Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 735832 - >net-libs/nodejs-14.3.0 on a PaX kernel: mksnapshot_u: Check failed: reservation_.SetPermissions(protect_start, protect_size, permission).
Summary: >net-libs/nodejs-14.3.0 on a PaX kernel: mksnapshot_u: Check failed: reservat...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-04 02:33 UTC by Anton Kochkov
Modified: 2023-10-18 16:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
build.log (nodejs-14.3.0-build.log.gz,34.62 KB, application/gzip)
2020-08-04 02:33 UTC, Anton Kochkov
Details
net-libs/nodejs-14.8.0 build log (nodejs_14.8.0_build.log.gz,37.69 KB, application/gzip)
2020-08-19 08:36 UTC, Anton Kochkov
Details
nodejs-14.15.0-r1.ebuild (nodejs-14.15.0-r1.ebuild,5.94 KB, text/plain)
2020-11-18 22:59 UTC, Attila Tóth
Details
nodejs-13.8.0-paxmarking.patch (nodejs-13.8.0-paxmarking.patch,4.11 KB, patch)
2020-11-18 23:00 UTC, Attila Tóth
Details | Diff
nodejs-pax-mark-ebuild.diff (nodejs-pax-mark-ebuild.diff,1.70 KB, patch)
2020-11-18 23:03 UTC, Attila Tóth
Details | Diff
nodejs-15.8.0-paxmarking.patch (nodejs-15.8.0-paxmarking.patch,4.16 KB, patch)
2021-02-24 21:48 UTC, Attila Tóth
Details | Diff
nodejs-16.4.2-paxmarking.patch (nodejs-16.4.2-paxmarking.patch,4.16 KB, patch)
2022-05-03 17:15 UTC, Attila Tóth
Details | Diff
nodejs-18.0.0-paxmarking.patch (nodejs-18.0.0-paxmarking.patch,4.24 KB, patch)
2022-05-03 17:16 UTC, Attila Tóth
Details | Diff
nodejs-20.3.0-paxmarking.patch (nodejs-20.3.0-paxmarking.patch,3.28 KB, patch)
2023-07-06 14:37 UTC, Attila Tóth
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Anton Kochkov 2020-08-04 02:33:47 UTC
Created attachment 652830 [details]
build.log

LD_LIBRARY_PATH=/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/lib.host:/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/lib.target:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH; cd ../tools/v8_gypfiles; mkdir -p /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/obj.target/v8_snapshot/geni; "/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u" --turbo_instruction_scheduling "--target_os=linux" "--target_arch=x64" --startup_src "/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/obj.target/v8_snapshot/geni/snapshot.cc" --embedded_variant Default --embedded_src "/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/obj.target/v8_snapshot/geni/embedded.S" --no-native-code-counters


#
# Fatal error in , line 0
# Check failed: reservation_.SetPermissions(protect_start, protect_size, permission).
#
#
#
#FailureMessage Object: 0x77ebe62d9140
==== C stack trace ===============================

