Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 641438 - >=sys-libs/compiler-rt-4.0.1 fails test suite on PAX hardened kernels
Summary: >=sys-libs/compiler-rt-4.0.1 fails test suite on PAX hardened kernels
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: LLVM support project
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2017-12-17 07:52 UTC by Hermila Hoover
Modified: 2018-01-23 20:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
paxmark failing tests (sys-libs-compiler-rt-4.0.1-PAX-mark-test-suite.patch,2.48 KB, patch)
2017-12-17 07:52 UTC, Hermila Hoover 		Details | Diff
compiler-rt-5.0.1-PAX-mark-test-suite.patch (file_641438.txt,3.98 KB, patch)
2018-01-20 11:23 UTC, Hermila Hoover 		Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hermila Hoover 2017-12-17 07:52:12 UTC 
Created attachment 510418 [details, diff]
paxmark failing tests

sys-libs/compiler-rt-4.0.1 fails the two tests

* test/builtins/Unit/enable_execute_stack_test and
* test/builtins/Unit/clear_cache_test

due to PAX feature MPROTECT. dmesg reads

grsec: denied RWX mprotect of <stack> by /var/tmp/portage/sys-libs/compiler-rt-4.0.1/work/compiler-rt-4.0.1.src/test/builtins/Unit/enable_execute_stack_test[enable_execute_:16130] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/gmake[make:15431] uid/euid:250/250 gid/egid:250/250
PAX: execution attempt in: <stack>, ff831000-ff856000 3fffffda000
grsec: denied RWX mprotect of /var/tmp/portage/sys-libs/compiler-rt-4.0.1/work/compiler-rt-4.0.1.src/test/builtins/Unit/clear_cache_test by /var/tmp/portage/sys-libs/compiler-rt-4.0.1/work/compiler-rt-4.0.1.src/test/builtins/Unit/clear_cache_test[clear_cache_tes:16138] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/gmake[make:15431] uid/euid:250/250 gid/egid:250/250

Attached a patch for the 4.0.1 ebuild to call paxmark.sh on the executable before running. It modifies the Makefile generated by the ebuild to include that paxmark.sh call. Note that the tests for 5.0.1 are handled by lit/CMake and not by an ebuild generated Makefile so another solution has to be found.

PS: Yes, I know that there is no PAX hardened kernel in the official tree anymore. It would nevertheless be nice if you paxmark the above tests. Thanks!
Comment 1 Hermila Hoover 2018-01-20 11:23:18 UTC 
Created attachment 515350 [details, diff]
compiler-rt-5.0.1-PAX-mark-test-suite.patch

Updated patch for compiler-rt-5.0.1. Note that running the tests is now done by the build system (more precisely by lit) and not by the ebuild any more.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-01-20 11:59:12 UTC 
I will not carry a patch for this locally. Please take it to LLVM upstream. Besides, I don't undertand why you're using some fancy tooling instead of regular paxctl.
Comment 3 Hermila Hoover 2018-01-23 20:52:18 UTC 
> I will not carry a patch for this locally. Please take it to LLVM upstream. 

Ok, thanks for the reply.

> Besides, I don't undertand why you're using some fancy tooling instead of regular paxctl.

That's simple: because all the ebuild use it if they need to deal with pax markings and cannot use the eclass pax-utils (e.g. because the call is done in a Makefile). None if them uses your suggested paxctl. I'm sorry if that's not the modern approach but documentation is scare about this subject so suggestions are welcome.