Bug 457194 - dev-libs/libffi-3.0.12 - test killed by PaX
Summary: dev-libs/libffi-3.0.12 - test killed by PaX
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Toolchain Maintainers
URL: https://github.com/atgreen/libffi/iss...
Whiteboard:
Keywords:
Duplicates: 457146 469758
Depends on:
Blocks: 464070
Reported: 2013-02-14 02:39 UTC by iGentoo
Modified: 2017-06-21 21:45 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
libffi-3.0.12-build.log (libffi-3.0.12-build.log.tar.xz,34.31 KB, application/x-xz-compressed-tar)
2013-02-14 02:40 UTC, iGentoo
the difference between libffi-3.0.11-r1 and libffi-3.0.12 (libffi-3.0.12-emutramp.patch,1.04 KB, patch)
2013-02-14 02:47 UTC, iGentoo
the difference between libffi-3.0.11-r1 and libffi-3.0.12 (libffi-3.0.12-emutramp.patch,1.05 KB, patch)
2013-02-15 05:24 UTC, iGentoo
libffi-3.0.13 emutramp pax patch (libffi-3.0.13-emutramp_pax.patch,1.71 KB, patch)
2013-03-24 05:26 UTC, Charles Svitlik
syslog output from 3.0.13-r1 (syslog-output-txt,38.85 KB, text/plain)
2013-04-01 21:08 UTC, Markus Walter
Patch that use /proc for pax check (libffi-3.0.13-emutramp_pax_log.patch,1.52 KB, patch)
2013-04-25 22:51 UTC, Magnus Granberg
New patch from vapier's input (libffi-3.0.13-emutramp_pax_log.patch,1.41 KB, patch)
2013-04-28 22:15 UTC, Magnus Granberg
use /proc for pax mark check (libffi-3.0.13-emutramp_pax_log.patch,1.41 KB, patch)
2013-04-29 01:01 UTC, Magnus Granberg

Description iGentoo 2013-02-14 02:39:04 UTC
# dmesg:
...
[11363.001593] PAX: From 127.0.0.6: execution attempt in: <anonymous mapping>, 2f49fbdf000-2f49fbe1000 2f49fbdf000
[11363.001598] PAX: terminating task: /var/tmp/portage/dev-libs/libffi-3.0.12/work/libffi-3.0.12/x86_64-pc-linux-gnu/testsuite/unwindtest.exe(unwindtest.exe):32497, uid/euid: 250/250, PC: 000002f49fbdf010, SP: 000003f063d0ae18
[11363.001600] PAX: bytes at PC: 49 bb b2 f7 a2 9f f4 02 00 00 49 ba 10 f0 bd 9f f4 02 00 00 
[11363.001610] PAX: bytes at SP-8: 0000000000000009 0000001cf1fd5119 00000000ffffffff 000002f49fbe1259 000002f49fbe1228 000002f49fbdf010 0000000000000002 000003f063d0ae60 000002f49fa2fa80 0000000000000000 00000000f63d4e2e 
...


Portage 2.2.0_alpha162 (hardened/linux/amd64/selinux, gcc-4.7.2, glibc-2.17, 3.7.7-pax.x86_64 x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-3.7.7-pax.x86_64-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q9300_@_2.50GHz-with-gentoo-2.2
KiB Mem:     6114292 total,   1113564 free
KiB Swap:   10484724 total,  10268332 free
Timestamp of tree: Thu, 14 Feb 2013 01:15:01 +0000
ld GNU gold (GNU Binutils 2.23.1) 1.11
ccache version 3.1.9 [disabled]
app-shells/bash:          4.2_p42
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.5.4-r5, 2.6.8-r1, 2.7.3-r3, 3.1.5-r1, 3.2.3-r2, 3.3.0-r1
dev-util/ccache:          3.1.9
dev-util/cmake:           2.8.10.2-r1
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.12.6, 1.13.1
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.6.3, 4.7.2
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo systemd hardened-dev gnome custom
Installed sets: @local
ACCEPT_KEYWORDS="amd64 x86 ~amd64 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-Wall -Wextra -gdwarf-4 -ggdb -march=native -pipe -O3 -fno-tree-vectorize -frecord-gcc-switches"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/polkit-1/actions /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-Wall -Wextra -gdwarf-4 -ggdb -march=native -pipe -O3 -fno-tree-vectorize -frecord-gcc-switches"
DISTDIR="/usr/local/portage/distfiles"
FCFLAGS="-Wall -Wextra -gdwarf-4 -ggdb -march=native -pipe -O3 -fno-tree-vectorize -frecord-gcc-switches"
FEATURES="assume-digests binpkg-logs buildpkg collision-protect compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms split-elog split-log splitdebug strict test test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-Wall -Wextra -gdwarf-4 -ggdb -march=native -pipe -O3 -fno-tree-vectorize -frecord-gcc-switches"
GENTOO_MIRRORS="http://mirrors.163.com/gentoo http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu -Wl,--icf=safe"
MAKEOPTS="V=1 -j6"
PKGDIR="/usr/local/portage/packages-amd64"
PORTAGE_BZIP2_COMMAND="lbzip2"
PORTAGE_COMPRESS="xz"
PORTAGE_COMPRESS_FLAGS="-9ef"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--ipv4"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/systemd /var/lib/layman/hardened-development /var/lib/layman/gnome /usr/local/portage"
SYNC="rsync://mirrors.ustc.edu.cn/gentoo-portage"
USE="X acl alsa amd64 audit bash-completion berkdb bzip2 c++0x cairo caps cli cracklib crypt custom-cflags cxx dbus dri ffmpeg gdbm gmp gnome gpm gtk gtk3 hardened iconv icu ipv6 jit jpeg jpeg2k justify lzma mmx modules mudflap multilib ncurses nls nptl open_perms opengl openmp orc pam pax_kernel pcre png pulseaudio qt4 readline selinux session sse sse2 ssl svg systemd tcpd threads tiff udev unicode urandom vim-syntax xattr xinetd zlib" ABI_X86="64" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DRACUT_MODULES="bootchart btrfs caps dmsquash-live gensplash livenet lvm nfs ssh-client syslog systemd" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_US zh zh_CN" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2 python3_3" QEMU_SOFTMMU_TARGETS="x86_64 arm mips64el ppc64" 
RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="nouveau nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 3.2 3.3"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND

=================================================================
                        Package Settings
=================================================================

dev-libs/libffi-3.0.12 was built with the following:
USE="pax_kernel test -debug -static-libs"
Comment 1 iGentoo 2013-02-14 02:40:41 UTC
Created attachment 338826 [details]
libffi-3.0.12-build.log
Comment 2 iGentoo 2013-02-14 02:47:14 UTC
Created attachment 338828 [details, diff]
the difference between libffi-3.0.11-r1 and libffi-3.0.12
Comment 3 Anthony Basile gentoo-dev 2013-02-14 11:43:41 UTC
(In reply to comment #2)
> Created attachment 338828 [details, diff]
> the difference between libffi-3.0.11-r1 and libffi-3.0.12

Alphat-PC, in that code you quote, can you change:

    strcmp( first, "PaX" )

to

    strcmp( first, "PaX:" )

Note the ":" at the end of PaX.  If you need a proper patch, I can provide, but that should be a simple fix to just apply and test.
Comment 4 iGentoo 2013-02-15 05:24:25 UTC
Created attachment 338946 [details, diff]
the difference between libffi-3.0.11-r1 and libffi-3.0.12
Comment 5 Anthony Basile gentoo-dev 2013-02-15 11:45:38 UTC
(In reply to comment #4)
> Created attachment 338946 [details, diff]
> the difference between libffi-3.0.11-r1 and libffi-3.0.12

Does it fix the problem?
Comment 6 iGentoo 2013-02-16 03:30:09 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Created attachment 338946 [details, diff]
> > the difference between libffi-3.0.11-r1 and libffi-3.0.12
> 
> Does it fix the problem?

Yes, it does.

emutramp_enabled_check() { return 0; } -> fine.
emutramp_enabled_check() { return 1; } -> test killed by PaX.
Comment 7 SpanKY gentoo-dev 2013-02-18 06:16:00 UTC
*** Bug 457146 has been marked as a duplicate of this bug. ***
Comment 8 Magnus Granberg gentoo-dev 2013-02-26 00:30:29 UTC
Is someone willing to test libffi-3.12-r1 in the hardened-dev overlay to
see if it fixes the problem?
You need to have Emutramp enabled on the binaries that use the libffi lib.
The hard part is to fix the testsuite, for we need to enable Emutramp on the testbins before they are run.
Comment 9 Markus Walter 2013-02-28 12:37:23 UTC
For me the dev-libs/libffi-3.0.12-r1::hardened-development solved the problem on ~amd64. :)
Comment 10 Charles Svitlik 2013-02-28 15:35:16 UTC
dev-libs/libffi-3.0.12-r1 from hardened-dev overlay fixed this issue for me as well. GNOME shell still has the same problem with `paxctl -E /usr/bin/gnome-shell` as well as `paxctl-ng -E /usr/bin/gnome-shell` (emutramp enabled).
Comment 11 Charles Svitlik 2013-03-24 05:26:30 UTC
Created attachment 343064 [details, diff]
libffi-3.0.13 emutramp pax patch

Hi, I updated the libffi-3.0.12-r1 patch from hardened-dev overlay to libffi-3.0.13, I'm using it right now, things are working well.
Comment 12 Magnus Granberg gentoo-dev 2013-04-01 20:29:22 UTC
Can someone test the libffi 3.013-r1 on the hardened-dev overlay?
Have added logging stuff and test will still fail.
Comment 13 Markus Walter 2013-04-01 20:41:35 UTC
I just tried to merge 3.0.13-r1 from hardened-dev. First, there is a typo, since the patch is named slightly differently, this needs to be adjusted in the ebuild.

However, the build log didn't show any significant differences in comparison to a build from 3.0.13 from the main tree. What exactly should I be looking for?
Comment 14 Magnus Granberg gentoo-dev 2013-04-01 20:59:04 UTC
(In reply to comment #13)
> I just tried to merge 3.0.13-r1 from hardened-dev. First, there is a typo,
> since the patch is named slightly differently, this needs to be adjusted in
> the ebuild.
> 
> However, the build log didn't show any significant differences in comparison
> to a build from 3.0.13 from the main tree. What exactly should I be looking
> for?
Fixed the typo.
It will log to syslog if it can read /proc/self/status and
the binary doesn't have pax emutramp enabled.
Comment 15 Markus Walter 2013-04-01 21:08:59 UTC
Created attachment 344008 [details]
syslog output from 3.0.13-r1

This is the output I sifted out from the syslog. I think I got everything in there.
Comment 16 Charles Svitlik 2013-04-11 01:43:03 UTC
The patch in hardened-dev doesn't work for me.
Comment 17 Charles Svitlik 2013-04-20 16:10:29 UTC
Whoops, nevermind about that last comment. Things seem to be working now.
Comment 18 Magnus Granberg gentoo-dev 2013-04-25 22:51:12 UTC
Created attachment 346610 [details, diff]
Patch that use /proc for pax check

This patch uses /proc to see if pax is enabled and emutramp.
It is from libffi-3.0.13-r2 in the hardened-dev overlay.
Comment 19 SpanKY gentoo-dev 2013-04-26 03:19:08 UTC
Comment on attachment 346610 [details, diff]
Patch that use /proc for pax check

pretty sure this version has bugs.  certainly the style is off.  do this instead (the 'E' check might need to be changed to 'e' ... not sure):

static int
emutramp_enabled_check (void)
{
  char *line;
  size_t len;
  FILE *fp;
  int ret;

  fp = fopen ("/proc/self/status", "r");
  if (!fp)
    return 0;

  line = NULL;
  ret = 0;

  while (getline (&line, &len, fp) != -1)
    if (!strncmp (line, "PaX:", 4))
      {
        char emutramp;

        if (sscanf (line, "%*s %*c%c", &emutramp) == 1)
          ret = (emutramp == 'E');

        break;
      }

  fclose (fp);

  return ret;
}
Comment 20 Anthony Basile gentoo-dev 2013-04-26 10:33:18 UTC
(In reply to comment #19)
> Comment on attachment 346610 [details, diff]
> Patch that use /proc for pax check
> 
> pretty sure this version has bugs.  certainly the style is off.  do this
> instead (the 'E' check might need to be changed to 'e' ... not sure):
> 
> static int
> emutramp_enabled_check (void)
> {
>   char *line;
>   size_t len;
>   FILE *fp;
>   int ret;
> 
>   fp = fopen ("/proc/self/status", "r");
>   if (!fp)
>     return 0;
> 
>   line = NULL;
>   ret = 0;
> 
>   while (getline (&line, &len, fp) != -1)
>     if (!strncmp (line, "PaX:", 4))
>       {
>         char emutramp;
> 
>         if (sscanf (line, "%*s %*c%c", &emutramp) == 1)
>           ret = (emutramp == 'E');
> 
>         break;
>       }
> 
>   fclose (fp);
> 
>   return ret;
> }

Doesn't this have a memory leak?  getline allocates a buffer for *line but I think we need to free it.  I'll check in a sec.
Comment 21 SpanKY gentoo-dev 2013-04-26 15:41:09 UTC
(In reply to comment #20)

true.  put a free(line) just before the fclose(fp).
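
The check from comments 19 to 21 with the `free (line)` applied, as an added example that is not the patch attached to this bug or libffi's own code. It keeps the thread's positional `sscanf` read; the function names, the -1 "no PaX: line" result and the sample status text are assumptions made for the example, as is treating upper-case 'E' as "enabled".

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* getline(), fmemopen() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Scan a /proc/<pid>/status-style stream for the "PaX:" line.
   Returns 1 if the second flag character is 'E', 0 if it is anything
   else, -1 if no parsable PaX: line exists (e.g. a non-PaX kernel).  */
static int
pax_emutramp_from_stream (FILE *fp)
{
  char *line = NULL;
  size_t len = 0;
  int ret = -1;

  while (getline (&line, &len, fp) != -1)
    if (!strncmp (line, "PaX:", 4))
      {
        char emutramp;
        /* Positional read as in the thread: skip the "PaX:" token,
           skip the first flag character, take the second.  */
        if (sscanf (line, "%*s %*c%c", &emutramp) == 1)
          ret = (emutramp == 'E');
        break;
      }

  free (line);   /* getline() owns the buffer; free (NULL) is a no-op */
  return ret;
}

/* Hypothetical helper: run the parser over an in-memory string.  */
static int
pax_emutramp_from_text (const char *text)
{
  FILE *fp = fmemopen ((void *) text, strlen (text), "r");
  int ret = fp ? pax_emutramp_from_stream (fp) : -1;
  if (fp)
    fclose (fp);
  return ret;
}

int
main (void)
{
  /* Constructed sample text, not taken from the bug's attachments.  */
  FILE *fp = fopen ("/proc/self/status", "r");
  printf ("sample: %d\n", pax_emutramp_from_text ("Name:\tx\nPaX:\tPEmrs\n"));
  if (fp)
    {
      printf ("self: %d\n", pax_emutramp_from_stream (fp));
      fclose (fp);
    }
  return 0;
}
```

Returning -1 separately from 0 lets a caller tell "flag off" apart from "kernel exposes no PaX: line"; a caller that only needs the thread's behaviour can treat both as "not enabled".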
Comment 22 Magnus Granberg gentoo-dev 2013-04-28 22:15:55 UTC
Created attachment 346832 [details, diff]
New patch from vapier's input

Updated patch for the /proc check.
Vapier, is this patch okay to commit?
Comment 23 SpanKY gentoo-dev 2013-04-28 23:31:03 UTC
Comment on attachment 346832 [details, diff]
New patch from vapier's input

the style is incorrect in many places.  you should also send this to the upstream libffi mailing list.

>+  f  = fopen("/proc/self/status", "r");

one space before the =, and one space between fopen and (

>+  if  (f == NULL)

one space after the if

>+      /* We can't read the needed info from /proc */

put a period after the /proc and two spaces between it and the */

>+        if (sscanf (buf, "%*s %*c%c", &emutramp) == 1)
>+            ret = (emutramp == 'E');
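
Review bot: the sscanf line depends on an undocumented layout of the PaX: field, since `%*s %*c%c` takes whatever character follows the first flag and the comparison against 'E' is case-sensitive. A one-line comment above it naming the expected flag order and what upper and lower case mean would let the next reader check that assumption against the kernel's output.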

only indent the ret with two spaces

>+  free(buf);

needs space between the free and (
Comment 24 Magnus Granberg gentoo-dev 2013-04-29 01:01:20 UTC
Created attachment 346850 [details, diff]
use /proc for pax mark check

Patch bumped
Comment 25 SpanKY gentoo-dev 2013-04-29 02:31:56 UTC
Comment on attachment 346850 [details, diff]
use /proc for pax mark check

i'm not sure if you want to use syslog() at all.  but the patch as is is fine by me.  make sure you submit it to upstream and you may commit it to the tree.
Comment 26 Magnus Granberg gentoo-dev 2013-05-13 17:08:03 UTC
The patch is already posted on the libffi ml
Comment 27 Magnus Granberg gentoo-dev 2013-05-13 23:18:57 UTC
*** Bug 469758 has been marked as a duplicate of this bug. ***
Comment 28 Magnus Granberg gentoo-dev 2013-05-15 18:38:09 UTC
I mailed it upstream but no response on the patch yet.
Can it be committed at least on gentoo for now?
Comment 29 SpanKY gentoo-dev 2013-05-21 21:22:38 UTC
(In reply to comment #28)

i said in comment 25 you may commit once you posted upstream

you should also add some metadata to the top of the patch referring to bugs/urls.  see http://dev.gentoo.org/~vapier/clean-patches for more details.
Comment 30 Alon Bar-Lev (RETIRED) gentoo-dev 2015-09-03 10:11:22 UTC
I see libffi-3.2.1 applied a version of this patch. Not helping me much to make dev-python/cryptography work... but still... maybe this specific bug can be closed.
Comment 31 Matthias Maier gentoo-dev 2017-06-21 21:45:54 UTC
(In reply to Alon Bar-Lev from comment #30)
> I see libffi-3.2.1 applied a version of this patch. Not helping me much to
> make dev-python/cryptography work... but still... maybe this specific bug
> can be closed.

OK, I close.