Bug 694100 - net-libs/nodejs-12.10.0 on a pax-enabled (grsecurity) kernel - #FailureMessage Object: 0x72d4f41ff200/bin/sh: line 1: 17291 Illegal instruction ".../work/node-v12.10.0/out/Release/mkcodecache" ".../work/node-v12.10.0/out/Release/obj/gen/node_code_cach
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: William Hubbs
Keywords: PATCH

Reported: 2019-09-11 20:05 UTC by Attila Tóth
Modified: 2023-10-18 16:37 UTC
Runtime testing required: ---


Attachments
node-v12.8.1-mknodecache-node_mksnapshot.patch (node-v12.8.1-mkcodecache-node_mksnapshot.patch,2.45 KB, patch)
2019-09-11 20:30 UTC, Attila Tóth
Add actions to pax mark needed files (nodejs-paxmarking.patch,2.65 KB, patch)
2019-11-12 20:49 UTC, Magnus Granberg
mksnapshot_paxmark.patch (mksanpshot_paxmark.patch,1.68 KB, patch)
2019-12-11 23:16 UTC, Attila Tóth
Updated patch to pax mark needed files (nodejs-paxmarking.patch,4.11 KB, patch)
2019-12-17 21:25 UTC, Magnus Granberg
nodejs-16.4.2-paxmarking.patch (nodejs-16.4.2-paxmarking.patch,4.16 KB, patch)
2022-05-03 17:19 UTC, Attila Tóth
nodejs-18.0.0-paxmarking.patch (nodejs-18.0.0-paxmarking.patch,4.24 KB, patch)
2022-05-03 17:20 UTC, Attila Tóth
nodejs-18.3.0-paxmarking.patch (nodejs-18.3.0-paxmarking.patch,3.23 KB, patch)
2022-06-10 06:32 UTC, Attila Tóth
nodejs-20.3.0-paxmarking.patch (nodejs-20.3.0-paxmarking.patch,3.28 KB, patch)
2023-10-06 18:03 UTC, Attila Tóth

Description Attila Tóth 2019-09-11 20:05:56 UTC
x86_64-pc-linux-gnu-g++ -o /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache -pthread -rdynamic -m64 -Wl,-z,noexecstack -Wl,--whole-archive /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_snapshot.a -Wl,--no-whole-archive -Wl,-z,relro -Wl,-z,now -Wl,-O1 -Wl,--as-needed -Wl,--start-group /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/mkcodecache/src/node_snapshot_stub.o /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/mkcodecache/src/node_code_cache_stub.o /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/mkcodecache/tools/code_cache/mkcodecache.o /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/mkcodecache/tools/code_cache/cache_builder.o /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/libnode.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/deps/histogram/libhistogram.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_libplatform.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/deps/llhttp/libllhttp.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/deps/brotli/libbrotli.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_base_without_compiler.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_libbase.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_libsampler.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_compiler.a 
/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_snapshot.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_initializers.a -lz -lhttp_parser -luv -lcares -lnghttp2 -lcrypto -lssl -licui18n -licuuc -licudata -ldl -lrt -Wl,--end-group
  x86_64-pc-linux-gnu-g++ -o /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/node_mksnapshot -pthread -rdynamic -m64 -Wl,-z,noexecstack -Wl,--whole-archive /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_snapshot.a -Wl,--no-whole-archive -Wl,-z,relro -Wl,-z,now -Wl,-O1 -Wl,--as-needed -Wl,--start-group /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/node_mksnapshot/src/node_snapshot_stub.o /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/node_mksnapshot/src/node_code_cache_stub.o /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/node_mksnapshot/tools/snapshot/node_mksnapshot.o /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/node_mksnapshot/tools/snapshot/snapshot_builder.o /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/libnode.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/deps/histogram/libhistogram.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_libplatform.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/deps/llhttp/libllhttp.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/deps/brotli/libbrotli.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_base_without_compiler.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_libbase.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_libsampler.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_compiler.a 
/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_snapshot.a /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj.target/tools/v8_gypfiles/libv8_initializers.a -lz -lhttp_parser -luv -lcares -lnghttp2 -lcrypto -lssl -licui18n -licuuc -licudata -ldl -lrt -Wl,--end-group
  LD_LIBRARY_PATH=/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/lib.host:/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/lib.target:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH; cd ../.; mkdir -p /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj/gen; "/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache" "/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj/gen/node_code_cache.cc"
  LD_LIBRARY_PATH=/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/lib.host:/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/lib.target:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH; cd ../.; mkdir -p /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj/gen; "/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/node_mksnapshot" "/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj/gen/node_snapshot.cc"


#
# Fatal error in , line 0
# Check failed: reservation_.SetPermissions(protect_start, protect_size, permission).
#
#
#
#FailureMessage Object: 0x7530cb29d8e0
==== C stack trace ===============================

    /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache(v8::base::debug::StackTrace::StackTrace()+0x16) [0x1a3e14dd1366]
    /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache(+0x743d8b) [0x1a3e1478fd8b]
    /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache(V8_Fatal(char const*, ...)+0x179) [0x1a3e14dcc8f9]
    /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache(+0x8e6ef3) [0x1a3e14932ef3]
    /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache(v8::internal::PagedSpace::SetReadAndExecutable()+0x97) [0x1a3e149358c7]
    /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache(v8::internal::Isolate::Init(v8::internal::ReadOnlyDeserializer*, v8::internal::StartupDeserializer*)+0xa55) [0x1a3e148890f5]
    /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache(v8::internal::Snapshot::Initialize(v8::internal::Isolate*)+0x6b7) [0x1a3e14b36e07]
    /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache(v8::Isolate::Initialize(v8::Isolate*, v8::Isolate::CreateParams const&)+0xe2) [0x1a3e1480d0a2]
    /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache(v8::Isolate::New(v8::Isolate::CreateParams const&)+0x20) [0x1a3e1480d1a0]
    /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache(main+0x13a) [0x1a3e144c166a]
    /lib64/libc.so.6(__libc_start_main+0xeb) [0x6d24c955beab]
    /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache(_start+0x2a) [0x1a3e144c746a]


#
# Fatal error in , line 0
# Check failed: reservation_.SetPermissions(protect_start, protect_size, permission).
#
#
#
#FailureMessage Object: 0x72d4f41ff200/bin/sh: line 1: 17291 Illegal instruction     "/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/mkcodecache" "/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj/gen/node_code_cache.cc"
make: *** [node.target.mk:13: /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj/gen/node_code_cache.cc] Error 132
make: *** Waiting for unfinished jobs....
/bin/sh: line 1: 17292 Illegal instruction     "/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/node_mksnapshot" "/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj/gen/node_snapshot.cc"
make: *** [node.target.mk:26: /var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out/Release/obj/gen/node_snapshot.cc] Error 132
rm 3e91ef147741655706c7f24310f142339aff506c.intermediate ae22588cbd35cde23e56c78ddab1aa4ecf59880c.intermediate 02fc2535e7fcde8de8261c3edb8dca4cc07de133.intermediate
make: Leaving directory '/var/tmp/portage/net-libs/nodejs-12.10.0/work/node-v12.10.0/out'
Comment 1 Attila Tóth 2019-09-11 20:30:25 UTC
Created attachment 589696 [details, diff]
node-v12.8.1-mknodecache-node_mksnapshot.patch

Proposed patch to take care of pax-marking compile-time binaries. Works for me.
Comment 2 Magnus Granberg gentoo-dev 2019-09-12 15:46:20 UTC
We already mark it in the ebuild, but do we need a new one?
We have turned off default pax marking in all profiles and we have
no way to test it when we don't have access to pax/grsec.
If we need a new one, take a look at qtwebengine to see how it is done there.
Comment 3 Attila Tóth 2019-09-12 17:20:33 UTC
(In reply to Magnus Granberg from comment #2)
> We already mark it in the ebuild, but do we need a new one?
> We have turned off default pax marking in all profiles and we have
> no way to test it when we don't have access to pax/grsec.
> If we need a new one, take a look at qtwebengine to see how it is done there.

The ebuild marks the build-time executable "mksnapshot". One may simply issue make for that executable and take care of the marking in the ebuild.
While these two new build-time executables are different (node_mksnapshot, mkcodecache) and showed up only recently (in nodejs-12.x). I could find a way to mark them the same way as it works for mksnapshot.
The current qtwebengine build is a little different, this nodejs thing is close to a previous version (qtwebengine-5.6.1).
I'm really afraid that I will eventually be left alone with these problems because of the lack of people still having access to grsecurity. I may not be able to take care of these forever.
However, I felt that I don't want to keep this patch for myself and others might still make use of it just in case...
Comment 4 Patrick McLean gentoo-dev 2019-09-18 00:22:22 UTC
I can reproduce this issue on a 4.14.142 grsecurity kernel, but the patch does not fix it for me.
Comment 5 Attila Tóth 2019-09-18 05:30:10 UTC
(In reply to Patrick McLean from comment #4)
> I can reproduce this issue on a 4.14.142 grsecurity kernel, but the patch
> does not fix it for me.

I have access to beta patches. I'll try to retest it with the latest beta.
Comment 6 Attila Tóth 2019-10-02 08:54:50 UTC
(In reply to Attila Tóth from comment #5)
> (In reply to Patrick McLean from comment #4)
> > I can reproduce this issue on a 4.14.142 grsecurity kernel, but the patch
> > does not fix it for me.
> 
> I have access to beta patches. I'll try to retest it with the latest beta.

The situation is the same for net-libs/openjs-12.11.0 from the anarchy overlay. It fails without the patch. The proposed patch solves the problem on my systems running grsec beta (5.2.17-201909242038). This is not the latest, because there is a fresh beta from yesterday I will only be able to use later today or tomorrow. But I would expect the same.
Comment 7 Magnus Granberg gentoo-dev 2019-11-08 21:59:10 UTC
The patch fails to apply to nodejs-6-16-2
Comment 8 Attila Tóth 2019-11-08 23:37:59 UTC
(In reply to Attila Tóth from comment #6)
> (In reply to Attila Tóth from comment #5)
> > (In reply to Patrick McLean from comment #4)
> > > I can reproduce this issue on a 4.14.142 grsecurity kernel, but the patch
> > > does not fix it for me.
> > 
> > I have access to beta patches. I'll try to retest it with the latest beta.
> 
> The situation is the same for net-libs/openjs-12.11.0 from the anarchy
> overlay. It fails without the patch. The proposed patch solves the problem
> on my systems running grsec beta (5.2.17-201909242038). This is not the
> latest, because there is a fresh beta from yesterday I will only be able to
> use later today or tomorrow. But I would expect the same.

My observations are still the same for nodejs-13.0.1 vs grsec-3.1-5.3.8-201911041113. The attached patch takes care of the issue.
Comment 9 Magnus Granberg gentoo-dev 2019-11-12 20:49:19 UTC
Created attachment 595918 [details, diff]
Add actions to pax mark needed files

Smaller patch, testing needed.
no need to pax mark in src_compile
Comment 10 Attila Tóth 2019-11-12 22:33:28 UTC
(In reply to Magnus Granberg from comment #9)
> Created attachment 595918 [details, diff] [details, diff]
> Add actions to pax mark needed files
> 
> Smaller patch, testing needed.
> no need to pax mark in src_compile

Patch tested right, but I haven't modified src_compile. Thx: Dw.
Comment 11 Magnus Granberg gentoo-dev 2019-11-19 20:40:09 UTC
Jer, is it okay to apply the patch as what is done in qtwebengine?
Comment 12 Larry the Git Cow gentoo-dev 2019-11-27 21:37:51 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3b53be221b0288c4eb5155ad52fa8f27bda083d

commit d3b53be221b0288c4eb5155ad52fa8f27bda083d
Author:     Magnus Granberg <zorry@gentoo.org>
AuthorDate: 2019-11-27 21:28:02 +0000
Commit:     Magnus Granberg <zorry@gentoo.org>
CommitDate: 2019-11-27 21:29:14 +0000

    net-libs/nodejs: Fix build on PAX enable kernel (bug 694100)
    
    We need to disable mprotect on two bins when we compile
    bug 694100.
    
    Closes: https://bugs.gentoo.org/694100
    Reported-by: Attila Tóth <atoth@atoth.sote.hu>
    Co-developed-by: Attila Tóth <atoth@atoth.sote.hu>
    Signed-off-by: Magnus Granberg <zorry@gentoo.org>
    Package-Manager: Portage-2.3.76, Repoman-2.3.16

 .../nodejs/files/nodejs-13.2.0-paxmarking.patch    | 71 ++++++++++++++++++++++
 net-libs/nodejs/metadata.xml                       |  1 +
 net-libs/nodejs/nodejs-13.2.0.ebuild               |  8 ++-
 net-libs/nodejs/nodejs-99999999.ebuild             |  8 ++-
 4 files changed, 82 insertions(+), 6 deletions(-)
Comment 13 Attila Tóth 2019-12-10 14:26:36 UTC
(In reply to Larry the Git Cow from comment #12)
> The bug has been closed via the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=d3b53be221b0288c4eb5155ad52fa8f27bda083d
> 
> commit d3b53be221b0288c4eb5155ad52fa8f27bda083d
> Author:     Magnus Granberg <zorry@gentoo.org>
> AuthorDate: 2019-11-27 21:28:02 +0000
> Commit:     Magnus Granberg <zorry@gentoo.org>
> CommitDate: 2019-11-27 21:29:14 +0000
> 
>     net-libs/nodejs: Fix build on PAX enable kernel (bug 694100)
>     
>     We need to disable mprotect on two bins when we compile
>     bug 694100.
>     
>     Closes: https://bugs.gentoo.org/694100
>     Reported-by: Attila Tóth <atoth@atoth.sote.hu>
>     Co-developed-by: Attila Tóth <atoth@atoth.sote.hu>
>     Signed-off-by: Magnus Granberg <zorry@gentoo.org>
>     Package-Manager: Portage-2.3.76, Repoman-2.3.16
> 
>  .../nodejs/files/nodejs-13.2.0-paxmarking.patch    | 71
> ++++++++++++++++++++++
>  net-libs/nodejs/metadata.xml                       |  1 +
>  net-libs/nodejs/nodejs-13.2.0.ebuild               |  8 ++-
>  net-libs/nodejs/nodejs-99999999.ebuild             |  8 ++-
>  4 files changed, 82 insertions(+), 6 deletions(-)

Hi Zorry,

Unfortunately I have to raise this bug again.
The patch takes care of marking node_mksnapshot and mkcodecache during compile. There is a third executable that needs marking: mksnapshot, which had been handled by the ebuild previously. With the advent of the patch, those lines handling mksnapshot marking were removed:
@@ -124,8 +128,6 @@ src_configure() {
 }
 
 src_compile() {
-	emake -C out mksnapshot
-	pax-mark m "out/${BUILDTYPE}/mksnapshot"
 	emake -C out
 }
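
Review bot: The two removed lines in src_compile() are what built mksnapshot first and marked it with "pax-mark m", and the hunk puts nothing in their place, so the remaining plain "emake -C out" runs mksnapshot unmarked on a PaX kernel. Either keep the "emake -C out mksnapshot" / "pax-mark m" pair, or make sure the paxmarking patch marks mksnapshot as well as node_mksnapshot and mkcodecache before the build first executes it.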

For this reason nodejs failed to compile again. Either these lines must be reintroduced into the ebuilds or a separate or extended patch should be provided taking care of mksnapshot on top of node_mksnapshot and mkcodecache.

What is your opinion about it?
Comment 14 Magnus Granberg gentoo-dev 2019-12-11 16:44:59 UTC
(In reply to Attila Tóth from comment #13)
> (In reply to Larry the Git Cow from comment #12)
> > The bug has been closed via the following commit(s):
> > 
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/
> > ?id=d3b53be221b0288c4eb5155ad52fa8f27bda083d
> > 
> > commit d3b53be221b0288c4eb5155ad52fa8f27bda083d
> > Author:     Magnus Granberg <zorry@gentoo.org>
> > AuthorDate: 2019-11-27 21:28:02 +0000
> > Commit:     Magnus Granberg <zorry@gentoo.org>
> > CommitDate: 2019-11-27 21:29:14 +0000
> > 
> >     net-libs/nodejs: Fix build on PAX enable kernel (bug 694100)
> >     
> >     We need to disable mprotect on two bins when we compile
> >     bug 694100.
> >     
> >     Closes: https://bugs.gentoo.org/694100
> >     Reported-by: Attila Tóth <atoth@atoth.sote.hu>
> >     Co-developed-by: Attila Tóth <atoth@atoth.sote.hu>
> >     Signed-off-by: Magnus Granberg <zorry@gentoo.org>
> >     Package-Manager: Portage-2.3.76, Repoman-2.3.16
> > 
> >  .../nodejs/files/nodejs-13.2.0-paxmarking.patch    | 71
> > ++++++++++++++++++++++
> >  net-libs/nodejs/metadata.xml                       |  1 +
> >  net-libs/nodejs/nodejs-13.2.0.ebuild               |  8 ++-
> >  net-libs/nodejs/nodejs-99999999.ebuild             |  8 ++-
> >  4 files changed, 82 insertions(+), 6 deletions(-)
> 
> Hi Zorry,
> 
> Unfortunately I have to raise this bug again.
> The patch takes care of marking node_mksnapshot and mkcodecache during
> compile. There is a third executable needs marking: mksnapshot, which had
> been handled by the ebuild previously. By the advent of the patch, those
> lines handling mksnapshot marking were removed:
> @@ -124,8 +128,6 @@ src_configure() {
>  }
>  
>  src_compile() {
> -	emake -C out mksnapshot
> -	pax-mark m "out/${BUILDTYPE}/mksnapshot"
>  	emake -C out
>  }
> 
> For this reason nodejs failed to compile again. Either these lines must be
> reintroduced into the ebuilds or a separate or extended patch should be
> provided taking care of mksnapshot on top of node_mksnapshot and mkcodecache.
> 
> What is your opinion about it?

Make a patch that takes care of mksnapshot.
Comment 15 Attila Tóth 2019-12-11 23:16:45 UTC
Created attachment 599250 [details, diff]
mksnapshot_paxmark.patch

Separate patch to handle mksnapshot.
Comment 16 Attila Tóth 2019-12-11 23:17:26 UTC
(In reply to Magnus Granberg from comment #14)
> (In reply to Attila Tóth from comment #13)
> > (In reply to Larry the Git Cow from comment #12)
> > > The bug has been closed via the following commit(s):
> > > 
> > 
> > For this reason nodejs failed to compile again. Either these lines must be
> > reintroduced into the ebuilds or a separate or extended patch should be
> > provided taking care of mksnapshot on top of node_mksnapshot and mkcodecache.
> > 
> > What is your opinion about it?
> 
> Make a patch that takes care of mksnapshot.

There it is!
Comment 17 Magnus Granberg gentoo-dev 2019-12-17 21:25:12 UTC
Created attachment 599974 [details, diff]
Updated patch to pax mark needed files

Can someone test this?
Comment 18 Fedja Beader 2019-12-26 17:28:15 UTC
The patch applies, but the build still fails. Now with mksnapshot_u instead of mksnapshot.
Comment 19 Fedja Beader 2019-12-26 17:53:59 UTC
paxctl-ng -v out/Release/mksnapshot_u reports
  XATTR_PAX : not found

Manually running paxctl-ng -l -m on that file produces (with -v)
  XATTR_PAX : -em--

Manually running paxmark.sh m on that file does not create the XATTR_PAX entry.

Apparently paxmark.sh expects the variable PAX_MARKINGS to be set in make.conf, but no such variable is present and thus it silently fails while not knowing how to proceed.
Comment 20 Fedja Beader 2019-12-26 21:30:45 UTC
(the build works after adding PAX_MARKINGS definition to make.conf)
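
A check for the silent failure described in comments 19 and 20, as an added example that is not part of the bug thread, the ebuild or any of the attached patches: after the marking step it confirms that each build-time binary really carries the "m" flag and fails loudly otherwise. It assumes the XATTR_PAX marking is stored in the user.pax.flags extended attribute and that getfattr (from the attr package) is installed; the function names are hypothetical.

```bash
#!/bin/sh
# Added example: verify that PaX marking of build-time binaries took effect.
# A marking helper that does nothing (for instance because PAX_MARKINGS is
# not set) leaves no user.pax.flags attribute behind; this check catches that
# before the binary is executed and killed by MPROTECT.

# Return 0 only if the flag string disables MPROTECT (lowercase "m").
# Accepts the raw xattr value ("em") or the five-column form that
# "paxctl-ng -v" prints ("-em--"). Anything else, including an empty
# string or the literal "not found", counts as unmarked.
pax_mprotect_disabled() {
    case "$1" in
        ''|*[!PpEeMmRrSs-]*) return 1 ;;  # empty or not a PaX flag string
        *M*) return 1 ;;                  # MPROTECT explicitly enforced
        *m*) return 0 ;;                  # MPROTECT disabled for this file
        *)   return 1 ;;                  # flag left at the kernel default
    esac
}

# Print the raw XATTR_PAX value of a file, or nothing if it has none.
# Assumption: the attribute name is user.pax.flags.
pax_read_flags() {
    getfattr --only-values -n user.pax.flags -- "$1" 2>/dev/null
}

# Check every file given; report each one and return non-zero if any
# of them is missing the "m" flag.
pax_verify_marked() {
    rc=0
    for f in "$@"; do
        flags=$(pax_read_flags "$f") || flags=""
        if pax_mprotect_disabled "$flags"; then
            printf 'ok       %s (%s)\n' "$f" "$flags"
        else
            printf 'UNMARKED %s (%s)\n' "$f" \
                "${flags:-no user.pax.flags attribute}" >&2
            rc=1
        fi
    done
    return "$rc"
}

# When run with file arguments, check them and exit non-zero on failure,
# e.g. with the binaries named in this bug:
#   sh pax-verify.sh out/Release/mksnapshot_u out/Release/node_mksnapshot \
#       out/Release/mkcodecache
[ "$#" -eq 0 ] || pax_verify_marked "$@" || exit 1
```

The "m" flag exempts a binary from MPROTECT, so the list passed to the check should stay limited to the build-time tools that need it.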
Comment 21 Larry the Git Cow gentoo-dev 2020-02-17 00:38:01 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7beac2cd42801fc3ef9a1c81b9922d850e17a1c1

commit 7beac2cd42801fc3ef9a1c81b9922d850e17a1c1
Author:     Magnus Granberg <zorry@gentoo.org>
AuthorDate: 2020-02-17 00:33:45 +0000
Commit:     Magnus Granberg <zorry@gentoo.org>
CommitDate: 2020-02-17 00:37:31 +0000

    net-libs/nodejs: Fix building on pax enable kernel
    
    Closes: https://bugs.gentoo.org/694100
    Signed-off-by: Magnus Granberg <zorry@gentoo.org>
    Package-Manager: Portage-2.3.84, Repoman-2.3.16

 .../nodejs/files/nodejs-13.8.0-paxmarking.patch    | 111 +++++++++++++++++++++
 net-libs/nodejs/nodejs-13.8.0.ebuild               |   2 +-
 2 files changed, 112 insertions(+), 1 deletion(-)
Comment 22 Attila Tóth 2022-05-03 17:19:49 UTC
Created attachment 776576 [details, diff]
nodejs-16.4.2-paxmarking.patch

Updated patch for nodejs-16.4.2
Comment 23 Attila Tóth 2022-05-03 17:20:31 UTC
Created attachment 776579 [details, diff]
nodejs-18.0.0-paxmarking.patch

Updated patch for nodejs-18.0.0
Comment 24 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-04 00:57:22 UTC
In future, please file a new bug w/ the needed patches and reference this one.

Let's use bug 735832 as it has all 3 patches, not just 2. Thank you for sharing them!
Comment 25 William Hubbs gentoo-dev 2022-05-04 01:15:23 UTC
Please file issues or pull requests upstream [1] and see if they will
accept your patches. If they do, that means we don't have to keep
carrying patches.

Thanks,

William

[1] https://github.com/nodejs/node
Comment 26 William Hubbs gentoo-dev 2022-05-04 03:47:12 UTC
I saw a short conversation on irc that points out why we may not be able
to do this, so never mind for now.
Comment 27 Attila Tóth 2022-06-10 06:32:52 UTC
Created attachment 783803 [details, diff]
nodejs-18.3.0-paxmarking.patch

nodejs-18.3.0 removed some relevant pieces of the gyp, therefore the patch created for 18.0.0 fails to apply cleanly. This is an updated patch adapted to 18.3.0.
Comment 28 Attila Tóth 2023-10-06 18:03:11 UTC
Created attachment 872243 [details, diff]
nodejs-20.3.0-paxmarking.patch

nodejs-20.3.0-paxmarking.patch