Bug 43492 - firefox+java+grsec crash
Summary: firefox+java+grsec crash
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High minor
Assignee: The Gentoo Linux Hardened Team
Duplicates: 47343 50881
Reported: 2004-03-02 10:25 UTC by Diederik van der Boor
Modified: 2005-03-23 12:03 UTC
CC: 5 users
Description Diederik van der Boor 2004-03-02 10:25:19 UTC
mozilla / firebird / firefox seems to crash when I open a webpage with a java applet. From the kernel logs, I found these errors from grsecurity:

2004-02-29T22:41:13+0000 01 grsec: signal 11 sent to (java_vm:2432) UID(1000) UID(1000), parent (firefox-bin:18053) UID(1000) EUID(1000)
2004-02-29T22:41:13+0000 01 grsec: signal 6 sent to (java_vm:2432) UID(1000) EUID(1000), parent (firefox-bin:18053) UID(1000) EUID(1000)
2004-02-29T22:41:13+0000 01 grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (java_vm:2432) UID(1000) EUID(1000), parent (firefox-bin:18053) UID(1000) EUID(1000)

It seems to me that java tried to overstep the limit for core files, but is being killed by the kernel while attempting to do this.

Reproducible: Always
Steps to Reproduce:

Portage 2.0.50-r1 (default-x86-1.4, gcc-3.3.2, glibc-2.3.2-r9, 2.4.22-gentoo-r7)
=================================================================
System uname: 2.4.22-gentoo-r7 i686 AMD Athlon(tm) XP 1800+
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.57a-r1
Automake: sys-devel/automake-1.7.7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-mcpu=athlon-xp -Os -pipe -fomit-frame-pointer -fmerge-all-constants
-fforce-addr"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3.2/share/config /usr/kde/3/share/config /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-mcpu=athlon-xp -Os -pipe -fomit-frame-pointer -fmerge-all-constants
-fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo
http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/
http://mirrors.sec.informatik.tu-darmstadt.de/gentoo http://gentoo.mirror.sdv.fr
http://www.fhh.opensource-mirror.de/gentoo.org/
http://trumpetti.atm.tut.fi/gentoo/ http://gentoo.tiscali.nl/gentoo/
http://ftp.lug.ro/gentoo http://sunsite.cnlab-switch.ch/ftp/mirror/gentoo/
http://www.die.unipd.it/pub/Linux/distributions/gentoo-sources/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/usr/tmp-portage"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow S3TC X aalib acpi alsa apache2 apm arts artswrappersuid avi berkdb
bindist cdr chroot crypt cups dedicated dga dvd dvdr encode esd fbcon foomaticdb
gatos gd gdbm ggi gif gnome gphoto2 gpm gtk gtk2 gtkhtml imap imlib java jikes
jpeg kde ldap libg++ libwww linguas_nl lirc mad maildir mikmod mmx motif mozilla
mpeg mysql nas ncurses nls oggvorbis opengl oss pam pdflib perl pic png python
qt quicktime readline samba scanner sdl slang speex spell sse ssl tcltk tcpd
tetex tiff truetype type1 usb v4l video_cards_radeon x86 xinerama xml2 xmms xv zlib"
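As an added example (not from the bug report or from any grsecurity tool), a small Python parser for the grsec log format quoted in the description: it groups the signal deliveries and the RLIMIT_CORE overstep by victim PID and flags the SIGSEGV/SIGABRT-plus-blocked-core pattern that a process generating code at runtime shows when the kernel refuses it. The sample lines are constructed from the description's format, with one unrelated crash added for contrast.

```python
# Added example, not from the bug report: parse the grsec log format quoted above and
# correlate, per victim PID, the SIGSEGV/SIGABRT pair with the RLIMIT_CORE overstep.
import re
from collections import defaultdict

# Constructed sample: the three lines from the bug plus one unrelated SIGSEGV.
SAMPLE_LOG = """\
2004-02-29T22:41:13+0000 01 grsec: signal 11 sent to (java_vm:2432) UID(1000) UID(1000), parent (firefox-bin:18053) UID(1000) EUID(1000)
2004-02-29T22:41:13+0000 01 grsec: signal 6 sent to (java_vm:2432) UID(1000) EUID(1000), parent (firefox-bin:18053) UID(1000) EUID(1000)
2004-02-29T22:41:13+0000 01 grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (java_vm:2432) UID(1000) EUID(1000), parent (firefox-bin:18053) UID(1000) EUID(1000)
2004-02-29T22:45:00+0000 01 grsec: signal 11 sent to (xmms:2500) UID(1000) EUID(1000), parent (bash:2100) UID(1000) EUID(1000)
"""

SIGNAL_RE = re.compile(
    r"grsec: signal (\d+) sent to \(([^:)]+):(\d+)\).*?parent \(([^:)]+):(\d+)\)")
OVERSTEP_RE = re.compile(
    r"grsec: attempted resource overstep by requesting (\d+) for (\w+) "
    r"against limit (\d+) by \(([^:)]+):(\d+)\)")

def parse_grsec(text):
    """Group signal deliveries and resource oversteps by victim PID."""
    procs = defaultdict(lambda: {"comm": None, "parent": None, "signals": [], "oversteps": []})
    for line in text.splitlines():
        m = SIGNAL_RE.search(line)
        if m:
            sig, comm, pid, pcomm, ppid = m.groups()
            p = procs[int(pid)]
            p["comm"], p["parent"] = comm, (pcomm, int(ppid))
            p["signals"].append(int(sig))
            continue
        m = OVERSTEP_RE.search(line)
        if m:
            amount, res, limit, comm, pid = m.groups()
            p = procs[int(pid)]
            p["comm"] = p["comm"] or comm
            p["oversteps"].append((res, int(amount), int(limit)))
    return dict(procs)

def classify(procs):
    """SIGSEGV then SIGABRT plus a blocked core dump is the signature the bug shows
    for a process generating code at runtime under PaX; a lone SIGSEGV is not."""
    findings = {}
    for pid, p in procs.items():
        core_blocked = any(r == "RLIMIT_CORE" and lim == 0 for r, _, lim in p["oversteps"])
        if 11 in p["signals"] and 6 in p["signals"] and core_blocked:
            findings[pid] = "likely memory-protection kill (runtime code generation?)"
        elif 11 in p["signals"]:
            findings[pid] = "plain SIGSEGV"
    return findings
```

Running `classify(parse_grsec(SAMPLE_LOG))` singles out PID 2432 (java_vm under firefox-bin) while the ordinary SIGSEGV of PID 2500 is reported as such.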
Comment 1 Aron Griffis (RETIRED) gentoo-dev 2004-04-19 20:17:19 UTC
Could you please provide a URL to reproduce this problem?  Thanks.
Comment 2 Diederik van der Boor 2004-04-20 12:34:22 UTC
It doesn't matter what site I visit; as soon as a java applet is in the page, firefox, mozilla, et al. crash. (for example the radio station www.3fm.nl has an applet in their frontpage)

In the past month I did discover that this is a grsecurity issue; but I haven't been able to fix it. re-merging the blackdown-jdk package didn't help either. Currently I'm running a 2.6 kernel that doesn't have this patch enabled yet, and I don't experience the javavm crash.
Comment 3 Aron Griffis (RETIRED) gentoo-dev 2004-04-20 15:24:59 UTC
Reassigning to the grsecurity people.  Hopefully they have seen this and know how to fix it...
Comment 4 Kurt Lieber (RETIRED) gentoo-dev 2004-04-20 15:42:53 UTC
re-assigning to hardened, who handles grsec stuff.
Comment 5 Aron Griffis (RETIRED) gentoo-dev 2004-04-26 10:47:46 UTC
*** Bug 47343 has been marked as a duplicate of this bug. ***
Comment 6 solar (RETIRED) gentoo-dev 2004-04-26 11:41:59 UTC
I really need to document this some other place other than bugzilla as 
this bug has come up way too many times.

The java VM itself creates code at runtime. This by nature conflicts 
with everything that PAX is attempting to protect you from.

If you really must run this app (And I highly suggest you don't if you 
care about security) then you must use chpax/paxctl to disable memory protections on your java binaries in order to get them to run.

If your kernel supports EI_PAX flags then you can simply do
emerge chpax
rc-update add chpax default
or
chpax -vpeMrxs /opt/*-jdk-*/{jre,}bin/*

If your kernel supports PT_PAX_FLAGS then you need to apply the 
equivalent flags with paxctl on the java binaries.

Diederik,
Please confirm this so that I may mark this bug as INVALID.
Comment 7 Diederik van der Boor 2004-04-28 07:28:00 UTC
>If you kernel supports EI_PAX flags then you can simply do
>emerge chpax
>rc-update add chpax default
>or
>chpax -vpeMrxs /opt/*-jdk-*/{jre,}bin/*
>
>If your kernel supports PT_PAX_FLAGS then you need to apply the 
>equivalent flags with paxctl on the java binaries.
>
>Diederik,
>Please confirm this so that I may mark this bug as INVALID.

I've compiled the 2.4.25-gentoo-r2 kernel, run the chpax command line, but still have this issue.

Java crashes with signal 11, posts a list of libraries and ends with the error
"INTERNAL ERROR on Browser End: Could not read ack from browser
System error?:: Resource temporarily unavailable"


These are the pax/acl options from my kernel configuration.
# CONFIG_GRKERNSEC_PAX_SOFTMODE is not set
CONFIG_GRKERNSEC_PAX_EI_PAX=y
CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y
CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS=y
# CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_GRKERNSEC_PAX_HOOK_ACL_FLAGS is not set
# CONFIG_GRKERNSEC_PAX_NOEXEC is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

From the grep output, I notice there is a PAX_HOOK_ACL_FLAGS option, but I can't find it in the custom grsecurity setup. This confuses me, because I begin to feel this option must be on to have a correctly working pax system...
Comment 8 solar (RETIRED) gentoo-dev 2004-04-28 07:48:30 UTC
PAX_HOOK_ACL_FLAGS= only matters if you're using something like selinux/rsbac or 
otherwise. If you're using grsec (which it seems you are) then PAX_ACL_HOOK_FLAGS=
is set correctly. 
What's a URL to a webpage that crashes for you? I want to test it here.
Comment 9 Diederik van der Boor 2004-04-28 08:41:09 UTC
I always test with www.3fm.nl because they have an applet in their frontpage. I post this from a 2.6 (non-grsec) kernel, and I don't experience any crash. Under the 2.5.24-gentoo-r2 kernel, I get the crash. It only seems to happen if grsecurity is enabled, even though I apply the pax settings.
Comment 10 solar (RETIRED) gentoo-dev 2004-05-18 01:23:54 UTC
Please post the output of:

chpax -v /opt/*-jdk-*/{jre,}bin/*
paxctl -v /opt/*-jdk-*/{jre,}bin/*
Comment 11 Tobias Sager 2004-05-22 01:47:02 UTC
Why is this minor?

I removed grsec from my kernel because of this. It now runs just fine.
Comment 12 solar (RETIRED) gentoo-dev 2004-05-24 05:34:07 UTC
Tobias, 
It's minor because it's a user error. The error is simply the users are 
not setting the correct PaX flags or using an ACL/RBAC system. 

Runtime code generation is not allowed by PaX and java* itself works 
like a big set of shellcode and gets 'Killed' by the kernel, this is why
the user has to set pax flags to tell the kernel that PaX should allow
said app to misbehave.
Comment 13 Tobias Sager 2004-05-25 01:25:12 UTC
Solar, sounds absolutely reasonable.

Running
  chpax -vpeMrxs /opt/*-jdk-*/{jre/,}bin/*
(modified command from comment 6) fixed the problem for me (grsec 2.4.25 kernel on grsec medium setting).

Do you require the user to set those flags manually or should an ebuild do this (at least warn about it)?
Comment 14 solar (RETIRED) gentoo-dev 2004-09-08 18:15:30 UTC
You have to set them manually or open a bug with our java maintainers.
Closing bug as CANTFIX. (we don't maintain java)
Comment 15 Aron Griffis (RETIRED) gentoo-dev 2005-03-23 12:03:21 UTC
*** Bug 50881 has been marked as a duplicate of this bug. ***