# dmesg:
...
[11363.001593] PAX: From 127.0.0.6: execution attempt in: <anonymous mapping>, 2f49fbdf000-2f49fbe1000 2f49fbdf000
[11363.001598] PAX: terminating task: /var/tmp/portage/dev-libs/libffi-3.0.12/work/libffi-3.0.12/x86_64-pc-linux-gnu/testsuite/unwindtest.exe(unwindtest.exe):32497, uid/euid: 250/250, PC: 000002f49fbdf010, SP: 000003f063d0ae18
[11363.001600] PAX: bytes at PC: 49 bb b2 f7 a2 9f f4 02 00 00 49 ba 10 f0 bd 9f f4 02 00 00
[11363.001610] PAX: bytes at SP-8: 0000000000000009 0000001cf1fd5119 00000000ffffffff 000002f49fbe1259 000002f49fbe1228 000002f49fbdf010 0000000000000002 000003f063d0ae60 000002f49fa2fa80 0000000000000000 00000000f63d4e2e
...

Portage 2.2.0_alpha162 (hardened/linux/amd64/selinux, gcc-4.7.2, glibc-2.17, 3.7.7-pax.x86_64 x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-3.7.7-pax.x86_64-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q9300_@_2.50GHz-with-gentoo-2.2
KiB Mem: 6114292 total, 1113564 free
KiB Swap: 10484724 total, 10268332 free
Timestamp of tree: Thu, 14 Feb 2013 01:15:01 +0000
ld GNU gold (GNU Binutils 2.23.1) 1.11
ccache version 3.1.9 [disabled]
app-shells/bash: 4.2_p42
dev-java/java-config: 2.1.12-r1
dev-lang/python: 2.5.4-r5, 2.6.8-r1, 2.7.3-r3, 3.1.5-r1, 3.2.3-r2, 3.3.0-r1
dev-util/ccache: 3.1.9
dev-util/cmake: 2.8.10.2-r1
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.11.8
sys-apps/sandbox: 2.6
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.12.6, 1.13.1
sys-devel/binutils: 2.23.1
sys-devel/gcc: 4.6.3, 4.7.2
sys-devel/gcc-config: 1.8
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc: 2.17
Repositories: gentoo systemd hardened-dev gnome custom
Installed sets: @local
ACCEPT_KEYWORDS="amd64 x86 ~amd64 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-Wall -Wextra -gdwarf-4 -ggdb -march=native -pipe -O3 -fno-tree-vectorize -frecord-gcc-switches"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/polkit-1/actions /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-Wall -Wextra -gdwarf-4 -ggdb -march=native -pipe -O3 -fno-tree-vectorize -frecord-gcc-switches"
DISTDIR="/usr/local/portage/distfiles"
FCFLAGS="-Wall -Wextra -gdwarf-4 -ggdb -march=native -pipe -O3 -fno-tree-vectorize -frecord-gcc-switches"
FEATURES="assume-digests binpkg-logs buildpkg collision-protect compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms split-elog split-log splitdebug strict test test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-Wall -Wextra -gdwarf-4 -ggdb -march=native -pipe -O3 -fno-tree-vectorize -frecord-gcc-switches"
GENTOO_MIRRORS="http://mirrors.163.com/gentoo http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu -Wl,--icf=safe"
MAKEOPTS="V=1 -j6"
PKGDIR="/usr/local/portage/packages-amd64"
PORTAGE_BZIP2_COMMAND="lbzip2"
PORTAGE_COMPRESS="xz"
PORTAGE_COMPRESS_FLAGS="-9ef"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--ipv4"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/systemd /var/lib/layman/hardened-development /var/lib/layman/gnome /usr/local/portage"
SYNC="rsync://mirrors.ustc.edu.cn/gentoo-portage"
USE="X acl alsa amd64 audit bash-completion berkdb bzip2 c++0x cairo caps cli cracklib crypt custom-cflags cxx dbus dri ffmpeg gdbm gmp gnome gpm gtk gtk3 hardened iconv icu ipv6 jit jpeg jpeg2k justify lzma mmx modules mudflap multilib ncurses nls nptl open_perms opengl openmp orc pam pax_kernel pcre png pulseaudio qt4 readline selinux session sse sse2 ssl svg systemd tcpd threads tiff udev unicode urandom vim-syntax xattr xinetd zlib"
ABI_X86="64"
ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
DRACUT_MODULES="bootchart btrfs caps dmsquash-live gensplash livenet lvm nfs ssh-client syslog systemd"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="en en_US zh zh_CN"
PHP_TARGETS="php5-3"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_2 python3_3"
QEMU_SOFTMMU_TARGETS="x86_64 arm mips64el ppc64"
RUBY_TARGETS="ruby18 ruby19"
USERLAND="GNU"
VIDEO_CARDS="nouveau nvidia"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 3.2 3.3"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND

=================================================================
Package Settings
=================================================================
dev-libs/libffi-3.0.12 was built with the following:
USE="pax_kernel test -debug -static-libs"
Created attachment 338826 [details] libffi-3.0.12-build.log
Created attachment 338828 [details, diff] the difference between libffi-3.0.11-r1 and libffi-3.0.12
(In reply to comment #2)
> Created attachment 338828 [details, diff]
> the difference between libffi-3.0.11-r1 and libffi-3.0.12

Alphat-PC, in that code you quote, can you change:

strcmp( first, "PaX" )

to

strcmp( first, "PaX:" )

Note the ":" at the end of PaX. If you need a proper patch, I can provide, but that should be a simple fix to just apply and test.
Created attachment 338946 [details, diff] the difference between libffi-3.0.11-r1 and libffi-3.0.12
(In reply to comment #4)
> Created attachment 338946 [details, diff]
> the difference between libffi-3.0.11-r1 and libffi-3.0.12

Does it fix the problem?
(In reply to comment #5)
> (In reply to comment #4)
> > Created attachment 338946 [details, diff]
> > the difference between libffi-3.0.11-r1 and libffi-3.0.12
>
> Does it fix the problem?

Yes, it does.

emutramp_enabled_check() { return 0; } -> fine.
emutramp_enabled_check() { return 1; } -> test killed by PaX.
*** Bug 457146 has been marked as a duplicate of this bug. ***
Is someone willing to test libffi-3.12-r1 in the hardened-dev overlay to see if it fixes the problem? You need to have Emutramp enabled on the binaries that use the libffi lib. The hard part is to fix the testsuite, for we need to enable Emutramp on the testbins before they are run.
For me the dev-libs/libffi-3.0.12-r1::hardened-development solved the problem on ~amd64. :)
dev-libs/libffi-3.0.12-r1 from hardened-dev overlay fixed this issue for me as well. GNOME shell still has the same problem with `paxctl -E /usr/bin/gnome-shell` as well as `paxctl-ng -E /usr/bin/gnome-shell` (emutramp enabled).
Created attachment 343064 [details, diff]
libffi-3.0.13 emutramp pax patch

Hi, I updated the libffi-3.0.12-r1 patch from hardened-dev overlay to libffi-3.0.13. I'm using it right now, things are working well.
Can someone test the libffi 3.013-r1 on the hardened-dev overlay? Have added logging stuff and test will still fail.
I just tried to merge 3.0.13-r1 from hardened-dev. First, there is a typo: since the patch is named slightly differently, this needs to be adjusted in the ebuild. However, the build log didn't show any significant differences in comparison to a build from 3.0.13 from the main tree. What exactly should I be looking for?
(In reply to comment #13)
> I just tried to merge 3.0.13-r1 from hardened-dev. First, there is a typo,
> since the patch is named slightly different, this needs to be adjusted in
> the ebuild.
>
> However the build log, didn't show any significant differences in comparison
> to a build from 3.0.13 from the main tree. What exactly should I be looking
> for?

Fixed the typo.
It will log to syslog if it can read /proc/self/status and the binary doesn't have PaX emutramp enabled.
Created attachment 344008 [details] syslog output from 3.0.13-r1 This is the output I sifted out from the syslog. I think I got everything in there.
The patch in hardened-dev doesn't work for me.
Whoops, nevermind about that last comment. Things seem to be working now.
Created attachment 346610 [details, diff]
Patch that use /proc for pax check

This patch uses /proc to see if PaX is enabled and emutramp. It is from libffi-3.0.13-r2 in the hardened-dev overlay.
Comment on attachment 346610 [details, diff]
Patch that use /proc for pax check

pretty sure this version has bugs. certainly the style is off. do this instead (the 'E' check might need to be changed to 'e' ... not sure):

static int
emutramp_enabled_check (void)
{
  char *line;
  size_t len;
  FILE *fp;
  int ret;

  fp = fopen ("/proc/self/status", "r");
  if (!fp)
    return 0;

  line = NULL;
  ret = 0;

  while (getline (&line, &len, fp) != -1)
    if (!strncmp (line, "PaX:", 4))
      {
        char emutramp;

        if (sscanf (line, "%*s %*c%c", &emutramp) == 1)
          ret = (emutramp == 'E');

        break;
      }

  fclose (fp);

  return ret;
}
(In reply to comment #19)
> Comment on attachment 346610 [details, diff]
> Patch that use /proc for pax check
>
> pretty sure this version has bugs. certainly the style is off. do this
> instead (the 'E' check might need to be changed to 'e' ... not sure):
>
> static int
> emutramp_enabled_check (void)
> {
>   char *line;
>   size_t len;
>   FILE *fp;
>   int ret;
>
>   fp = fopen ("/proc/self/status", "r");
>   if (!fp)
>     return 0;
>
>   line = NULL;
>   ret = 0;
>
>   while (getline (&line, &len, fp) != -1)
>     if (!strncmp (line, "PaX:", 4))
>       {
>         char emutramp;
>
>         if (sscanf (line, "%*s %*c%c", &emutramp) == 1)
>           ret = (emutramp == 'E');
>
>         break;
>       }
>
>   fclose (fp);
>
>   return ret;
> }

Doesn't this have a memory leak? getline allocates a buffer for *line but I think we need to free it. I'll check in a sec.
(In reply to comment #20) true. put a free(line) just before the fclose(fp).
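The /proc/self/status check discussed in the comments above, as an added example that is not part of this bug thread or of the libffi patch: it keeps the posted parsing logic, frees the getline() buffer, and takes a stream so it can be run over constructed status text. The helper names, the sample status lines and the flag layout (EMUTRAMP as the second letter, upper case when enabled) are assumptions.

```c
#define _GNU_SOURCE             /* getline(), fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Scan a status stream for the "PaX:" line and report the EMUTRAMP flag.
   Assumed layout: "PaX:\t" + flag letters, EMUTRAMP second, upper case = on.
   Returns 0 when the line is missing or too short (fail closed).  */
static int
emutramp_from_stream (FILE *fp)
{
  char *line = NULL;
  size_t len = 0;
  int ret = 0;

  while (getline (&line, &len, fp) != -1)
    if (!strncmp (line, "PaX:", 4))
      {
        char emutramp;

        if (sscanf (line, "%*s %*c%c", &emutramp) == 1)
          ret = (emutramp == 'E');
        break;
      }
  free (line);                  /* buffer is allocated by getline() */
  return ret;
}

/* Hypothetical helper: run the parser over constructed status text.  */
static int
emutramp_from_text (const char *text)
{
  FILE *fp = fmemopen ((void *) text, strlen (text), "r");
  int ret = fp ? emutramp_from_stream (fp) : 0;

  if (fp)
    fclose (fp);
  return ret;
}

int
main (void)
{
  FILE *fp = fopen ("/proc/self/status", "r");
  int live = fp ? emutramp_from_stream (fp) : 0;

  if (fp)
    fclose (fp);
  printf ("this process: emutramp=%d\n", live);
  printf ("constructed pEmrs: %d\n", emutramp_from_text ("PaX:\tpEmrs\n"));
  return 0;
}
```

On a kernel without the PaX line in /proc/self/status the live check reports 0, the same result as an unreadable file.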
Created attachment 346832 [details, diff]
New patch from vapier's input

Updated patch for the /proc check. Vapier, is this patch okay to commit?
Comment on attachment 346832 [details, diff]
New patch from vapier's input

the style is incorrect in many places. you should also send this to the upstream libffi mailing list.

>+ f = fopen("/proc/self/status", "r");

one space before the =, and one space between fopen and (

>+ if (f == NULL)

one space after the if

>+ /* We can't read the needed info from /proc */

put a period after the /proc and two spaces between it and the */

>+ if (sscanf (buf, "%*s %*c%c", &emutramp) == 1)
>+ ret = (emutramp == 'E');

only indent the ret with two spaces

>+ free(buf);

needs space between the free and (
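Review bot: in the quoted sscanf (buf, "%*s %*c%c", &emutramp) lines, the format depends on EMUTRAMP being the second flag character on the PaX line and on upper case meaning enabled, and nothing in the quoted lines records that. Add a short comment above the call stating the expected line layout, so the positional %*c skip and the 'E' comparison can be checked against the kernel's output.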
Created attachment 346850 [details, diff] use /proc for pax mark check Patch bumped
Comment on attachment 346850 [details, diff] use /proc for pax mark check i'm not sure if you want to use syslog() at all. but the patch as is is fine by me. make sure you submit it to upstream and you may commit it to the tree.
The patch is already posted on the libffi ml.
*** Bug 469758 has been marked as a duplicate of this bug. ***
I mailed it upstream but no response on the patch yet. Can it be committed at least on gentoo for now?
(In reply to comment #28)

i said in comment 25 you may commit once you posted upstream

you should also add some metadata to the top of the patch referring to bugs/urls. see http://dev.gentoo.org/~vapier/clean-patches for more details.
I see libffi-3.2.1 applied a version of this patch. Not helping me much to make dev-python/cryptography work... but still... maybe this specific bug can be closed.
(In reply to Alon Bar-Lev from comment #30)
> I see libffi-3.2.1 applied a version of this patch. Not helping me much to
> make dev-python/cryptography work... but still... maybe this specific bug
> can be closed.

OK, I close.