pax.log reports:

Jun 20 12:29:31 devil kernel: PAX: execution attempt in: <anonymous mapping>, a5ddd000-a5e5d000 a5ddd000
Jun 20 12:29:31 devil kernel: PAX: terminating task: /usr/bin/xlock(xlock):28784, uid/euid: 1000/1000, PC: a5ddd010, SP: bed6d5dc
Jun 20 12:29:31 devil kernel: PAX: bytes at PC: 55 89 e5 81 e4 f0 ff ff ff 53 57 56 81 ec 74 07 00 00 8b 45
Jun 20 12:29:31 devil kernel: PAX: bytes at SP-4: 00000074 a6c3ae14 0c2b5c4c 0c424238 0c2abd48 00000000 00000018 00000074 0c2ab924 00000000 00000014 00000000 00000000 00000004 bed6d6b0 00000007 00000018 00000000 0000000c 00000000 00000000
Jun 20 15:14:55 devil kernel: PAX: execution attempt in: <anonymous mapping>, a53fd000-a6789000 a53fd000
Jun 20 15:14:55 devil kernel: PAX: terminating task: /usr/bin/xlock(xlock):2639, uid/euid: 1000/1000, PC: a53fd010, SP: b27f1e6c
Jun 20 15:14:55 devil kernel: PAX: bytes at PC: 55 89 e5 81 e4 f0 ff ff ff 53 57 56 81 ec 54 03 00 00 8b 45
Jun 20 15:14:55 devil kernel: PAX: bytes at SP-4: 00000054 a6c4ce14 0c0c5b24 0c263b08 0c0bbc28 00000000 0000001a 00000054 0c0bb804 00000000 0000000c 00000000 00000000 00000004 b27f1f40 00000003 0000001a 00000000 00000001 00000001 00000000
Jun 20 15:19:22 devil kernel: PAX: execution attempt in: <anonymous mapping>, 9c70b000-9da97000 9c70b000
Jun 20 15:19:22 devil kernel: PAX: terminating task: /usr/bin/xlock(xlock):8792, uid/euid: 1000/1000, PC: 9c70b010, SP: b29b090c
Jun 20 15:19:22 devil kernel: PAX: bytes at PC: 55 89 e5 81 e4 f0 ff ff ff 53 57 56 81 ec b4 03 00 00 8b 45
Jun 20 15:19:22 devil kernel: PAX: bytes at SP-4: 00000054 9df5ae14 09705a34 098814d8 096fbb38 00000000 00000034 00000054 096fb714 00000000 00000000 00000000 00000000 00000004 b29b09e0 00000003 00000034 00000000 00000001 00000001 00000000
Jun 20 15:19:27 devil kernel: PAX: execution attempt in: <anonymous mapping>, a585c000-a58dc000 a585c000
Jun 20 15:19:27 devil kernel: PAX: terminating task: /usr/bin/xlock(xlock):8913, uid/euid: 1000/1000, PC: a585c010, SP: b3ba88bc
Jun 20 15:19:27 devil kernel: PAX: bytes at PC: 55 89 e5 81 e4 f0 ff ff ff 53 57 56 81 ec 74 07 00 00 8b 45
Jun 20 15:19:27 devil kernel: PAX: bytes at SP-4: 00000074 a66b9e14 0c03b3f4 0c1a98c0 0c0314e8 00000000 00000018 00000074 0c0310c4 00000000 00000014 00000000 00000000 00000004 b3ba8990 00000007 00000018 00000000 0000000c 00000000 00000000
Jun 20 15:21:48 devil kernel: PAX: execution attempt in: <anonymous mapping>, acf7a000-ad906000 acf7a000
Jun 20 15:21:48 devil kernel: PAX: terminating task: /usr/bin/xlock(xlock):9395, uid/euid: 1000/1000, PC: acf7a010, SP: bcb0b47c
Jun 20 15:21:48 devil kernel: PAX: bytes at PC: 55 89 e5 81 e4 f0 ff ff ff 53 57 56 81 ec 44 06 00 00 8b 45
Jun 20 15:21:48 devil kernel: PAX: bytes at SP-4: 00000064 addc9e14 0a9c0e2c 0abf6c18 0a9b59f0 00000000 00000004 00000064 0a9b55cc 00000000 00000000 00000000 00000000 00000004 bcb0b550 00000007 00000004 00000000 00000001 00000001 00000000

It happens sometimes; it is not always reproducible.

Portage 2.1.12.2 (default/linux/x86/13.0, gcc-4.6.3, glibc-2.15-r3, 3.2.42-hardened-r1 i686)
=================================================================
System uname: Linux-3.2.42-hardened-r1-i686-Intel-R-_Celeron-R-_M_CPU_430_@_1.73GHz-with-gentoo-2.2
KiB Mem: 2060284 total, 1290144 free
KiB Swap: 1048572 total, 1048572 free
Timestamp of tree: Wed, 19 Jun 2013 09:30:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash: 4.2_p45
dev-lang/python: 2.7.3-r3
dev-util/cmake: 2.8.10.2-r2
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.11.8
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.12.6
sys-devel/binutils: 2.22-r1
sys-devel/gcc: 4.6.3
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc: 2.15-r3
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium-m -g0"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=pentium-m -g0"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp/"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac acl alsa berkdb bzip2 cairo cli consolekit cracklib crypt cxx dbus dri fortran gdbm gpm gudev iconv imlib jpeg jpeg2k lame modules mudflap ncurses nptl ogg opengl openmp pam pax_kernel pcre png policykit readline session ssl tcpd tiff unicode vorbis wicd x86 zlib"
ABI_X86="32"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="keyboard mouse evdev synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-3"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7"
RUBY_TARGETS="ruby19 ruby18"
USERLAND="GNU"
VIDEO_CARDS="intel"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
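An added triage example, not part of the bug report and not code from Gentoo or PaX: it parses the `PAX:` kernel lines quoted in the report, computes where PC falls inside the reported mapping, and groups kills by binary, mapping, PC offset and the leading bytes at PC, so repeated kills can be recognised as one recurring event. The function names and the 14-byte prefix length are assumptions of this example; the sample is the first two kills from the report with the SP-4 lines left out.

```python
import re
from collections import defaultdict

# Sample input: the first two kills from the report above, SP-4 lines left out.
SAMPLE = """\
Jun 20 12:29:31 devil kernel: PAX: execution attempt in: <anonymous mapping>, a5ddd000-a5e5d000 a5ddd000
Jun 20 12:29:31 devil kernel: PAX: terminating task: /usr/bin/xlock(xlock):28784, uid/euid: 1000/1000, PC: a5ddd010, SP: bed6d5dc
Jun 20 12:29:31 devil kernel: PAX: bytes at PC: 55 89 e5 81 e4 f0 ff ff ff 53 57 56 81 ec 74 07 00 00 8b 45
Jun 20 15:14:55 devil kernel: PAX: execution attempt in: <anonymous mapping>, a53fd000-a6789000 a53fd000
Jun 20 15:14:55 devil kernel: PAX: terminating task: /usr/bin/xlock(xlock):2639, uid/euid: 1000/1000, PC: a53fd010, SP: b27f1e6c
Jun 20 15:14:55 devil kernel: PAX: bytes at PC: 55 89 e5 81 e4 f0 ff ff ff 53 57 56 81 ec 54 03 00 00 8b 45
"""

ATTEMPT = re.compile(r"PAX: execution attempt in: (.+?), ([0-9a-f]+)-([0-9a-f]+) ")
TASK = re.compile(r"PAX: terminating task: (\S+)\(\w+\):(\d+), uid/euid: (\d+)/\d+, PC: ([0-9a-f]+),")
CODE = re.compile(r"PAX: bytes at PC: ((?:[0-9a-f]{2} ?)+)")

# Assumption of this example: 14 bytes cover the i386 prologue seen in the report
# (push ebp; mov ebp,esp; and esp,-16; push ebx/edi/esi; sub esp opcode) and stop
# before the frame-size immediate, which differs between kills.
PREFIX_LEN = 14

def parse_events(text):
    """Return one dict per kill, built from its consecutive PAX: lines."""
    events, cur = [], None
    for line in text.splitlines():
        if m := ATTEMPT.search(line):
            cur = {"mapping": m[1], "start": int(m[2], 16), "end": int(m[3], 16)}
            events.append(cur)
        elif cur is not None and (m := TASK.search(line)):
            pc = int(m[4], 16)
            cur.update(path=m[1], pid=int(m[2]), uid=int(m[3]), pc=pc,
                       pc_offset=pc - cur["start"], pc_in_mapping=cur["start"] <= pc < cur["end"])
        elif cur is not None and (m := CODE.search(line)):
            cur["code"] = bytes.fromhex(m[1])
    return events

def cluster(events):
    """Group PIDs by (binary, mapping kind, PC offset, code prefix)."""
    groups = defaultdict(list)
    for e in events:
        if "pc" in e and "code" in e:  # skip records with missing lines
            key = (e["path"], e["mapping"], e["pc_offset"], e["code"][:PREFIX_LEN].hex())
            groups[key].append(e["pid"])
    return dict(groups)

if __name__ == "__main__":
    for key, pids in cluster(parse_events(SAMPLE)).items():
        print(len(pids), "kill(s)", key, pids)
```

Both sample kills fall into a single group at offset 0x10 of their mapping, even though the mapping addresses and the stack-frame size differ between runs.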
So are you using a pax enabled kernel on a non-pax profile? That would cause problems. I don't think that is something supportable though.
(In reply to Matthew Thode ( prometheanfire ) from comment #1)
> So are you using a pax enabled kernel on a non-pax profile? That would
> cause problems. I don't think that is something supportable though.

I don't understand what you mean by pax-profile
(In reply to Agostino Sarubbo from comment #2)
> (In reply to Matthew Thode ( prometheanfire ) from comment #1)
> > So are you using a pax enabled kernel on a non-pax profile? That would
> > cause problems. I don't think that is something supportable though.
>
> I don't understand what you mean by pax-profile

s/pax/hardened

do we expect pax to work on non-hardened profiles?
(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> (In reply to Agostino Sarubbo from comment #2)
> > (In reply to Matthew Thode ( prometheanfire ) from comment #1)
> > > So are you using a pax enabled kernel on a non-pax profile? That would
> > > cause problems. I don't think that is something supportable though.
> >
> > I don't understand what you mean by pax-profile
>
> s/pax/hardened
>
> do we expect pax to work on non-hardened profiles?

Why not? For what you are saying, pax should be able to work only on gentoo..
(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> (In reply to Agostino Sarubbo from comment #2)
> > (In reply to Matthew Thode ( prometheanfire ) from comment #1)
> > > So are you using a pax enabled kernel on a non-pax profile? That would
> > > cause problems. I don't think that is something supportable though.
> >
> > I don't understand what you mean by pax-profile
>
> s/pax/hardened
>
> do we expect pax to work on non-hardened profiles?

Why would xlock, compiled with a vanilla toolchain, die with exec attempts in anon mappings whereas xlock compiled with a hardened toolchain be fine? It's not clear what's at the bottom of this. I have not tried to reproduce.
(In reply to Anthony Basile from comment #5)
> (In reply to Matthew Thode ( prometheanfire ) from comment #3)
> > (In reply to Agostino Sarubbo from comment #2)
> > > (In reply to Matthew Thode ( prometheanfire ) from comment #1)
> > > > So are you using a pax enabled kernel on a non-pax profile? That would
> > > > cause problems. I don't think that is something supportable though.
> > >
> > > I don't understand what you mean by pax-profile
> >
> > s/pax/hardened
> >
> > do we expect pax to work on non-hardened profiles?
>
> Why would xlock, compiled with a vanilla toolchain, die with exec attempts in
> anon mappings whereas xlock compiled with a hardened toolchain be fine? It's
> not clear what's at the bottom of this. I have not tried to reproduce.

Ago, can you paste the ldd output of your xlock? Mainly to see if it is linked against one of the usual offenders.
(In reply to Francisco Blas Izquierdo Riera from comment #6)
> (In reply to Anthony Basile from comment #5)
> > (In reply to Matthew Thode ( prometheanfire ) from comment #3)
> > > (In reply to Agostino Sarubbo from comment #2)
> > > > (In reply to Matthew Thode ( prometheanfire ) from comment #1)
> > > > > So are you using a pax enabled kernel on a non-pax profile? That would
> > > > > cause problems. I don't think that is something supportable though.
> > > >
> > > > I don't understand what you mean by pax-profile
> > >
> > > s/pax/hardened
> > >
> > > do we expect pax to work on non-hardened profiles?
> >
> > Why would xlock, compiled with a vanilla toolchain, die with exec attempts in
> > anon mappings whereas xlock compiled with a hardened toolchain be fine? It's
> > not clear what's at the bottom of this. I have not tried to reproduce.
>
> Ago, can you paste the ldd output of your xlock? Mainly to see if it is
> linked against one of the usual offenders.

It's a long list below, but if it linked against one of the offenders, it would equally fail if built under a hardened profile unless USE=jit or one of those flags were on, and I asked ago to turn off those, as well as enable pax_kernel.

linux-vdso.so.1 (0x00007fff51342000)
libXpm.so.4 => /usr/lib64/libXpm.so.4 (0x00007f6fea021000)
libMagickCore.so.5 => /usr/lib64/libMagickCore.so.5 (0x00007f6fe9b5e000)
libftgl.so.2 => /usr/lib64/libftgl.so.2 (0x00007f6fe992b000)
libGL.so.1 => /usr/lib64/libGL.so.1 (0x00007f6fe96a0000)
libGLU.so.1 => /usr/lib64/libGLU.so.1 (0x00007f6fe9413000)
libXext.so.6 => /usr/lib64/libXext.so.6 (0x00007f6fe91ff000)
libXinerama.so.1 => /usr/lib64/libXinerama.so.1 (0x00007f6fe8ffc000)
libaudio.so.2 => /usr/lib64/libaudio.so.2 (0x00007f6fe8ddf000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f6fe8ba8000)
libX11.so.6 => /usr/lib64/libX11.so.6 (0x00007f6fe8856000)
libstdc++.so.6 => /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/libstdc++.so.6 (0x00007f6fe8538000)
libm.so.6 => /lib64/libm.so.6 (0x00007f6fe8242000)
libgcc_s.so.1 => /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/libgcc_s.so.1 (0x00007f6fe802b000)
libc.so.6 => /lib64/libc.so.6 (0x00007f6fe7c82000)
libfftw3.so.3 => /usr/lib64/libfftw3.so.3 (0x00007f6fe78ec000)
libfontconfig.so.1 => /usr/lib64/libfontconfig.so.1 (0x00007f6fe76b0000)
libfreetype.so.6 => /usr/lib64/libfreetype.so.6 (0x00007f6fe7403000)
libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f6fe71f3000)
libz.so.1 => /lib64/libz.so.1 (0x00007f6fe6fdc000)
libgomp.so.1 => /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/libgomp.so.1 (0x00007f6fe6dcb000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f6fe6bae000)
libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f6fe69a2000)
libglapi.so.0 => /usr/lib64/libglapi.so.0 (0x00007f6fe674d000)
libXdamage.so.1 => /usr/lib64/libXdamage.so.1 (0x00007f6fe654a000)
libXfixes.so.3 => /usr/lib64/libXfixes.so.3 (0x00007f6fe6343000)
libX11-xcb.so.1 => /usr/lib64/libX11-xcb.so.1 (0x00007f6fe6141000)
libxcb-glx.so.0 => /usr/lib64/libxcb-glx.so.0 (0x00007f6fe5f21000)
libxcb-dri2.so.0 => /usr/lib64/libxcb-dri2.so.0 (0x00007f6fe5d1b000)
libxcb.so.1 => /usr/lib64/libxcb.so.1 (0x00007f6fe5af3000)
libXxf86vm.so.1 => /usr/lib64/libXxf86vm.so.1 (0x00007f6fe58ed000)
libdrm.so.2 => /usr/lib64/libdrm.so.2 (0x00007f6fe56df000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f6fe54db000)
libXt.so.6 => /usr/lib64/libXt.so.6 (0x00007f6fe526b000)
libXau.so.6 => /usr/lib64/libXau.so.6 (0x00007f6fe5067000)
/lib64/ld-linux-x86-64.so.2 (0x00007f6fea234000)
libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x00007f6fe4e39000)
librt.so.1 => /lib64/librt.so.1 (0x00007f6fe4c30000)
libXdmcp.so.6 => /usr/lib64/libXdmcp.so.6 (0x00007f6fe4a29000)
libSM.so.6 => /usr/lib64/libSM.so.6 (0x00007f6fe4820000)
libICE.so.6 => /usr/lib64/libICE.so.6 (0x00007f6fe4603000)
libuuid.so.1 => /lib64/libuuid.so.1 (0x00007f6fe43fe000)
(In reply to Francisco Blas Izquierdo Riera from comment #6)
> Ago, can you paste the ldd output of your xlock? Mainly to see if it is
> linked against one of the usual offenders.

linux-gate.so.1 (0xa09fd000)
libXpm.so.4 => /usr/lib/libXpm.so.4 (0xa09df000)
libGL.so.1 => /usr/lib/libGL.so.1 (0xa0981000)
libGLU.so.1 => /usr/lib/libGLU.so.1 (0xa08f9000)
libXext.so.6 => /usr/lib/libXext.so.6 (0xa08e6000)
libpam.so.0 => /lib/libpam.so.0 (0xa08d7000)
libX11.so.6 => /usr/lib/libX11.so.6 (0xa0793000)
libstdc++.so.6 => /usr/lib/gcc/i686-pc-linux-gnu/4.6.3/libstdc++.so.6 (0xa06ab000)
libm.so.6 => /lib/libm.so.6 (0xa0680000)
libgcc_s.so.1 => /usr/lib/gcc/i686-pc-linux-gnu/4.6.3/libgcc_s.so.1 (0xa0662000)
libc.so.6 => /lib/libc.so.6 (0xa04be000)
libglapi.so.0 => /usr/lib/libglapi.so.0 (0xa04a8000)
libXdamage.so.1 => /usr/lib/libXdamage.so.1 (0xa04a4000)
libXfixes.so.3 => /usr/lib/libXfixes.so.3 (0xa049e000)
libX11-xcb.so.1 => /usr/lib/libX11-xcb.so.1 (0xa049b000)
libxcb-glx.so.0 => /usr/lib/libxcb-glx.so.0 (0xa0481000)
libxcb-dri2.so.0 => /usr/lib/libxcb-dri2.so.0 (0xa047b000)
libxcb.so.1 => /usr/lib/libxcb.so.1 (0xa0458000)
libXxf86vm.so.1 => /usr/lib/libXxf86vm.so.1 (0xa0451000)
libdrm.so.2 => /usr/lib/libdrm.so.2 (0xa0444000)
libpthread.so.0 => /lib/libpthread.so.0 (0xa0428000)
libdl.so.2 => /lib/libdl.so.2 (0xa0423000)
/lib/ld-linux.so.2 (0xa09fe000)
libXau.so.6 => /usr/lib/libXau.so.6 (0xa041f000)
libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0xa0418000)
librt.so.1 => /lib/librt.so.1 (0xa040e000)
I dare say this is obsolete by now. Let us know if it's not. I can't personally test with PaX.