igmp_mc_proc_init+2b/60>

This architecture has variable length instructions, decoding before eip
is unreliable, take these instructions with a pinch of salt.

Code; f8a4995a <pg0+3864595a/3fbfa400>
00000000 <_EIP>:
Code; f8a4995a <pg0+3864595a/3fbfa400>
   0: 41 inc %ecx
Code; f8a4995b <pg0+3864595b/3fbfa400>
   1: 8d 1c 02 lea (%edx,%eax,1),%ebx
Code; f8a4995e <pg0+3864595e/3fbfa400>
   4: 0f b6 01 movzbl (%ecx),%eax
Code; f8a49961 <pg0+38645961/3fbfa400>
   7: 84 c0 test %al,%al
Code; f8a49963 <pg0+38645963/3fbfa400>
   9: 88 c2 mov %al,%dl
Code; f8a49965 <pg0+38645965/3fbfa400>
Code; f8a49967 <pg0+38645967/3fbfa400>
   d: 89 d8 mov %ebx,%eax
Code; f8a49969 <pg0+38645969/3fbfa400>
   f: 8b 35 04 17 8e f8 mov 0xf88e1704,%esi
Code; f8a4996f <pg0+3864596f/3fbfa400>
  15: 31 c7 xor %eax,%edi
Code; f8a49971 <pg0+38645971/3fbfa400>
  17: 31 d2 xor %edx,%edx
Code; f8a49973 <pg0+38645973/3fbfa400>
  19: 89 f8 mov %edi,%eax
Code; f8a49975 <pg0+38645975/3fbfa400>
  1b: 8b 0d 00 17 8e f8 mov 0xf88e1700,%ecx
Code; f8a4997b <pg0+3864597b/3fbfa400>
  21: f7 f6 div %esi
Code; f8a4997d <pg0+3864597d/3fbfa400>
  23: 8d 04 92 lea (%edx,%edx,4),%eax
Code; f8a49980 <pg0+38645980/3fbfa400>
  26: 89 d3 mov %edx,%ebx
Code; f8a49982 <pg0+38645982/3fbfa400>
  28: c1 e0 02 shl $0x2,%eax

This decode from eip onwards should be reliable

Code; f8a49985 <pg0+38645985/3fbfa400>
00000000 <_EIP>:
Code; f8a49985 <pg0+38645985/3fbfa400> <=====
   0: 8b 3c 01 mov (%ecx,%eax,1),%edi <=====
Code; f8a49988 <pg0+38645988/3fbfa400>
   3: 85 ff test %edi,%edi
Code; f8a4998a <pg0+3864598a/3fbfa400>
   5: 0f 84 9e 00 00 00 je a9 <_EIP+0xa9>
Code; f8a49990 <pg0+38645990/3fbfa400>
   b: 83 3c 01 01 cmpl $0x1,(%ecx,%eax,1)
Code; f8a49994 <pg0+38645994/3fbfa400>
   f: 74 7e je 8f <_EIP+0x8f>
Code; f8a49996 <pg0+38645996/3fbfa400>
  11: 8d 04 08 lea (%eax,%ecx,1),%eax
Code; f8a49999 <pg0+38645999/3fbfa400>
  14: 8d .byte 0x8d

--
Kamil Kaczkowski
ka...@ka...