    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(v8::base::debug::StackTrace::StackTrace()+0x16) [0x771cbf7a406]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(+0xb3b2ab) [0x771cb4872ab]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(V8_Fatal(char const*, ...)+0x172) [0x771cb482202]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(+0x6a416b) [0x771caff016b]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(v8::internal::Heap::ProtectUnprotectedMemoryChunks()+0xbd) [0x771caf7bc8d]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(v8::internal::Factory::CodeBuilder::BuildInternal(bool)+0x55c) [0x771caf5744c]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(v8::internal::Factory::CodeBuilder::Build()+0xe) [0x771caf574be]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(+0xda3d6f) [0x771cb6efd6f]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(v8::internal::SetupIsolateDelegate::PopulateWithPlaceholders(v8::internal::Isolate*)+0x42) [0x771cb6efef2]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(v8::internal::SetupIsolateDelegate::SetupBuiltinsInternal(v8::internal::Isolate*)+0x1a) [0x771cb6f01ca]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(v8::internal::Isolate::Init(v8::internal::ReadOnlyDeserializer*, v8::internal::StartupDeserializer*)+0xe09) [0x771caf37729]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(v8::SnapshotCreator::SnapshotCreator(v8::Isolate*, long const*, v8::StartupData*)+0xbe) [0x771cae85dde]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(v8::internal::CreateSnapshotDataBlobInternal(v8::SnapshotCreator::FunctionCodeHandling, char const*, v8::Isolate*)+0x49) [0x771cb1d55d9]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(main+0x2c3) [0x771cae76543]
    /lib64/libc.so.6(__libc_start_main+0xeb) [0x6cf9643c3ceb]
    /var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u(_start+0x2a) [0x771cae7e6da]
/bin/sh: line 1: 1407457 Illegal instruction     "/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u" --turbo_instruction_scheduling "--target_os=linux" "--target_arch=x64" --startup_src "/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/obj.target/v8_snapshot/geni/snapshot.cc" --embedded_variant Default --embedded_src "/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/obj.target/v8_snapshot/geni/embedded.S" --no-native-code-counters
make: *** [tools/v8_gypfiles/v8_snapshot.target.mk:30: 529bedbc42d3c7288d91dbc45560d13fe245f1a1.intermediate] Error 132
rm 24e7bf9c903baede4030baf7d0b4a73e5a771570.intermediate 529bedbc42d3c7288d91dbc45560d13fe245f1a1.intermediate bee93d3e0d62f1f1fbd3d35c094a0f3e64d6aeb5.intermediate
make: Leaving directory '/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out'
 * ERROR: net-libs/nodejs-14.3.0::gentoo failed (compile phase):
 *   emake failed
 * 
 * If you need support, post the output of `emerge --info '=net-libs/nodejs-14.3.0::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=net-libs/nodejs-14.3.0::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/net-libs/nodejs-14.3.0/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/net-libs/nodejs-14.3.0/temp/environment'.
 * Working directory: '/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0'
 * S: '/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0'


emerge --info output:

Portage 3.0.1 (python 3.6.11-final-0, default/linux/amd64/17.0/no-multilib/hardened, gcc-9.3.0, glibc-2.31-r6, 3.3.2-hardened x86_64)
=================================================================
System uname: Linux-3.3.2-hardened-x86_64-Intel-R-_Core-TM-_i7_CPU_930_@_2.80GHz-with-gentoo-2.7
KiB Mem:     8167824 total,   2135468 free
KiB Swap:   16016792 total,  15751696 free
Timestamp of repository gentoo: Mon, 03 Aug 2020 03:45:01 +0000
Head commit of repository gentoo: b3a865a3abc11ac745af25a95ff341b0be0e00fd
sh bash 5.0_p18
ld GNU ld (Gentoo 2.34 p6) 2.34.0
app-shells/bash:          5.0_p18::gentoo
dev-java/java-config:     2.3.1::gentoo
dev-lang/perl:            5.30.3-r1::gentoo
dev-lang/python:          2.7.18-r1::gentoo, 3.6.11-r2::gentoo, 3.7.8-r2::gentoo, 3.8.5::gentoo, 3.9.0_beta5::gentoo
dev-util/cmake:           3.18.1::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.7::gentoo
sys-apps/openrc:          0.42.1::gentoo
sys-apps/sandbox:         2.20::gentoo
sys-devel/autoconf:       2.69-r5::gentoo
sys-devel/automake:       1.14.1-r2::gentoo, 1.15.1-r2::gentoo, 1.16.2::gentoo
sys-devel/binutils:       2.34-r2::gentoo
sys-devel/gcc:            6.4.0-r2::gentoo, 7.3.0-r3::gentoo, 8.1.0-r3::gentoo, 8.2.0-r6::gentoo, 9.3.0-r1::gentoo, 10.2.0::gentoo
sys-devel/gcc-config:     2.3.1::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.7::gentoo (virtual/os-headers)
sys-libs/glibc:           2.31-r6::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.us.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: 
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-jobs: 1

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 0

gentoo-xvilka
    location: /var/lib/layman/gentoo-xvilka
    masters: gentoo
    priority: 1

godin
    location: /var/lib/layman/godin
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE dlj-1.1"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=generic -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind /var/qmail/alias /var/qmail/control /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=core2 -mtune=generic -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j9"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 bzip2 crypt cvs git gnutls hardened iconv ipv6 libtirpc lighttpd mercurial mmx ncurses nls nptl openmp pam pcre perl php pie postgresql python readline sbcl seccomp split-usr sse sse2 sse4 ssl ssp ssse3 subversion unicode xattr xml xmlrpc xsl xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2018" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2 php7-3" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_7" PYTHON_TARGETS="python2_7 python3_6 python3_7" RUBY_TARGETS="ruby27" USERLAND="GNU" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2020-08-04 10:37:35 UTC
Why 14.3.0? 14.4.0 appears to be running for president and 14.7.0 has also landed.


