HBSD SEGVGUARD errors on filterdns

[Stefan]

Shortly after startup, restart or service bounces I get a HBSD SEGVGUARD error as follows:

[HBSD SEGVGUARD] [filterdns (14248)] Supension expired -> pid: 14248 ppid: p_pax: 0x50<SEGVGUARD, ASLR>

Though I have not discoveed any obvious operational problems associated with this error it is consttant and repeatable.  (version i86 17.7. Any ideas or recommendations?

Edit: Please note the pid: ##### changes with each instance of the error.

[lattera]

That message would happen because filterdns is crashing often. Can you provide a core dump or steps to reproduce your issue?

[Stefan]

The steps to it are pretty straight away. If I do a reload of services (option 11 on the console) the error occurs at: "Configuring WAN interface ..." Likewise on a restart. At any change make in the GUI that has any DNS selection made. For Example, if I am on
   
System: Settings: General

and toggle the setting; "Allow DNS server list to be overridden by DHCP/PPP on WAN" on or off I get the filter DNS error. Though with that on it will occur seemingly randomly during normal operation (Web browsing, music/video streaming, etc).


I do not have the WAN used in the IDS/IPS. I am not using Unbound DNS.

[lattera]

When you said you are running the i86 version, does that mean i386 (aka, 32-bit)?

[Stefan]

At this time, yes I am running at 32 bits. I just downloaded the 64 bit earlier today. But wanted to get past some of this first before upgrading to 64 bits.

[lattera]

It's possible our ASLR is a bit too aggressive on 32-bit. I would suggest trying 64-bit. Below is a more detailed explanation as to why. If you don't understand, no worries. However, I'd just like to take the opportunity to document why it might be an issue.

The VDSO must lie between the top of the stack and the kernel virtual address space. Given that the 32-bit address space is extremely limited, it's possible that trying to find a mapping for the VDSO is failing, causing issues and resulting in crashes. Our SEGVGUARD implementation is a deterrent for ASLR bruteforcing, preventing frequently-crashing applications from being restarted too quickly (similar in concept to adding a delay each time someone enters the wrong password on a login prompt.)

In general, ASLR on 32-bit is rather weak. Like mentioned above, there simply isn't enough bits to randomize effectively. This isn't a problem with HardenedBSD's implementation; rather, it's a weakness inherent in the architecture. This isn't an issue with 64-bit systems as the virtual address space is sufficiently large.

To see if ASLR is the issue, you could add the following line to /boot/loader.conf.local:

hardening.pax.aslr.status=1

That will effectively disable ASLR on your system. If you still see the issue, please let me know and I'll spin up a virtualized 32-bit OPNsense installation to see if I can reproduce the issue.

[Stefan]

Thank you. I will be setting up a 64 bit install, hopefully this weekend. If that cures it , great. If not I will let you know.

Regards,
Stefan

[lattera]

Cool. By switching to 64-bit, you'll also gain SafeStack, an exploit mitigation that helps with buffer overflows. OPNsense is the first and currently only firewall shipping with SafeStack.

Edited to add: Like I said in my previous post, if you have issues with 64-bit, I'd be happy to help find the underlying issue and fix it. ASLR simply is rather limited on 32-bit systems and frankly not worth it on 32-bit systems.

[Stefan]

.

[Stefan]

Upgrade to 64 did not go well. The install failed after it could not create the local user.

[franco]

What hardware are we talking about?

[Stefan]

HP Pavilion CPU: Intel(R) Pentium(R) CPU G620 @ 2.60GHz (2594.16-MHz 686-class CPU), 2 CPUs,
1 package(s) x 2 core(s).

4 Gb RAM

Intel Dual Port Pro/1000

500 GB Segate Drive

One other issue I found was that installing the amd64 did not wipe the boot sector and the i386 Bootloader is still there. Even after aggressive formatting of the drive, the amd64 can't overwrite the i386 bootloader. I have since tried to reinstall the i386 version and it too fails.

I tried cleaning the drive with the FreeBSD installer, didn't work. Then gave the Debian installer a try, same problem. I am borrowing a Windows 10 installer later today and will try that (I do not have any Windows products so I needed borrow some).

[Stefan]

So the good news is that I have an amd64 install. Abet via a MBR setup.

A giant step forward. Thank you.

[Stefan]

After a reboot this morning the filterdns issue again reared it's ugly head. But, confirmed it is a 32 bit issue.

At the login prompt:

[HBSD SEGVGUARD] [filterdns (79625)] Suspension expired.
->pid: 79652 ppid: 1 p_pax: 0x450<SEGVGUARD,ASLR,DISALLOWMAP32BIT>

During the reboot there were huge filterlog dumps to the console screen.

 

[Stefan]

After second reboot. NTP and Suricata service starts are "deferred" requiring manual start.

"Starting NTP Service...deferred"

"Starting suricata...deferred"