Bug 483242 - kde-base/kmail-4.11.0 denied RWX mmap
Status: RESOLVED TEST-REQUEST
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2013-09-01 06:55 UTC by Michael Rowell
Modified: 2015-10-10 17:43 UTC
Description Michael Rowell 2013-09-01 06:55:58 UTC
KMail crashes on startup with vanilla-sources patched with grsec. Solution is to 

paxctl-ng -m /usr/bin/kmail

[ 5940.624584] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/kmail[kmail:5006] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kmail[kmail:5005] uid/euid:1000/1000 gid/egid:1000/1000

$ emerge --info kmail
Portage 2.2.1 (hardened/linux/amd64, gcc-4.8.1, glibc-2.17, 3.10.10-ck1-grsec x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.10.10-ck1-grsec-x86_64-Intel-R-_Core-TM-_i5-2520M_CPU_@_2.50GHz-with-gentoo-2.2
KiB Mem:    16245824 total,  11071740 free
KiB Swap:          0 total,         0 free
Timestamp of tree: Sat, 31 Aug 2013 14:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
ccache version 3.1.9 [enabled]
app-shells/bash:          4.2_p45
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.5-r2, 3.3.2-r2
dev-util/ccache:          3.1.9
dev-util/cmake:           2.8.11.1
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.4, 1.14
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.8.1
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.10 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo x-portage qt ROKO__
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA @FREE Intel-SDP"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=corei7-avx -O2 -pipe -flto=4 -floop-interchange -ftree-loop-distribution -floop-strip-mine -floop-block -ftree-vectorize"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0 /usr/share/themes/oxygen-gtk/gtk-3.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=corei7-avx -O2 -pipe -flto=4 -floop-interchange -ftree-loop-distribution -floop-strip-mine -floop-block -ftree-vectorize"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--jobs=4 --load-average=4.00 --keep-going"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.arcticnetwork.ca/ http://gentoo.llarian.net/ ftp://gentoo.llarian.net/pub/gentoo http://gentoo.gossamerhost.com http://gentoo.mirrors.tera-byte.com/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,--as-needed,-O1 -flto=4"
MAKEOPTS="-j4 -l4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /var/lib/layman/qt /var/lib/layman/ROKO__"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 avx berkdb bluetooth bzip2 cli colord consolekit cracklib crypt cups cxx dbus declarative dri dts exif ffmpeg flac gdbm gif google gstreamer hardened iconv iproute2 ipv6 jpeg jpeg2k justify kde kipi libass lightdm lzma matroska mmx modules mp3 mpeg mudflap multilib ncurses netlink networkmanager nls nptl offensive ogg openexr opengl openmp orc pam pax_kernel pcre phonon plasma png policykit pulseaudio qt3support qt4 readline semantic-desktop session sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 startup-notification svg tcpd theora threads tiff truetype udev unicode urandom usb vaapi vorbis x264 xattr xcomposite xinerama xscreensaver xvid xvmc zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="canon directory fuji ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="evdev synaptics wacom" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console 
presenter-minimizer" LINGUAS="en en_US en_GB" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="intel i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 3.3"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

kde-base/kmail-4.11.0 was built with the following:
USE="handbook kontact (-aqua) -debug -test"
CFLAGS="-march=corei7-avx -O2 -pipe -fno-lto -ggdb"
CXXFLAGS="-march=corei7-avx -O2 -pipe -fno-lto -ggdb"
LDFLAGS="-Wl,--as-needed,-O1 -fno-lto"
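
An added example, not part of the original bug report: a small parser for the grsec "denied RWX mmap" format quoted above, which groups denials by executable so that each candidate for a `paxctl-ng -m` exemption is listed once and anything denied while running as root stands out for review. The regex covers only the field layout shown in this report; every sample line except the first is constructed, and `/usr/bin/example-daemon` is a hypothetical name.

```python
import re
from collections import defaultdict

# Field layout taken from the grsec line quoted in the bug description.
DENIAL = re.compile(
    r"grsec: denied RWX mmap of (?P<target>.+?) by "
    r"(?P<exe>/\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<parent>/\S+)\["
)

def parse_denials(lines):
    """Return one dict per 'denied RWX mmap' line; unrelated lines are skipped."""
    found = []
    for line in lines:
        m = DENIAL.search(line)
        if m:
            rec = m.groupdict()
            for key in ("pid", "uid", "euid"):
                rec[key] = int(rec[key])
            found.append(rec)
    return found

def summarize(denials):
    """Group denials by executable so each candidate exemption is listed once."""
    summary = defaultdict(lambda: {"count": 0, "euids": set(), "targets": set()})
    for rec in denials:
        entry = summary[rec["exe"]]
        entry["count"] += 1
        entry["euids"].add(rec["euid"])
        entry["targets"].add(rec["target"])
    return dict(summary)

def root_run(summary):
    """Executables denied while running with euid 0: review before exempting."""
    return sorted(exe for exe, e in summary.items() if 0 in e["euids"])

# First line is the one from the bug report; the others are constructed samples.
SAMPLE_LOG = [
    "[ 5940.624584] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/kmail[kmail:5006] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kmail[kmail:5005] uid/euid:1000/1000 gid/egid:1000/1000",
    "[ 6012.100001] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/kmail[kmail:5100] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kmail[kmail:5099] uid/euid:1000/1000 gid/egid:1000/1000",
    "[ 6100.000002] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/example-daemon[example-daemon:777] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "[ 6101.000003] usb 1-1: new high-speed USB device number 4 using ehci-pci",
]

if __name__ == "__main__":
    report = summarize(parse_denials(SAMPLE_LOG))
    for exe, entry in sorted(report.items()):
        print(f"{exe}: {entry['count']} denial(s), targets={sorted(entry['targets'])}")
    print("ran as root:", root_run(report))
```

On a live system the same functions can be fed the lines of the kernel log instead of `SAMPLE_LOG`.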
Comment 1 Ondřej Guth 2014-08-17 11:30:31 UTC
The same problem with kde-base/kmail-4.13.3.

emerge --info
Portage 2.2.12 (python 3.3.5-final-0, hardened/linux/amd64, gcc-4.7.3, glibc-2.19-r1, 3.13.8-hardened-r2 x86_64)
=================================================================
System uname: Linux-3.13.8-hardened-r2-x86_64-Intel-R-_Core-TM-_i5-2520M_CPU_@_2.50GHz-with-gentoo-2.2
KiB Mem:     3988444 total,   2345112 free
KiB Swap:          0 total,         0 free
Timestamp of tree: Sat, 16 Aug 2014 17:15:01 +0000
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash:          4.2_p47
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.8, 3.2.5-r2, 3.3.5-r1, 3.4.1
dev-util/cmake:           2.8.12.2-r1
dev-util/pkgconfig:       0.28-r2
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.4, 1.14.1
sys-devel/binutils:       2.24-r3
sys-devel/gcc:            4.7.3, 4.8.3
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2-r1
sys-devel/make:           4.0-r1
sys-kernel/linux-headers: 3.16 (virtual/os-headers)
sys-libs/glibc:           2.19-r1
Repositories: gentoo xmw luman voyageur
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA AdobeFlash-11.x skype-4.0.0.7-copyright"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="${CONFIG_PROTECT} /etc /etc/idea/conf /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0 /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--jobs=4 --load-average=3.5"
FCFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
GENTOO_MIRRORS="rsync://gentoo.mirror.dkm.cz/gentoo/ http://gentoo.mirror.dkm.cz/pub/gentoo/ rsync://ftp.fi.muni.cz/pub/linux/gentoo/ http://gentoo.supp.name/ http://gentoo.mirror.web4u.cz/"
LANG="en_GB.utf8"
LC_ALL="en_GB.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="--jobs=5 --load-average=4.1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/xmw /var/lib/layman/luman /var/lib/layman/voyageur"
SYNC="rsync://rsync.cz.gentoo.org/gentoo-portage"
USE="X acl acpi alsa amd64 avx bash-completion berkdb bzip2 cli cracklib crypt custom-cflags custom-cpuopts custom-optimization cxx dri dvb exif fam gdbm glamor hardened iconv ipv6 jit justify kde lm_sensors mmx modules multilib ncurses nls nptl opengl openmp pam pax_kernel pcre qt3support readline semantic-desktop session spell sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 system-cairo system-icu tcpd unicode urandom uxa v4l vaapi vdpau wifi xa xcb xorg xtpax xv xvmc zlib" ABI_X86="64" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DVB_CARDS="usb-af9015" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en_GB cs" NETBEANS_MODULES="enterprise java" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="intel i965 nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark 
ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 2 Anthony Basile gentoo-dev 2014-08-17 14:23:51 UTC
(In reply to Michael Rowell from comment #0)
> KMail crashes on startup with vanilla-sources patched with grsec. Solution
> is to 
> 
> paxctl-ng -m /usr/bin/kmail
> 

Why are you not using a hardened-sources kernel?  While I suspect that it might crash for the same reason on a hardened-sources kernel, I really can't reproduce the issue and so I'm not sure we're not comparing apples and oranges.
Comment 3 Michael Rowell 2014-08-17 18:13:58 UTC
(In reply to Anthony Basile from comment #2)
> (In reply to Michael Rowell from comment #0)
> > KMail crashes on startup with vanilla-sources patched with grsec. Solution
> > is to 
> > 
> > paxctl-ng -m /usr/bin/kmail
> > 
> 
> Why are you not using a hardened-sources kernel?  While I suspect that it
> might crash for the same reason on a hardened-sources kernel, I really can't
> reproduce the issue and so I'm not sure we're not comparing apples and
> oranges.

In my case, because it was easier to apply Con Kolivas' patchset *before* grsec's. Fewer patch failures to correct.

You may note that Ondřej *was* using hardened sources, along with a more recent version of kmail. Further, the problem here is that there are no PAX markings on the relevant KDE binaries (possibly because they didn't apply during emerge, I'm not sure because it's been a long time and I've stopped using grsec/PAX and KMail in the meantime, but I do seem to remember having such problems). Hence, they crash under a seemingly standard implementation of PAX (along with several other KDE binaries as per my other bug, #483236).

So unless Hardened is significantly modifying PAX in such a way as to cause effective suppression of these errors, then I believe the *technically* correct course of action would be to apply the correct PAX markings in the ebuild. Correct me if I'm wrong.

All that said, frankly I've stopped caring. No one responded to either bug, so I made do with paxctl'ing the relevant binaries every time I upgraded KDE (but after running them once, to make sure they still crashed [they did]). I have long since stopped using PAX/GRSec, and further, my main Gentoo system is recently dead, so at present I can't really do anything else to help except to provide my recollection, as I have done here.

Sorry.
Comment 4 Anthony Basile gentoo-dev 2014-08-17 20:38:25 UTC
(In reply to Michael Rowell from comment #3)
> (In reply to Anthony Basile from comment #2)
> > (In reply to Michael Rowell from comment #0)
> > > KMail crashes on startup with vanilla-sources patched with grsec. Solution
> > > is to 
> > > 
> > > paxctl-ng -m /usr/bin/kmail
> > > 
> > 
> > Why are you not using a hardened-sources kernel?  While I suspect that it
> > might crash for the same reason on a hardened-sources kernel, I really can't
> > reproduce the issue and so I'm not sure we're not comparing apples and
> > oranges.
> 
> In my case, because it was easier to apply Con Kolivas' patchset *before*
> grsec's. Fewer patch failures to correct.
> 
> You may note that Ondřej *was* using hardened sources, along with a more
> recent version of kmail. Further, the problem here is that there are no PAX
> markings on the relevant KDE binaries (possibly because they didn't apply
> during emerge, I'm not sure because it's been a long time and I've stopped
> using grsec/PAX and KMail in the meantime, but I do seem to remember having
> such problems). Hence, they crash under a seemingly standard implementation
> of PAX (along with several other KDE binaries as per my other bug, #483236).

Sorry it fell off my radar.  I'll take care of it now.

> 
> So unless Hardened is significantly modifying PAX in such a way as to cause
> effective suppression of these errors, then I believe the *technically*
> correct course of action would be to apply the correct PAX markings in the
> ebuild. Correct me if I'm wrong.

No, it's a question of which version of the pax patches you're using.  The pax patches themselves change over time, so if you apply your own, I can't figure out which version we're talking about.

> 
> All that said, frankly I've stopped caring. No one responded to either bug,
> so I made do with paxctl'ing the relevant binaries every time I upgraded KDE
> (but after running them once, to make sure they still crashed [they did]). I
> have long since stopped using PAX/GRSec, and further, my main Gentoo system
> is recently dead, so at present I can't really do anything else to help
> except to provide my recollection, as I have done here.
> 
> Sorry.

Don't be afraid to ping me.  I'm very busy and sometimes I overlook a bug.
Comment 5 Anthony Basile gentoo-dev 2014-08-18 06:33:15 UTC
As noted in bug #483236, this only seems to be a problem on some video cards.  We're still not 100% sure which cards work and which don't.
Comment 6 Michael Palimaka (kensington) gentoo-dev 2015-07-22 14:54:19 UTC
Is this still an issue?