Looks like the bit after the mksnapshot_u error is more interesting than the error it spits out:
/bin/sh: line 1: 1407457 Illegal instruction     "/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u" --turbo_instruction_scheduling "--target_os=linux" "--target_arch=x64" --startup_src "/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/obj.target/v8_snapshot/geni/snapshot.cc" --embedded_variant Default --embedded_src "/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/obj.target/v8_snapshot/geni/embedded.S" --no-native-code-counters

An illegal instruction on an older Intel CPU? Maybe some assembler issue? It's probably a good idea to 1) check if a later 14.x.x release fails to trip up this way, and to 2) notify the upstream people at https://github.com/nodejs/node if it does.
Comment 2 Anton Kochkov 2020-08-05 05:56:11 UTC
> Why 14.3.0? 14.4.0 appears to be running for president and 14.7.0 has also landed.

I have some restriction on ICU version for another package, which in turns limits nodejs version.
Comment 3 Anton Kochkov 2020-08-19 08:36:54 UTC
Created attachment 655464 [details]
net-libs/nodejs-14.8.0 build log

I updated the system to latest hardened kernel 4.9.24 and GCC 9.3, also removed ICU and NodeJS mask, so tried to build 14.8.0, error is still the same (full log attached)

#
# Fatal error in , line 0
# Check failed: reservation_.SetPermissions(protect_start, protect_size, permission).
#
#
#
#FailureMessage Object: 0x70761b58f650
==== C stack trace ===============================

    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::base::debug::StackTrace::StackTrace()+0x16) [0x88d6f6aaf26]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(+0xba2ddb) [0x88d6edfaddb]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(V8_Fatal(char const*, ...)+0x172) [0x88d6edf5c72]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(+0x66af53) [0x88d6e8c2f53]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::Heap::ProtectUnprotectedMemoryChunks()+0xbd) [0x88d6e866a9d]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::Factory::CodeBuilder::BuildInternal(bool)+0x57c) [0x88d6e84125c]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::Factory::CodeBuilder::Build()+0xe) [0x88d6e8412ce]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(+0xe2c79f) [0x88d6f08479f]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::SetupIsolateDelegate::PopulateWithPlaceholders(v8::internal::Isolate*)+0x42) [0x88d6f084922]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::SetupIsolateDelegate::SetupBuiltinsInternal(v8::internal::Isolate*)+0x1a) [0x88d6f084bfa]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::Isolate::Init(v8::internal::ReadOnlyDeserializer*, v8::internal::StartupDeserializer*)+0xe09) [0x88d6e81e739]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::SnapshotCreator::SnapshotCreator(v8::Isolate*, long const*, v8::StartupData*)+0xbe) [0x88d6e7672ce]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::CreateSnapshotDataBlobInternal(v8::SnapshotCreator::FunctionCodeHandling, char const*, v8::Isolate*)+0x49) [0x88d6eae9879]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(main+0x2c0) [0x88d6e7572e0]
    /lib64/libc.so.6(__libc_start_main+0xeb) [0x6688e81d7e4b]
    /var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(_start+0x2a) [0x88d6e75fb7a]
/bin/sh: line 1: 21218 Illegal instruction     "/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u" --turbo_instruction_scheduling "--target_os=linux" "--target_arch=x64" --startup_src "/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/obj.target/v8_snapshot/geni/snapshot.cc" --embedded_variant Default --embedded_src "/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/obj.target/v8_snapshot/geni/embedded.S" --no-native-code-counters
make: *** [tools/v8_gypfiles/v8_snapshot.target.mk:30: 317743e6124a2962d75e8f35009db77621041030.intermediate] Error 132
rm 0d2164f4fa85865823af7d93d2fc95fd608f0df3.intermediate 317743e6124a2962d75e8f35009db77621041030.intermediate bc484948995d41658d78470718d89ce39cfdc90f.intermediate
make: Leaving directory '/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out'
Comment 4 Marek Szuba (RETIRED) archtester gentoo-dev 2020-11-09 15:27:18 UTC
Is this still a problem with 14.15.0?
Comment 5 Hans de Graaff gentoo-dev Security 2020-11-15 08:27:46 UTC
(In reply to Marek Szuba from comment #4)
> Is this still a problem with 14.15.0?

