I've attempted to emerge pike 5 times now. Each and every time, even after emerge sync, pike build fails. I've got hardened toolchain and kernel, not sure if this affects things, but I attempted CFLAGS="-fno-stack-protector" and the build still failed.

[ebuild N ] dev-lang/pike-7.6.24 +crypt -debug -doc -fftw +gdbm +gif -gtk +jpeg -kerberos -opengl +pdflib -scanner -svg +tiff +truetype +zlib 0 kB

Making Shuffler
make[4]: Entering directory `/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.7-hardened-r16-i686/post_modules/Shuffler'
Makefile:400: warning: overriding commands for target `depend'
Makefile:219: warning: ignoring old commands for target `depend'
/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.7-hardened-r16-i686/pike -DNOT_INSTALLED -DPRECOMPILED_SEARCH_MORE -m/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.7-hardened-r16-i686/master.pike /var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/src/post_modules/Shuffler/make_sources.pike /var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/src/post_modules/Shuffler sources.h sources_to_compile
make[4]: *** [override] Killed
make[4]: Leaving directory `/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.7-hardened-r16-i686/post_modules/Shuffler'
make[3]: *** [Shuffler] Error 1
make[3]: *** Waiting for unfinished jobs....
Compiling /var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/src/post_modules/Nettle/hash.c
/export/spare/pike/home/nilsson/Pike/7.6/src/post_modules/Nettle/hash.cmod: In function `f_HashState_update':
/export/spare/pike/home/nilsson/Pike/7.6/src/post_modules/Nettle/hash.cmod:137: warning: passing arg 1 of pointer to function discards qualifiers from pointer target type
Linking Bz2
make[4]: Leaving directory `/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.7-hardened-r16-i686/post_modules/Bz2'
Compiling /var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/src/post_modules/Nettle/cipher.c
Compiling /var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/src/post_modules/Nettle/crypt_md5.c
Compiling /var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/src/post_modules/Nettle/nt.c
Compiling /var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/src/post_modules/Nettle/idea.c
/export/spare/pike/home/nilsson/Pike/7.6/src/post_modules/Nettle/cipher.cmod: In function `init_DES3_Info_struct':
/export/spare/pike/home/nilsson/Pike/7.6/src/post_modules/Nettle/cipher.cmod:758: warning: initialization from incompatible pointer type
/export/spare/pike/home/nilsson/Pike/7.6/src/post_modules/Nettle/cipher.cmod:758: warning: initialization from incompatible pointer type
/export/spare/pike/home/nilsson/Pike/7.6/src/post_modules/Nettle/cipher.cmod: In function `init_IDEA_Info_struct':
/export/spare/pike/home/nilsson/Pike/7.6/src/post_modules/Nettle/cipher.cmod:990: warning: initialization from incompatible pointer type
/export/spare/pike/home/nilsson/Pike/7.6/src/post_modules/Nettle/cipher.cmod:990: warning: initialization from incompatible pointer type
Linking Nettle
make[4]: Leaving directory `/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.7-hardened-r16-i686/post_modules/Nettle'
make[3]: Leaving directory `/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.7-hardened-r16-i686/post_modules'
make[2]: *** [post_module_objects] Error 1
make[2]: Leaving directory `/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.7-hardened-r16-i686'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.7-hardened-r16-i686'
make: *** [compile] Error 2

!!! ERROR: dev-lang/pike-7.6.24 failed.
!!! Function src_compile, Line 53, Exitcode 2
!!! (no error message)
!!! If you need support, post the topmost build error, NOT this status message.

Reproducible: Always

Steps to Reproduce:
1. emerge pike
2.
3.

Actual Results:
see details.

Expected Results:
installed.

Portage 2.0.51-r3 (default-linux/x86/2004.3, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.7-hardened-r16 i686)
=================================================================
System uname: 2.6.7-hardened-r16 i686 Intel(R) Celeron(R) CPU 1.70GHz
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.90.0.1.1-r3
Headers: sys-kernel/linux26-headers-2.6.8.1
Libtools: sys-devel/libtool-1.5.2-r7,sys-devel/libtool-1.4.3-r4
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/mail/dspam /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.mirrors.pair.com/ http://mirrors.tds.net/gentoo ftp://mirrors.tds.net/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="acl adns aim aliaschain apache2 async authdaemond berkdb caps cdb chroot cnamefix crypt curl curlwrappers cyrus dba distcache dnsdb drac erandom exif fastcgi fla flatfile ftp gd gd-external gdbm gif glep gmail hardened icq imap innodb ipalias jabber javascript jp2 jpeg libg++ libwww lids maildir maildrop memlimit mime ming mmx mng mpi msn multipleip mysql ncurses nethack nls nptl oscar pam parse-clocks passfile pcre pdflib perl php pic pie png posix procmail python qmail readline roundrobin rrdtool sasl semanticfix session sftplogging skey snmp sockets spamassassin spell sse ssl tcpd tiff tokenizer transparent-proxy truetype vhosts virus-scan vpopmail x86 xattr xml xml2 yahoo zlib"
http://shell.xhcl.net/pike-7.6.24-r1.ebuild

This does a simple check to see if the particular kernel is a hardened kernel. The problem is that when compiled --with-machine-code, pike trips PAX and is SIGKILL'd. If pike is built --without-machine-code it seems to run just fine on a PAX enabled kernel. If you can find a more elegant way of doing the same thing, please do; my ebuild is just a dirty hack to make it work right.
I found a more elegant way to do it: --- /usr/local/portage/testing/pike/pike-7.6.24-r1.ebuild 2004-12-11 20:08:05.919789764 -0900 +++ /usr/portage/dev-lang/pike/pike-7.6.24.ebuild 2004-10-20 07:42:53.000000000 -0800 @@ -4,8 +4,6 @@ IUSE="crypt debug doc fftw gdbm gif gtk jpeg kerberos opengl pdflib scanner svg tiff truetype zlib" -inherit eutils linux-info - S="${WORKDIR}/Pike-v${PV}" HOMEPAGE="http://pike.ida.liu.se/" DESCRIPTION="Pike programming language and runtime" @@ -32,26 +30,9 @@ zlib? ( sys-libs/zlib ) dev-libs/gmp" -pax_check() { - ebegin "Checking if PaX is enabled" - linux_chkconfig_present PAX - eend $? - - if [ "$?" = 0 ] - then - einfo "PaX's mprotect kills Pike's build process unless" - einfo "--without-machine-code is used in configure this" - einfo "message just tells you that we fixed it before it" - einfo "broke. You won't see this message probably." - export HARD="--without-machine-code" - fi -} - - src_compile() { - pax_check; - emake CONFIGUREARGS="--prefix=/usr $HARD --disable-make_conf \ + emake CONFIGUREARGS="--prefix=/usr --disable-make_conf \ `use_with debug` \ `use_with crypt nettle` \ `use_with fftw` \
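Review bot: the diff headers are in the reverse direction. The "---" side is /usr/local/portage/testing/pike/pike-7.6.24-r1.ebuild and the "+++" side is the stock /usr/portage/dev-lang/pike/pike-7.6.24.ebuild, so applying this as posted removes "inherit eutils linux-info", pax_check and $HARD instead of adding them. Regenerate it with the tree ebuild as the old file and the -r1 ebuild as the new one.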
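Review bot: in pax_check, the test if [ "$?" = 0 ] comes after "eend $?", so the value it reads is the exit status of eend and not the result of linux_chkconfig_present directly. Save the result in a local variable immediately after the check, pass that to eend, and test the variable. HARD is also only assigned on the positive branch and is exported from inside the helper; initialise it to an empty string before the check so src_compile never picks up a stale value from the environment.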
btw. can you try without Nettle support (-crypt in USE)? Just so we know it's only the Nettle part of Pike that is causing this problem... I didn't have time to set up a hardened toolchain yet, I hope someone from our hardened team can look at this.
and the URL with the build log seems to be down, can you host it somewhere else or attach to this bug?
linux-2.6.10-grsec w/ PaX enabled
USE="-*" emerge =pike-7.6.24:

var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.10-grsec-i686/pike -DNOT_INSTALLED -DPRECOMPILED_SEARCH_MORE -m/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.10-grsec-i686/master.pike /var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/src/post_modules/Shuffler/make_sources.pike /var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/src/post_modules/Shuffler sources.h sources_to_compile
make[4]: *** [override] Killed
make[4]: Leaving directory `/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.10-grsec-i686/post_modules/Shuffler'
make[3]: *** [Shuffler] Error 1
make[3]: Leaving directory `/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.10-grsec-i686/post_modules'
make[2]: *** [post_module_objects] Error 1
make[2]: Leaving directory `/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.10-grsec-i686'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.10-grsec-i686'

dmesg output:

PAX: execution attempt in: <anonymous mapping>, 081e3000-08384000 081e3000
PAX: terminating task: /var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.10-grsec-i686/pike(pike):19305, uid/euid: 0/0, PC: 08321ed0, SP: 586e2294
PAX: bytes at PC: 8b 0d 30 70 24 08 b8 30 e1 cd f7 f7 d8 89 41 1c 8b 15 20 70
PAX: bytes at SP: 00000000 00000000 00000000 578f84f8 00000000 08319874 080f6431 082f2cf0 00000000 586e23d8 08076cfd 08321ed0 00000000 20837037 2075ffea 20764b84 0833dc00 00000048 00000e69 00000000

-> confirmed
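The PaX report in the comment above can be triaged mechanically. As an added example (not part of the original bug thread), this Python sketch pairs the "execution attempt" line with the "terminating task" line and checks that the faulting PC lies inside the reported anonymous mapping, which is the signature of a task killed for jumping into machine code it generated at run time. The regular expressions and the function name parse_pax_kills are assumptions fitted to the two log lines quoted in this bug, not a general PaX log grammar.

```python
import re

# Sample input: the two PaX lines quoted in this bug's dmesg output.
SAMPLE = """\
PAX: execution attempt in: <anonymous mapping>, 081e3000-08384000 081e3000
PAX: terminating task: /var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.10-grsec-i686/pike(pike):19305, uid/euid: 0/0, PC: 08321ed0, SP: 586e2294
"""

# Assumed patterns, fitted to the two line shapes above.
ATTEMPT = re.compile(
    r"PAX: execution attempt in: (?P<where>.+?), "
    r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)")
TERMINATE = re.compile(
    r"PAX: terminating task: (?P<path>\S+)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+)")


def parse_pax_kills(log_text):
    """Pair each 'execution attempt' line with the 'terminating task' after it."""
    events, pending = [], None
    for line in log_text.splitlines():
        attempt = ATTEMPT.search(line)
        if attempt:
            pending = attempt.groupdict()
            continue
        kill = TERMINATE.search(line)
        if not (kill and pending):
            continue
        start, end = int(pending["start"], 16), int(pending["end"], 16)
        pc = int(kill["pc"], 16)
        in_mapping = start <= pc < end
        events.append({
            "path": kill["path"], "comm": kill["comm"],
            "pid": int(kill["pid"]), "uid": int(kill["uid"]),
            "pc": pc, "mapping": (start, end), "pc_in_mapping": in_mapping,
            # Anonymous memory with the PC inside it: the task jumped into
            # code it had written at run time.
            "generated_code": (pending["where"] == "<anonymous mapping>"
                               and in_mapping),
        })
        pending = None
    return events


if __name__ == "__main__":
    for ev in parse_pax_kills(SAMPLE):
        kind = "runtime-generated code" if ev["generated_code"] else "other"
        print(f"{ev['comm']}[{ev['pid']}] killed at PC {ev['pc']:#010x}: {kind}")
```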
Created an attachment (id=47739)
change PaX flags on pike binary right after building it

Skeleton patch to change PaX flags on the newly built pike binary; we'll need to figure out what flags to set (just edit the patch, no need for re-diffing stuff).
Created an attachment (id=50085)
patch with working PaX flags (-pms)

compiles fine, but there's still a grsec message:

grsec: attempted resource overstep by requesting 8409088 for RLIMIT_STACK against limit 8388608 by /var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.10-grsec-i686/conftest[conftest:17691] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:17690] uid/euid:0/0 gid/egid:0/0

doesn't seem to cause any problems though
If this can be built so as not to trigger PaX at all while still keeping PaX enabled, then the hardened team would like to go that route.

IUSE="... hardened"

src_compile() {
	..
	use hardened && myconfig="--without-machine-code" \
		|| myconfig="--with-machine-code"
}

Please only set PaX flags when we have no other option.
This still happens with pike-7.6.24, compiling --without-machine-code helps.
Fixed in 7.6.24 CVS rev. 1.7; --without-machine-code added when USE=hardened. No change when not USE=hardened; keywords unchanged.