Bug 297054 - kde-base/kate-4.3.4 crashed with qt-script JIT code on hardened
Summary: kde-base/kate-4.3.4 crashed with qt-script JIT code on hardened
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: x86 Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 313999
Reported: 2009-12-15 17:30 UTC by Hugo Mildenberger
Modified: 2010-06-20 21:01 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info =kde-base/kate-4.3.4 (emerge--info-kate.txt,4.21 KB, text/plain)
2009-12-15 17:43 UTC, Hugo Mildenberger
gdb backtrace and more (gdb-kate-4.3.4-core.log,18.42 KB, text/plain)
2009-12-15 18:13 UTC, Hugo Mildenberger

Description Hugo Mildenberger 2009-12-15 17:30:16 UTC
An update to kde-4.3.4 on hardened Gentoo (running 2.6.31.7-grsec), which also includes an update of qt-script to version 4.6.0, resulted in the situation that the KDE editors kwrite and kate get killed by signal 9. Analyzing the core, it turned out that both programs use a QT JavaScript engine, partly implemented in assembly language, and that both fail at the same position. Both run fine with vanilla kernel 2.6.32.  paxctl -m $(which kwrite) $(which kate) fixes the issue.

Here are some of the topmost stackframes:
#0  0x494ee1a8 in ?? ()
#1  0x49ec0f36 in ctiTrampoline () from /usr/lib/qt4/libQtScript.so.4
#2  0x49eead45 in QTJSC::Interpreter::execute (this=0x4951c488, eval=0x5b827de8, callFrame=0x10a22234, thisObj=0x49080000, globalRegisterOffset=9, scopeChain=0x495571c8, exception=0x5b827d44)
    at ../3rdparty/javascriptcore/JavaScriptCore/jit/JITCode.h:79

Will attach the complete gdb backtrace later. 

According to gdb, 0x494ee1a8 is not covered by any function. The disassembly looks like the CPU is sitting in the forest. Except for kernel, gcc and glibc, the whole system is compiled with -fstack-protector-all applied, though I don't believe that this is an issue here.


Below is the code from ctiTrampoline(). I copied this from qt-everywhere-opensourcesrc-4.6.0/src/3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.cpp, which is part of the x11-libs/qt-script-4.6.0 package.

asm volatile (
".globl " SYMBOL_STRING(ctiTrampoline) "\n"
HIDE_SYMBOL(ctiTrampoline) "\n"
SYMBOL_STRING(ctiTrampoline) ":" "\n"
    "pushl %ebp" "\n"
    "movl %esp, %ebp" "\n"
    "pushl %esi" "\n"
    "pushl %edi" "\n"
    "pushl %ebx" "\n"
    "subl $0x3c, %esp" "\n"
    "movl $512, %esi" "\n"
    "movl 0x58(%esp), %edi" "\n"
    "call *0x50(%esp)" "\n"
    "addl $0x3c, %esp" "\n"
    "popl %ebx" "\n"
    "popl %edi" "\n"
    "popl %esi" "\n"
    "popl %ebp" "\n"
    "ret" "\n"
);

If you have difficulty reproducing this, see bug #281988 and scroll down for a patch for plasma-4.3.4; otherwise you probably won't even be able to log in to KDE (I should possibly post that issue in a new report targeting x11-libs/solid-4.3.4-r1.)
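An added example, not from the bug report or from Qt, of the step a hardened kernel refuses: a minimal JIT probe that maps a page, writes a few bytes of code into it, asks for it to become executable and reports the mprotect() errno instead of jumping blindly the way the ctiTrampoline path did. Assumptions: Linux on i386 or x86-64; the denied outcome needs a PaX kernel with MPROTECT enabled for the binary.

```c
/* Added example (not from the bug report or from Qt): a miniature of what
 * a JIT does, with every step checked, so a PaX MPROTECT refusal is
 * reported as an errno instead of ending in a SIGKILL at a bogus address. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum jit_probe_result {
    JIT_PROBE_OK = 0,           /* generated code ran; *out holds its result */
    JIT_PROBE_MMAP_FAILED,      /* no RW page at all */
    JIT_PROBE_MPROTECT_DENIED,  /* RW -> RX refused; PaX MPROTECT behaviour */
    JIT_PROBE_UNSUPPORTED       /* not i386/x86-64, nothing to emit */
};
/* Writes "mov eax, 42; ret" (same encoding on i386 and x86-64) into a
 * fresh RW page, flips it to RX and calls it. On a hardened kernel with
 * MPROTECT on, mprotect() returns -1/EPERM; a JIT that ignores that and
 * jumps anyway is killed, which is what the kate backtrace above shows. */
enum jit_probe_result jit_probe(int *out, int *err)
{
#if defined(__i386__) || defined(__x86_64__)
    static const unsigned char code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) {
        *err = errno;
        return JIT_PROBE_MMAP_FAILED;
    }
    memcpy(page, code, sizeof code);
    /* The step MPROTECT forbids: a page that was writable becoming executable. */
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
        *err = errno;
        munmap(page, len);
        return JIT_PROBE_MPROTECT_DENIED;
    }
    int (*fn)(void) = (int (*)(void))page;
    *out = fn();
    munmap(page, len);
    *err = 0;
    return JIT_PROBE_OK;
#else
    (void)out;
    *err = 0;
    return JIT_PROBE_UNSUPPORTED;
#endif
}
```

JIT_PROBE_MPROTECT_DENIED with err == EPERM is the hardened-kernel outcome; that is the restriction paxctl -m switches off for one binary, which is why the report's workaround lets kate run.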
Comment 1 Hugo Mildenberger 2009-12-15 17:43:58 UTC
Created attachment 213112 [details]
emerge --info =kde-base/kate-4.3.4
Comment 2 Hugo Mildenberger 2009-12-15 18:13:03 UTC
Created attachment 213121 [details]
gdb backtrace and more

Running c++filt to demangle some gdb output, I guess the problem is at or below QTJSC::EvalExecutable::generateJITCode(QTJSC::ExecState*, QTJSC::ScopeChainNode*). As JIT code is mostly incompatible with hardened (and you wonder why an editor needs to compile javascript), there should be a build option to disable it. I could not find one. And konqueror-4.3.4 runs fine with Javascript enabled.


(gdb) x/10a $esp-4
0x5bfba278:     0x88ab12b2      0x4f3a9f36 <ctiTrampoline+22>   0x4ea054b0      0x0
0x5bfba288:     0x5bfba2c8      0x4f42b38e <QTJSC::EvalExecutable::generateJITCode(QTJSC::ExecState*, QTJSC::ScopeChainNode*)+208>     0x4ea19600      0x4ea00400
0x5bfba298:     0x4ea01e10      0x4ea401c8
Comment 3 Magnus Granberg gentoo-dev 2010-01-30 19:36:21 UTC
Can someone on the kde herd take a look at this?
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2010-04-17 21:36:42 UTC
What's the status with 4.3.5 or 4.4.2?
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2010-06-09 18:56:27 UTC
This looks like it is a QT problem, so I am cc'ing the qt herd. Anyone with more hardened experience there?!
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2010-06-20 21:01:04 UTC
QT 4.6.0 has been gone from the tree for some time...

Please update to QT 4.6.3 and try again. If the problem persists, please reopen the bug!