Yes, I can reproduce this with 14.15.0. Looks like it might be pax-related. bug 694100 described a similar issue.
Comment 6 Marek Szuba (RETIRED) archtester gentoo-dev 2020-11-15 19:24:52 UTC
Hmm, this does look like exactly the same problem - which unfortunately means it will not be fixed because as per the relevant discussions on the mailing lists, Gentoo no longer supports GRSecurity.
Comment 7 Patrick McLean gentoo-dev 2020-11-17 04:57:15 UTC
There is still unofficial support for Grsecurity/PaX. I will take a look at this when I have some time.
Comment 8 Attila Tóth 2020-11-18 22:59:28 UTC
Created attachment 672667 [details]
nodejs-14.15.0-r1.ebuild

The most recent nodejs kernel I'm using with pax-enabled kernel.
Comment 9 Attila Tóth 2020-11-18 23:00:53 UTC
Created attachment 672670 [details, diff]
nodejs-13.8.0-paxmarking.patch

Pax marking patch the ebuild uses.
Related bug:
https://bugs.gentoo.org/694100
Comment 10 Attila Tóth 2020-11-18 23:03:49 UTC
Created attachment 672673 [details, diff]
nodejs-pax-mark-ebuild.diff

This is a diff showing the difference between the in-tree nodejs ebuild and the pax-enabled ebuild. Works for me.
Note, that although it works for me, I'm using a more recent grsec kernel (beta). So your milage may vary with the latest kernel accessible for the community...
Comment 11 Larry the Git Cow gentoo-dev 2020-11-20 20:28:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ce9b123961a4dc19932e4cc81908b624eeba282

commit 9ce9b123961a4dc19932e4cc81908b624eeba282
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-11-20 20:21:46 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-11-20 20:24:47 +0000

    net-libs/nodejs: add PaX support to 14.15.1
    
    Bug: https://bugs.gentoo.org/735832
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/nodejs-14.15.1.ebuild | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e4294ea80a70435fa09c3579da81c428fa15efc

commit 3e4294ea80a70435fa09c3579da81c428fa15efc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-11-20 19:16:17 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-11-20 20:23:32 +0000

    net-libs/nodejs: restore PaX support
    
    Reverts: 19add7ba6500e6c60c8699b6bdda397744dfa73b
    Bug: https://bugs.gentoo.org/735832
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 .../nodejs/files/nodejs-13.2.0-paxmarking.patch    |  71 +++++++++++++
 .../nodejs/files/nodejs-13.8.0-paxmarking.patch    | 111 +++++++++++++++++++++
 net-libs/nodejs/metadata.xml                       |   3 +-
 net-libs/nodejs/nodejs-12.18.4-r1.ebuild           |   5 +-
 net-libs/nodejs/nodejs-12.19.1.ebuild              |   5 +-
 net-libs/nodejs/nodejs-14.2.0.ebuild               |  10 +-
 net-libs/nodejs/nodejs-99999999.ebuild             |  10 +-
 7 files changed, 208 insertions(+), 7 deletions(-)
Comment 12 Attila Tóth 2021-02-24 21:48:02 UTC
Created attachment 688272 [details, diff]
nodejs-15.8.0-paxmarking.patch

updated patch for net-libs/nodejs-15.8.0
Comment 13 Attila Tóth 2022-05-03 17:15:56 UTC
Created attachment 776570 [details, diff]
nodejs-16.4.2-paxmarking.patch

Updated patch for nodejs-16.4.2
Comment 14 Attila Tóth 2022-05-03 17:16:45 UTC
Created attachment 776573 [details, diff]
nodejs-18.0.0-paxmarking.patch

Updated patch for nodejs-18.0.0
Comment 15 Attila Tóth 2023-07-06 14:37:44 UTC
Created attachment 865211 [details, diff]
nodejs-20.3.0-paxmarking.patch

Recent net-libs/nodejs-20.3.0|1 needed some modifications again for the patch to apply cleanly.