Hi Hardened members, After setting up a hardened-full 64bit environment (nomultilib, gcc compile failed that way), only this bug remained. (and joe segfaulting, even with the minimal install cd kernel, maybe I file a bug later, there are other editors :)) First I tried with x86 as ARCH, it compiled there. Not sure if it's relevant, but kernel doesn't have CONFIG_IA32_EMULATION set. (It had, failed anyway). Tried to set -m64 CFLAG, to no avail. Tried to compile from source from http://www.adamantix.org/paxtest/paxtest-0.9.6.tar.gz, but this release is too old. All packages up-to-date, using safe cflags. Maybe relevant: http://forums.grsecurity.net/viewtopic.php?p=5580&sid=67beaddf4d933fd65bf619856be4b6ac My xeon doesn't have the nx flag neither, don't know if I lose most pax functionality that way. And I can't even test it :) BTW tested when using x86 ARCH, with good results. (only those failed which should have because of the RANDEXEC removal). Details: Hw: IBM eServer x336 Portage 2.0.54 (hardened/amd64, gcc-3.4.5, glibc-2.3.5-r2, 2.6.14-hardened-r5 x86_64) ================================================================= System uname: 2.6.14-hardened-r5 x86_64 Intel(R) Xeon(TM) CPU 3.20GHz Gentoo Base System version 1.6.14 dev-lang/python: 2.4.2 sys-apps/sandbox: 1.2.12 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 sys-devel/binutils: 2.16.1 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=nocona -O2 -fomit-frame-pointer -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-march=nocona -O2 -fomit-frame-pointer -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig distlocks sandbox sfperms strict" GENTOO_MIRRORS="http://gentoo.math.bme.hu http://gentoo.mirror.icd.hu/ http://gentoo.inode.at/ http://gd.tuwien.ac.at/opsys/linux/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/usr/portage/tmp" PORTDIR="/usr/portage" SYNC="rsync://gentoo-mirror.mc.ind.hu/gentoo-portage" USE="amd64 apache2 bash-completion berkdb bzip2 chroot crypt dnsdb expat hardened hpn justify maildir memlimit ncurses nls openssh pam pam_chroot pam_console pam_timestamp pcre pic posix readline slang ssl udev unicode userlocales utf8 wildlsearch xml zlib userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY >>> Source unpacked. gcc -O2 -DRUNDIR=\"/usr/lib64/paxtest\" -fno-stack-protector -fno-stack-protector-all -fPIC -DPIC -o shlibtest.o -c shlibtest.c gcc -O2 -DRUNDIR=\"/usr/lib64/paxtest\" -fno-stack-protector -fno-stack-protector-all -fPIC -DPIC -o shlibtest2.o -c shlibtest2.c gcc -O2 -DRUNDIR=\"/usr/lib64/paxtest\" -fno-stack-protector -fno-stack-protector-all -o body.o -c body.c gcc -O2 -DRUNDIR=\"/usr/lib64/paxtest\" -fno-stack-protector -fno-stack-protector-all -o randbody.o -c randbody.c gcc -O2 -DRUNDIR=\"/usr/lib64/paxtest\" -fno-stack-protector -fno-stack-protector-all -o retbody.o -c body.c gcc -O2 -DRUNDIR=\"/usr/lib64/paxtest\" -fno-stack-protector -fno-stack-protector-all -o shlibbss.o -c shlibbss.c body.c: In function `main': body.c:80: warning: generating trampoline in object (requires executable stack) gcc -O2 -DRUNDIR=\"/usr/lib64/paxtest\" -fno-stack-protector -fno-stack-protector-all -o shlibdata.o -c shlibdata.c body.c: In function `main': body.c:80: warning: generating trampoline in object (requires executable stack) gcc -O2 -DRUNDIR=\"/usr/lib64/paxtest\" -fno-stack-protector -fno-stack-protector-all -o getamap.o -c getamap.c gcc -O2 -DRUNDIR=\"/usr/lib64/paxtest\" -fno-stack-protector -fno-stack-protector-all -o getheap1.o -c getheap.c gcc -O2 -DRUNDIR=\"/usr/lib64/paxtest\" -fno-stack-protector -fno-stack-protector-all -fPIC -DPIC -o crt1S.o -c crt1S.S gcc -O2 -DRUNDIR=\"/usr/lib64/paxtest\" -fno-stack-protector -fno-stack-protector-all -o interp.o -c interp.c gcc -O2 -DRUNDIR=\"/usr/lib64/paxtest\" -fno-stack-protector -fno-stack-protector-all -fPIC -DPIC -o getheap2.o -c getheap.c crt1S.S: Assembler messages: crt1S.S:5: Error: suffix or operands invalid for `pop' crt1S.S:10: Error: suffix or operands invalid for `pop' crt1S.S:11: Internal error, aborting at /usr/portage/tmp/portage/binutils-2.16.1/work/binutils-2.16.1/gas/config/tc-i386.c line 3652 in output_imm Please report this bug. make: *** [crt1S.o] Error 1 make: *** Waiting for unfinished jobs.... rm shlibtest.o shlibtest2.o !!! ERROR: app-admin/paxtest-0.9.6 failed. !!! Function src_compile, Line 27, Exitcode 2 !!! (no error message) !!! If you need support, post the topmost build error, NOT this status message.
paxtest should of never been marked anything but x86. It only fully works on x86 due to some parts that are in asm and others where PAGE_SIZE is assumed to be 4096
Hi Solar, Ok, should we try resolving this issue? Or maybe you remove paxtest from all other ARCH-s. Could you suggest another tool for this arch that does the job of testing all grsec/pax functions? I don't know any.
(In reply to comment #2) > Could you suggest another tool for this arch that does the job of testing all > grsec/pax functions? I don't know any. http://pax.grsecurity.net/~paxguy1/paxtest-0.9.7-pre5.tar.gz Give this a try and let us know.
Error the same: gcc -O2 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -fPIC -DPIC -o crt1S. o -c crt1S.S crt1S.S: Assembler messages: crt1S.S:5: Error: suffix or operands invalid for `pop' crt1S.S:10: Error: suffix or operands invalid for `pop' crt1S.S:11: Internal error, aborting at /usr/portage/tmp/portage/binutils-2.16.1 /work/binutils-2.16.1/gas/config/tc-i386.c line 3652 in output_imm Please report this bug. make[1]: *** [crt1S.o] Error 1 rm shlibtest.o shlibtest2.o make[1]: Leaving directory `/usr/src/paxtest-0.9.7-pre5' make: *** [gentoo] Error 2
Just a finding: paxtest 0.9.5-r1 compiled well after removing ~
As it stands this bug is invalid. Any stable markings of paxtest are the problem of the people who decided to mark it as such on non x86 arches.
so how about removing the keywords?
Go for it. Reassigning bug to you then.
Dear arches, This is an un-keyword request (something new, eh? ;)) Could you please either drop the keywords or downgrade to ~arch as per comment #6 ? thanks in advance
Downgraded amd64
paxutils builds just fine on PPC64. unfortunatly I don't have a hardened chroot around, so I cannot test this. dostrow: adding you directly so you can comment on this, as you have added the ppc64 keyword.
No build problems on ppc here and it seems to work ok. Should it really be downgraded to ~arch on ppc too?
dostrow sais it was actualy working some time ago, though not tested recently. keeping the stable ppc64 keyword.
alright, lets keep it this way. it's not like i'd care anyway.