| Summary: | dev-perl/math-pari crash on 2.6.27-hardened-r8 | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Alex Efros <powerman-asdf> |
| Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | CC: | tove |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Alex Efros
2009-03-05 20:16:25 UTC

This bug seems expected somewhat. pari 2.3.x does not have textrels. The math-pari depends on an older version of pari where the textrel problem has not been corrected. I don't get a crash however despite both programs containing some form of textrels.

```
hardened / # perl -e 'use Math::Pari;' ; echo $?
0
```

(In reply to comment #1)
> I don't get a crash however despite both programs containing some form of
> textrels.

That's strange. Maybe there are some differences between our kernels or PaX configuration? Here is my config (PaX part):

```
#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
# CONFIG_KEYS is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_FILE_CAPABILITIES is not set
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0
```

workaround found: http://archives.gentoo.org/gentoo-hardened/msg_61d5a80966be6b6e26147443cb01e2ee.xml

Is this still a problem with =dev-perl/math-pari-2.01080601 ?

Didn't mean to close this bug.

Hmm. Looks like =dev-perl/math-pari-2.01080601 works ok.
But, strange, same version of Math::Pari installed using cpan command instead of emerge still has that problem, at least 'make test' failed with these messages in log:

```
2009-11-11_13:37:53.65369 kern.info: perl5.8.8[3445]: segfault at 5543ced0 ip 55427623 sp 5f846c30 error 7 in ld-2.9.so[55420000+1c000]
2009-11-11_13:37:53.65380 kern.alert: grsec: signal 11 sent to /usr/bin/perl5.8.8[perl5.8.8:3445] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/prove[prove:3444] uid/euid:0/0 gid/egid:0/0
```

The current in tree versions of dev-perl/math-pari are 2.01080604 (stable, based on pari-2.3.4) and 2.01080604-r1 (unstable based on pari-2.3.5). None of these show any TEXTRELs or other hardened problems when compiled with gcc-4.3.4 or gcc-4.4.4-r1 under either amd64 or x86. The kernel version should not be an issue, but I tested with hardened-sources-2.6.32-r9. Unless there is some need for older versions which solar mentions in Comment #1, there is nothing to fix.

Okay, cleaning out old bugs. This bug no longer seems relevant and there's nothing to fix. I'm closing it.

(In reply to comment #8)
> Okay, cleaning out old bugs. This bug no longer seems relevant and there's
> nothing to fix. I'm closing it.

Sorry, but that's not true.
I'm not sure what you mean as 'relevant', but bug is still here:

```
# cpan install Math::Pari
# perl -MMath::Pari -e 1
Segmentation fault
# /usr/src/prelink/src/execstack -q /usr/lib/perl5/site_perl/5.12.2/i686-linux/auto/Math/Pari/Pari.so
X /usr/lib/perl5/site_perl/5.12.2/i686-linux/auto/Math/Pari/Pari.so
# /usr/src/prelink/src/execstack -c /usr/lib/perl5/site_perl/5.12.2/i686-linux/auto/Math/Pari/Pari.so
# /usr/src/prelink/src/execstack -q /usr/lib/perl5/site_perl/5.12.2/i686-linux/auto/Math/Pari/Pari.so
- /usr/lib/perl5/site_perl/5.12.2/i686-linux/auto/Math/Pari/Pari.so
# perl -MMath::Pari -e 1
#
```

As for 'nothing to fix', on the gentoo-hardened mailing list under the subject '2.6.27-hardened-r8: assassination' people mention a patch to glibc (available somewhere in glibc's bugzilla) which fixes this bug. Of course, you probably know the glibc maintainer's attitude "Just use a supported kernel" - so he will not apply this patch. But Gentoo developers can add this patch to the glibc ebuild. I've no idea why this hasn't happened yet (this bug kills not only Math::Pari, but also Zend, Ioncube, and maybe some other apps), maybe supporting such a patch doesn't sound like something interesting, but it's surely not the same as 'nothing to fix'. So, I reopen this bug. If you wanna close it - close as WONTFIX, not CANTFIX. :)

(In reply to comment #9)
> So, I reopen this bug. If you wanna close it - close as WONTFIX, not CANTFIX.
> :)

No no. If there's a bug there which I'm missing, I want it fixed. Thanks for reopening.

(In reply to comment #6)
> Hmm. Looks like =dev-perl/math-pari-2.01080601 works ok. But, strange, same
> version of Math::Pari installed using cpan command instead of emerge still has
> that problem

(In reply to comment #9)
> I'm not sure what you mean as 'relevant', but bug is still here:
>
> # cpan install Math::Pari

Please try to reproduce with the ebuild. We have no control over the cpan install.
I guess `cpan install` still fetches the older pari-2.1.7 while the ebuild uses pari-2.3.5.

(In reply to comment #11)
> I guess `cpan install` still fetches the older pari-2.1.7 while the ebuild uses
> pari-2.3.5.

Yes, pari-2.3.5 works just fine, without need for the execstack workaround. I wonder why the Math::Pari author continues releasing two versions of Math::Pari each time - Math-Pari-2.01080604 for pari-2.1.7 and (unstable/development/alpha release) Math-Pari-2.0305_01080604a for pari-2.3.5. Probably there are some open issues with 2.3.5? Anyway, looks like this bug really can be closed. Not sure if I should open a new one related to that glibc bug and Zend/Ioncube issue…

(In reply to comment #12)
> (In reply to comment #11)
> Anyway, looks like this bug really can be closed.

Done.
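
What the two checks discussed in this thread look at inside a shared object such as Pari.so, as an added example (not code from the bug report or from Gentoo): the PT_GNU_STACK flag that `execstack -q` reports and `execstack -c` clears, and the DT_TEXTREL dynamic entry that marks text relocations. It handles little-endian ELF32 only, matching the i686 build in the thread; `audit_elf32` and `make_sample` are hypothetical names, and the sample images are constructed.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PF_X = 2, 0x6474E551, 0x1
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 22, 30, 0x4

def audit_elf32(data):
    """Return (exec_stack, textrel) for a little-endian ELF32 image.

    exec_stack is None when there is no PT_GNU_STACK header at all
    (execstack -q prints '?' for that case).
    """
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 file")
    (e_phoff,) = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    exec_stack, textrel = None, False
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz, _, p_flags, _ = struct.unpack_from(
            "<8I", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)   # the 'X' / '-' of execstack -q
        elif p_type == PT_DYNAMIC:
            # Walk the Elf32_Dyn entries (tag, value) until DT_NULL.
            for off in range(p_offset, p_offset + p_filesz, 8):
                tag, val = struct.unpack_from("<iI", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    textrel = True
    return exec_stack, textrel

def make_sample(stack_flags, dyn_tags):
    """Constructed test input: ELF32 header, two program headers, dynamic section."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + bytes(9),
                       3, 3, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    ph_dyn = struct.pack("<8I", PT_DYNAMIC, 52 + 2 * 32, 0, 0, len(dyn), len(dyn), 6, 4)
    ph_stack = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)
    return ehdr + ph_dyn + ph_stack + dyn

if __name__ == "__main__":
    # Constructed images: marker set (RWX), then the same object with PF_X cleared.
    for label, flags in (("before execstack -c", 7), ("after execstack -c", 6)):
        print(label, audit_elf32(make_sample(flags, [(DT_TEXTREL, 0)])))
```

Clearing PF_X changes only the stack marker; the dynamic section is untouched, so the second image still reports a text relocation.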