"HBSD SEGVGUARD... Suspension expired" - Please explain!

[fraenki]

Hi,

I've seen a service crashing (HAProxy) and was wondering: What's the meaning of these HBSD messages?

Code: [Select]

Dec 30 11:08:05 kernel: pid 53076 (haproxy), uid 80: exited on signal 11
Dec 30 11:08:05 kernel: [HBSD SEGVGUARD] [haproxy (53076)] Suspension expired.
Dec 30 11:08:05 kernel: -> pid: 53076 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>

Is this crash related to one of these HBSD security features? Is there a way to disable them during runtime?


Thanks
- Frank

[lattera]

PaX SEGVGUARD protects against ASLR bruteforce attempts. It slows down execution of a continuously-crashing process in order to make bruteforce attacks take more time.

We should figure out why haproxy is segfaulting.

[fraenki]

We should figure out why haproxy is segfaulting.

Agreed.
Can HSDB security features lead to those crashes?


Regards
- Frank

[lattera]

We should figure out why haproxy is segfaulting.

Agreed.
Can HSDB security features lead to those crashes?


Regards
- Frank

The ones that OPNsense has: nope. There is PaX NOEXEC, which prohibits applications from creating memory mappings that are both writable and executable (and toggling between the two). NOEXEC causes issues with Just-In-Time (JIT) compilers. However, OPNSense does not currently have NOEXEC in its src tree for 18.7. It does for 19.1, but NOEXEC is disabled due to PHP 7 using a JIT.

For more info about HardenedBSD's features, take a look at our wiki: https://github.com/HardenedBSD/hardenedBSD/wiki