Bug 232201 - net-dns/pdns-recursor segfaulting unless linked with -nopie
Summary: net-dns/pdns-recursor segfaulting unless linked with -nopie
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
URL: http://www.powerdns.com
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2008-07-18 13:33 UTC by Bernhard Frauendienst
Modified: 2015-06-10 16:43 UTC
CC List: 1 user
See Also:
Package list:
Runtime testing required: ---


Attachments
strace of pdns_recursor with pax flags disabled (pdnsrec.strace, 19.45 KB, text/plain)
2008-07-18 20:43 UTC, Bernhard Frauendienst
kernel config (config, 27.54 KB, text/plain)
2008-07-19 00:22 UTC, Bernhard Frauendienst
coredump from pdns_recursor (pdns_coredump.bz2, 1.82 MB, application/x-bzip)
2008-07-19 13:44 UTC, Bernhard Frauendienst

Description Bernhard Frauendienst 2008-07-18 13:33:37 UTC
<preamble>
I'm rather inexperienced with hardened details, which is why I can't provide a (supposed) reason for this problem, so I'll just explain what happened. However, I think it is a "hardened" bug, since it doesn't occur on my non-hardened amd64 box (doesn't mean anything, but I think I'm right anyways ;))
</preamble>

I tried to run net-dns/pdns-recursor-3.1.7 on my amd64 hardened Gentoo box (although the same problem happened with older versions). Whatever I tried, it segfaulted right after starting. Now I finally got around to trying to debug it, to find out what's causing the problem.

I followed the Gentoo backtrace guide and the related Hardened FAQ topic, and after I recompiled the program with -nopie in LDFLAGS, it starts without segfaulting and runs fine.

Things I tried/did before LDFLAGS, which didn't have any impact on the behaviour:
* changing CFLAGS to -O1 -ggdb
* disabling (all) PAX flags with paxctl


Please tell me what further information you need me to provide.
Comment 1 Gordon Malm (RETIRED) gentoo-dev 2008-07-18 20:30:36 UTC
You neglected to post your emerge --info.  Also the actual output and any relevant logs from dmesg, syslog, etc. would be helpful.
Comment 2 Bernhard Frauendienst 2008-07-18 20:34:57 UTC
First: sorry for filing this under hardened, if this was wrong, I apologize.

Second: info coming right up...


=== emerge --info output (stripped of mirrors etc.) ===

Portage 2.1.4.4 (hardened/amd64, gcc-3.4.6, glibc-2.6.1-r0, 2.6.20-hardened-r10 x86_64)
=================================================================
System uname: 2.6.20-hardened-r10 x86_64 AMD Athlon(tm) 64 Processor 3700+
Timestamp of tree: Fri, 18 Jul 2008 09:16:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r13
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.5, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CXXFLAGS="-march=k8 -O2 -pipe"
FEATURES="ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv"
LANG="en_US.UTF-8"
LINGUAS="en de"
MAKEOPTS="-j2"
USE="acl amd64 apache2 bash-completion berkdb bzip2 cracklib crypt doc emacs expat ftp gcc64 gd gif gnutls gs hardened hardenedphp imap iproute2 ipv6 java jbig jpeg jpeg2k justify ldap logrotate maildir midi mysql ncurses nls nptl nptlonly pam pcre perl pic png postfix postgres python readline rle rrdtool socks5 sse2 ssl symlink tcl tcpd threads tiff unicode urandom utf8 vhosts xinetd xml xorg zip zlib"
KERNEL="linux" 
USERLAND="GNU"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 3 Bernhard Frauendienst 2008-07-18 20:40:10 UTC
=== dmesg output with PAX flags enabled ===

PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /usr/sbin/pdns_recursor(pdns_recursor):14010, uid/euid: 65534/65534, PC: 0000000077ee71a0, SP: 0000058678233438
PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
PAX: bytes at SP-8: 0000000000000000 0000058677f08030 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000058678233470 00002b32306eb9c0 00000586781face8 0000000000000b49 0000000000000000
Comment 4 Bernhard Frauendienst 2008-07-18 20:43:42 UTC
Created attachment 160762 [details]
strace of pdns_recursor with pax flags disabled

I don't know if this helps, but this is a strace log I took from pdns_recursor. If PAX flags are enabled, it looks nearly the same, but obviously the program gets terminated by SIGKILL instead of SIGSEGV.
Comment 5 Bernhard Frauendienst 2008-07-18 20:50:55 UTC
The output from pdns_recursor is not very helpful, it's as always, but of course it ends when the process gets killed (seemingly after initialization has been completed):

Jul 18 22:49:00 PowerDNS recursor 3.1.7 (C) 2001-2008 PowerDNS.COM BV (Jul 18 2008, 22:46:51, gcc 3.4.6 (Gentoo Hardened 3.4.6-r2 p1.5, ssp-3.4.6-1.0, pie-8.7.10)) starting up
Jul 18 22:49:00 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Jul 18 22:49:00 Operating in 64 bits mode
Jul 18 22:49:00 Reading random entropy from '/dev/urandom'
Jul 18 22:49:00 Only allowing queries from: 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
Jul 18 22:49:00 Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
Jul 18 22:49:00 Inserting rfc 1918 private space zones
Jul 18 22:49:00 Listening for UDP queries on 127.0.0.1:1053
Jul 18 22:49:00 Listening for TCP queries on 127.0.0.1:1053
Jul 18 22:49:00 Done priming cache with root hints
Jul 18 22:49:00 Enabled 'epoll' multiplexer
Jul 18 22:49:00 Set effective group id to 65534
Jul 18 20:49:00 Set effective user id to 65534
Killed

Comment 6 Gordon Malm (RETIRED) gentoo-dev 2008-07-19 00:17:53 UTC
Thanks, re-opening, please also post your kernel config.
Comment 7 Bernhard Frauendienst 2008-07-19 00:22:05 UTC
Created attachment 160781 [details]
kernel config
Comment 8 Gordon Malm (RETIRED) gentoo-dev 2008-07-19 02:05:31 UTC
(In reply to comment #3)
> === dmesg output with PAX flags enabled ===
> 
> PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
> PAX: terminating task: /usr/sbin/pdns_recursor(pdns_recursor):14010, uid/euid:
> 65534/65534, PC: 0000000077ee71a0, SP: 0000058678233438
> PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
> PAX: bytes at SP-8: 0000000000000000 0000058677f08030 0000000000000000
> 0000000000000000 0000000000000000 0000000000000000 0000058678233470
> 00002b32306eb9c0 00000586781face8
>  0000000000000b49 0000000000000000
> 

Please set paxctl -r on the binary and re-create this, then post the PAX termination log from that.

Please also enable coredumping and attach a backtrace from gdb.
Comment 9 Bernhard Frauendienst 2008-07-19 13:39:57 UTC
(In reply to comment #8)
> 
> Please set paxctl -r on the binary and re-create this, then post the PAX
> termination log from that.

I'm afraid I recompiled the binary since then, so here come both outputs:

# paxctl -z pdns_recursor

pdns_recursor[30900]: segfault at 0000000029d461a0 rip 0000000029d461a0 rsp 00000bcb2a08d208 error 14
PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /var/tmp/portage/net-dns/pdns-recursor-3.1.7/image/usr/sbin/pdns_recursor(pdns_recursor):30900, uid/euid: 65534/65534, PC: 0000000029d461a0, SP: 00000bcb2a08d208
PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
PAX: bytes at SP-8: 0000000000000000 00000bcb29d67030 0000000000000000 0000000000000000 0000000000000000 0000000000000000 00000bcb2a08d240 0000385d4c5d29c0 00000bcb2a054b40 0000000000000d79 0000000000000000


# paxctl -r pdns_recursor

pdns_recursor[30917]: segfault at 00000000555b01a0 rip 00000000555b01a0 rsp 00005555558f4668 error 14
PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /var/tmp/portage/net-dns/pdns-recursor-3.1.7/image/usr/sbin/pdns_recursor(pdns_recursor):30917, uid/euid: 65534/65534, PC: 00000000555b01a0, SP: 00005555558f4668
PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
PAX: bytes at SP-8: 0000000000000000 00005555555d1030 0000000000000000 0000000000000000 0000000000000000 0000000000000000 00005555558f46a0 00002b33f83399c0 00005555558bbfa0 0000000000000919 0000000000000000


> 
> Please also enable coredumping and attach a backtrace from gdb.
> 

coredump coming right up, gdb-backtrace is a little tricky, since I thought I had to disable PIE at the final linking stage to get decent backtraces, at least according to the hardened FAQ.
But then, like I mentioned in the summary and my first post, when I link the program with -nopie, it _doesn't_ segfault, but works just fine. 
Some pointers on what I should do to get a backtrace that can help you would be appreciated.
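The two log pairs above are the kind of record a hardened-kernel triager reads first, so here is an added example (my own Python, not part of this bug or of PowerDNS) that parses them: it decodes the x86 page-fault error code, pairs each kernel "segfault at" line with the PaX "terminating task" line for the same pid, and flags two things. The first is that the fault address equals rip, i.e. the faulting access is the instruction fetch itself, which is what PaX reports as "execution attempt in: <NULL>". The second is a heuristic, and applying it to this bug is my inference rather than anything the thread states: in both runs the PC fits in 32 bits while rsp and the stack words keep their high bits, which is what a code pointer stored in a 32-bit variable looks like on amd64; a non-PIE executable mapped at 0x400000 is not hurt by such truncation, a PIE loaded above 4 GiB is. The sample input is copied from comment 9 and embedded as a constructed string; all function names are mine.

```python
import re

# Constructed sample input: the kernel lines quoted in comment 9 of this bug
# (one "segfault at" line plus the matching PaX lines per paxctl setting).
SAMPLE_LOG = """\
pdns_recursor[30900]: segfault at 0000000029d461a0 rip 0000000029d461a0 rsp 00000bcb2a08d208 error 14
PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /var/tmp/portage/net-dns/pdns-recursor-3.1.7/image/usr/sbin/pdns_recursor(pdns_recursor):30900, uid/euid: 65534/65534, PC: 0000000029d461a0, SP: 00000bcb2a08d208
pdns_recursor[30917]: segfault at 00000000555b01a0 rip 00000000555b01a0 rsp 00005555558f4668 error 14
PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /var/tmp/portage/net-dns/pdns-recursor-3.1.7/image/usr/sbin/pdns_recursor(pdns_recursor):30917, uid/euid: 65534/65534, PC: 00000000555b01a0, SP: 00005555558f4668
"""

SEGFAULT_RE = re.compile(
    r"^(?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"rip (?P<rip>[0-9a-f]+) rsp (?P<rsp>[0-9a-f]+) error (?P<err>\d+)$"
)
PAX_KILL_RE = re.compile(
    r"^PAX: terminating task: (?P<path>\S+?)\((?P<comm>[^)]+)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)$"
)

# x86 page-fault error code bits as documented in the Intel SDM (vol. 3).
ERROR_CODE_BITS = (
    (1 << 0, "present"),            # 1: protection violation, 0: page not present
    (1 << 1, "write"),              # 1: write access, 0: read or fetch
    (1 << 2, "user"),               # 1: fault raised from user mode
    (1 << 3, "reserved-bit"),       # 1: reserved bit set in a paging entry
    (1 << 4, "instruction-fetch"),  # 1: instruction fetch (NX-enabled fault)
)


def decode_error_code(err: int) -> set:
    """Return the names of the bits set in a kernel 'error N' value."""
    return {name for bit, name in ERROR_CODE_BITS if err & bit}


def analyse_crash(addr: int, rip: int, rsp: int, err: int, pie: bool = True) -> dict:
    """Classify one segfault record. pie=True means the binary is a PIE (this bug's case);
    the 32-bit heuristic is meaningless for a non-PIE binary, whose code always lives
    below 4 GiB, so it is disabled then."""
    return {
        "error_bits": decode_error_code(err),
        # The faulting access is the instruction fetch itself: control was
        # transferred to an address that is not mapped executable.
        "fetch_at_fault_address": addr == rip,
        # Heuristic (my inference for this bug): PC fits in 32 bits while the
        # stack pointer does not, the signature of a code pointer truncated to 32 bits.
        "pc_fits_32_bits": pie and rip < (1 << 32) <= rsp,
    }


def parse_log(text: str, pie: bool = True) -> list:
    """Pair 'segfault at' lines with PaX termination lines by pid and classify each."""
    events, pax_by_pid = [], {}
    for line in text.splitlines():
        m = PAX_KILL_RE.match(line)
        if m:
            pax_by_pid[int(m["pid"])] = m.groupdict()
            continue
        m = SEGFAULT_RE.match(line)
        if not m:
            continue  # "execution attempt in" lines and unrelated noise
        addr, rip, rsp = (int(m[k], 16) for k in ("addr", "rip", "rsp"))
        ev = {"comm": m["comm"], "pid": int(m["pid"]), "addr": addr,
              "rip": rip, "rsp": rsp, "err": int(m["err"])}
        ev.update(analyse_crash(addr, rip, rsp, ev["err"], pie))
        events.append(ev)
    # Attach the PaX record (path, uid/euid, PC) and check PaX's PC agrees with rip.
    for ev in events:
        pax = pax_by_pid.get(ev["pid"])
        ev["pax"] = pax
        ev["pax_pc_matches_rip"] = bool(pax) and int(pax["pc"], 16) == ev["rip"]
    return events


def summarise(events: list) -> list:
    """One human-readable line per event, for a quick look at a dmesg dump."""
    out = []
    for ev in events:
        flags = []
        if ev["fetch_at_fault_address"]:
            flags.append("execute-from-unmapped")
        if ev["pc_fits_32_bits"]:
            flags.append("pc-looks-truncated-to-32-bits")
        out.append("%s[%d] rip=%#x rsp=%#x err=%s %s" % (
            ev["comm"], ev["pid"], ev["rip"], ev["rsp"],
            ",".join(sorted(ev["error_bits"])), " ".join(flags)))
    return out


if __name__ == "__main__":
    for line in summarise(parse_log(SAMPLE_LOG)):
        print(line)
```

Run it as-is to see both runs classified; feed it a full `dmesg` dump to triage more than one crash at once. The decoded error bits are the hardware meaning of the value the kernel printed; the robust signal for "tried to execute unmapped memory" is the fault address matching rip, which is why the script reports that separately.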
Comment 10 Bernhard Frauendienst 2008-07-19 13:44:10 UTC
Created attachment 160836 [details]
coredump from pdns_recursor

Had to start pdns_recursor without dropping privileges this time (i.e. --setuid= and --setgid=) in order to get a core dump.
Comment 11 Gordon Malm (RETIRED) gentoo-dev 2008-07-19 19:02:15 UTC
sys-devel/gdb-6.8-r1 should have support for debugging PIEs, pretty sure the rest don't.

Could you try emerging with:
CXXFLAGS="${CFLAGS} -fno-stack-protector -fno-stack-protector-all"

Wondering if this may be another for bug 135265.