Summary: | =app-portage/mirrorselect-2.2.0.1 crashes with segmentation fault | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Christian Roessner <c> |
Component: | Current packages | Assignee: | Portage Tools Team <tools-portage> |
Status: | RESOLVED DUPLICATE | ||
Severity: | normal | CC: | blueness, hardened |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Christian Roessner
2015-04-29 06:13:12 UTC
Please provide a full backtrace as described here: https://wiki.gentoo.org/wiki/Bugzilla/Guide#Debugging_using_GDB P.S. 2.2.0.1 works just fine here. Mirrorselect is pure python code, so should be nearly impossible to segfault. If you have other python versions installed, try running it with them. You will most likely have to re-emerge python or one of the other libs like openssl. I guess, it has to do with Grsecurity. I traced the app (gdb and python??) open("/usr/lib64/python2.7/site-packages/cffi/gc_weakref.pyc", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=1158, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x6af2ec957000 read(5, "\3\363\r\na\277`Sc\0\0\0\0\0\0\0\0\3\0\0\0@\0\0\0s*\0\0\0d\0"..., 4096) = 1158 fstat(5, {st_mode=S_IFREG|0644, st_size=1158, ...}) = 0 read(5, "", 4096) = 0 close(5) = 0 munmap(0x6af2ec957000, 4096) = 0 close(4) = 0 munmap(0x6af2e642e000, 262144) = 0 munmap(0x6af2e64ae000, 262144) = 0 munmap(0x6af2e64ee000, 262144) = 0 munmap(0x6af2e652e000, 262144) = 0 munmap(0x6af2e656e000, 262144) = 0 munmap(0x6af2e65ee000, 262144) = 0 munmap(0x6af2e662e000, 262144) = 0 munmap(0x6af2e666e000, 262144) = 0 munmap(0x6af2e66ae000, 262144) = 0 munmap(0x6af2e66ee000, 262144) = 0 munmap(0x6af2e672e000, 262144) = 0 munmap(0x6af2e676e000, 262144) = 0 munmap(0x6af2e67ae000, 262144) = 0 munmap(0x6af2e67ee000, 262144) = 0 munmap(0x6af2e682e000, 262144) = 0 munmap(0x6af2e686e000, 262144) = 0 munmap(0x6af2e68ee000, 262144) = 0 munmap(0x6af2e692e000, 262144) = 0 munmap(0x6af2e696e000, 262144) = 0 munmap(0x6af2e69ae000, 262144) = 0 munmap(0x6af2e69ee000, 262144) = 0 munmap(0x6af2e6a2e000, 262144) = 0 munmap(0x6af2e6a6e000, 262144) = 0 munmap(0x6af2e6aae000, 262144) = 0 munmap(0x6af2e6b6e000, 262144) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted) --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} --- +++ killed by SIGSEGV +++ Segmentation fault And this is, what the kernel message buffer said: [390433.645995] grsec: From 193.239.106.201: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/mirrorselect[mirrorselect:24420] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:24417] uid/euid:0/0 gid/egid:0/0 So I might fix this with paxctl, but at the end something crashes: [390421.989628] mirrorselect[24409]: segfault at 0 ip 00006de65b83c3d5 sp 0000765f21c3be60 error 6 in libffi.so.6.0.1[6de65b836000+8000] Whatever libel is, it should not set fault. It seems it does not catch an exception in the mmap operation and therefor crashes, It is impossible for me to debug this with gdb. I recompiled python2.7 and lib with FEATURES="nostril" and -ggdb support. I set the gdb PaX flags, but I see exactly nothing, when the crash appears. So unfortunately I can not provide debugging symbols. All you can do is look at the lib code for the mmap operation, if that might be buggy. I _could_ try to set paxctl -m for /usr/bin/python2.7, but I am not sure, if that is really clever or not. Setting paxctl -m /usr/bin/python2.7 is a temporar workaround Anthony, Can you shed any light on this problem? Is it a paxctl problem? (In reply to Brian Dolbec from comment #6) > Anthony, Can you shed any light on this problem? Is it a paxctl problem? Yes. You need two things to get python working right in a hardened kernel: 1) paxctl-ng -vE /usr/bin/python2.7 #enable trampolines in userland 2) CONFIG_PAX_EMUTRAMP=y #enable trampolitines in the kernel. Disabling MPROTECT works but is overkill. For a few years now, python has decided that they want to use PROT_WRITE | PROT_EXEC in their mmap()-ings. This opens up a gaping security hole which we have mitigated by using kernel assisted trampolines. @Christian. Sorry, we've tried to get the word out. Maybe we could add it to our FAQ? I'm going to close this INVALID. Please reopen if the above doesn't fix your issue. paxctl-ng -v /usr/bin/python2.7 /usr/bin/python2.7: PT_PAX : -Em-- XATTR_PAX : not found It does not work for me without -m So I reopen it. My kernel is compiled with trampoline support: CONFIG_PAX_EMUTRAMP=y So I had to add MPROTECT disabled. It seems the -E does not solve the problem here. (In reply to Christian Roessner from comment #8) > paxctl-ng -v /usr/bin/python2.7 > /usr/bin/python2.7: > PT_PAX : -Em-- > XATTR_PAX : not found > > It does not work for me without -m > > So I reopen it. > > My kernel is compiled with trampoline support: > > CONFIG_PAX_EMUTRAMP=y > > So I had to add MPROTECT disabled. It seems the -E does not solve the > problem here. If you have dev-python/cffi installed you need to use unstable version. I can confirm that using unstable cffi, mirrorselect works. But is this not considered a bug, if a dependency requires an unstable XYZ for a stable package? At least thanks for your help. *** This bug has been marked as a duplicate of bug 525494 *** (In reply to Christian Roessner from comment #10) > I can confirm that using unstable cffi, mirrorselect works. But is this not > considered a bug, if a dependency requires an unstable XYZ for a stable > package? > > At least thanks for your help. It is a bug. I thought the appropriate version of cffi was already stable. My bad. We're stabilizing it now. Bug #548530. |