Summary: | dev-libs/libffi-3.0.12 - test killed by PaX | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | iGentoo <AlphatPC> |
Component: | [OLD] Core system | Assignee: | Gentoo Toolchain Maintainers <toolchain> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | alexander, alonbl, atoth, eva, gentoo, hardened, pva, qnikst, staticsunn, stsander |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/atgreen/libffi/issues/38 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=457146 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 464070 | ||
Attachments: |
libffi-3.0.12-build.log
the difference between libffi-3.0.11-r1 and libffi-3.0.12 the difference between libffi-3.0.11-r1 and libffi-3.0.12 libffi-3.0.13 emutramp pax patch syslog output from 3.0.13-r1 Patch that use /proc for pax check New patch from vapier's input use /proc for pax mark check |
Description
iGentoo
2013-02-14 02:39:04 UTC
Created attachment 338826 [details]
libffi-3.0.12-build.log
Created attachment 338828 [details, diff]
the difference between libffi-3.0.11-r1 and libffi-3.0.12
(In reply to comment #2) > Created attachment 338828 [details, diff] [details, diff] > the difference between libffi-3.0.11-r1 and libffi-3.0.12 Alphat-PC, in that code you quote, can you change: strcmp( first, "PaX" ) to strcmp( first, "PaX:" ) Note the ":" at the end of PaX. If you need a proper patch, I can provide, but that should be a simple fix to just apply and test. Created attachment 338946 [details, diff]
the difference between libffi-3.0.11-r1 and libffi-3.0.12
(In reply to comment #4) > Created attachment 338946 [details, diff] [details, diff] > the difference between libffi-3.0.11-r1 and libffi-3.0.12 Does it fix the problem? (In reply to comment #5) > (In reply to comment #4) > > Created attachment 338946 [details, diff] [details, diff] [details, diff] > > the difference between libffi-3.0.11-r1 and libffi-3.0.12 > > Does it fix the problem? Yes, it does. emutramp_enabled_check() { return 0; } -> fine. emutramp_enabled_check() { return 1; } -> test killed by PaX. *** Bug 457146 has been marked as a duplicate of this bug. *** Is some one willing to test libffi-3.12-r1 in the hardened-dev overlay to se if it fix the problem? You need to have Emutramp enable on the binarys that use the libffi lib. The hard part is to fix the testsute for we need to enable Emutramp on the testbins before thay is run. For me the dev-libs/libffi-3.0.12-r1::hardened-development solved the problem on ~amd64. :) dev-libs/libffi-3.0.12-r1 from hardened-dev overlay fixed this issue for me as well. GNOME shell still has the same problem with `paxctl -E /usr/bin/gnome-shell` as well as `paxctl-ng -E /usr/bin/gnome-shell` (emutramp enabled). Created attachment 343064 [details, diff]
libffi-3.0.13 emutramp pax patch
Hi, I updated the libffi-3.0.12-r1 patch from hardened-dev overlay to libffi-3.0.13, I'm using it right now, things are working well.
Can some one test the libffi 3.013-r1 on the hardened-dev overlay? Have added loging stuff and test will still fail. I just tried to merge 3.0.13-r1 from hardened-dev. First, there is a typo, since the patch is named slightly different, this needs to be adjusted in the ebuild. However the build log, didn't show any significant differences in comparison to a build from 3.0.13 from the main tree. What exactly should I be looking for? (In reply to comment #13) > I just tried to merge 3.0.13-r1 from hardened-dev. First, there is a typo, > since the patch is named slightly different, this needs to be adjusted in > the ebuild. > > However the build log, didn't show any significant differences in comparison > to a build from 3.0.13 from the main tree. What exactly should I be looking > for? Fixed the typo It will log to syslog if it can read /proc/self/status and the binary don't have pax emutramp enable. Created attachment 344008 [details]
syslog output from 3.0.13-r1
This is the output I sifted out from the syslog. I think I got everything in there.
The patch in hardened-dev doesn´t work for me. Whoops, nevermind about that last comment. Things seem to be working now. Created attachment 346610 [details, diff]
Patch that use /proc for pax check
This patch use /proc to see if pax is enable and emutramp.
it is from libffi-3.0.13-r2 in the hardened-dev overlay.
Comment on attachment 346610 [details, diff]
Patch that use /proc for pax check
pretty sure this version has bugs. certainly the style is off. do this instead (the 'E' check might need to be changed to 'e' ... not sure):
static int
emutramp_enabled_check (void)
{
char *line;
size_t len;
FILE *fp;
int ret;
fp = fopen ("/proc/self/status", "r");
if (!fp)
return 0;
line = NULL;
ret = 0;
while (getline (&line, &len, fp) != -1)
if (!strncmp (line, "PaX:", 4))
{
char emutramp;
if (sscanf (line, "%*s %*c%c", &emutramp) == 1)
ret = (emutramp == 'E');
break;
}
fclose (fp);
return ret;
}
(In reply to comment #19) > Comment on attachment 346610 [details, diff] [details, diff] > Patch that use /proc for pax check > > pretty sure this version has bugs. certainly the style is off. do this > instead (the 'E' check might need to be changed to 'e' ... not sure): > > static int > emutramp_enabled_check (void) > { > char *line; > size_t len; > FILE *fp; > int ret; > > fp = fopen ("/proc/self/status", "r"); > if (!fp) > return 0; > > line = NULL; > ret = 0; > > while (getline (&line, &len, fp) != -1) > if (!strncmp (line, "PaX:", 4)) > { > char emutramp; > > if (sscanf (line, "%*s %*c%c", &emutramp) == 1) > ret = (emutramp == 'E'); > > break; > } > > fclose (fp); > > return ret; > } Doesn't this have a memory leak? getline allocates a buffer for *line but I think we need to free it. I'll check in a sec. (In reply to comment #20) true. put a free(line) just before the fclose(fp). Created attachment 346832 [details, diff]
New patch from vapier's input
Updated patch for the /proc check.
Vapier is this patch okey to commit?
Comment on attachment 346832 [details, diff] New patch from vapier's input the style is incorrect in many places. you should also send this to the upstream libffi mailing list. >+ f = fopen("/proc/self/status", "r"); one space before the =, and one space beteween fopen and ( >+ if (f == NULL) one space after the if >+ /* We can't read the needed info from /proc */ put a period after the /proc and two spaces between it and the */ >+ if (sscanf (buf, "%*s %*c%c", &emutramp) == 1) >+ ret = (emutramp == 'E'); only indent the ret with two spaces >+ free(buf); needs space between the free and ( Created attachment 346850 [details, diff]
use /proc for pax mark check
Patch bumped
Comment on attachment 346850 [details, diff]
use /proc for pax mark check
i'm not sure if you want to use syslog() at all. but the patch as is is fine by me. make sure you submit it to upstream and you may commit it to the tree.
The patch is allready posted on the libffi ml *** Bug 469758 has been marked as a duplicate of this bug. *** I mailed it upstream but no respons on the patch yet. Can it be commited att least on gentoo for now? (In reply to comment #28) i said in comment 25 you may commit once you posted upstream you should also add some metadata to the top of the patch referring to bugs/urls. see http://dev.gentoo.org/~vapier/clean-patches for more details. I see libffi-3.2.1 applied a version of this patch. Not helping me much to make dev-python/cryptography work... but still... maybe this specific bug can be closed. (In reply to Alon Bar-Lev from comment #30) > I see libffi-3.2.1 applied a version of this patch. Not helping me much to > make dev-python/cryptography work... but still... maybe this specific bug > can be closed. OK, I close. |