
Bug 100507

Summary: net-im/skype- - skype.bin gets terminated by PaX with execution attempt
Product: Gentoo Linux
Reporter: Daniel Seyffer <gentoo-bugs>
Component: Hardened
Assignee: Gentoo Net-im project <net-im>
Severity: major
Priority: High
Version: unspecified
Hardware: x86
OS: Linux
Package list:
Runtime testing required: ---
Bug Depends on: 130999
Bug Blocks:
Attachments: Relaxes mprotect() restrictions for PaX usage

Description Daniel Seyffer 2005-07-27 12:15:04 UTC

Skype gets terminated by PaX on my Gentoo Hardened laptop.

I can hardly believe this has not been reported as a bug before, since I have
seen this behaviour for a while now. But I could not find a bug report for this
one, plus it's not fixed yet so... ;)

As described below skype gets terminated by PaX with execution attempt. 
The problem can be resolved/mitigated by setting PaX flags to remove mprotect()
restrictions. Therefore I recommend adding an entry to /etc/conf.d/chpax:

# default is:
  chpax -v /opt/skype/skype.bin
  ----[ chpax 0.7 : Current flags for /opt/skype/skype.bin (PeMRxS) ]----
-> Skype crashes

# disabling mprotect() ;-(
  chpax -m /opt/skype/skype.bin

-> Skype works fine. 

Thanks for your great work with Gentoo Hardened! (even got it quite working on my
Sparc box. *g*)

Reproducible: Always
Steps to Reproduce:
1. execute skype under a hardened (PaX, grsec) kernel

Actual Results:  
-------------- shell ---------------------
# skype
Running artsd found
/usr/bin/skype: line 50: 15599 Killed                  ${skypecmd} ${progopts}
>>${logfile} 2>>${logfile}

--------- dmesg -------------------------------------------
PAX: execution attempt in: /opt/skype/skype.bin, 08048000-08685000 00000000
PAX: terminating task: /opt/skype/skype.bin(skype.bin):15599, uid/euid:
1001/1001, PC: 080645d0, SP: 5ea1db4c
PAX: bytes at PC: ff 25 e0 37 68 08 68 38 0a 00 00 e9 70 eb ff ff ff 25 e4 37
PAX: bytes at SP: 22ef4a22 08784a28 22fde760 5ea1db98 22ef38d6 22fde760 00000101
08784a18 00000068 f27ad336 556bf7c8 556bf974 232b523b f27ad336 556bf974 556bbe68
23170a50 00000001 22fde760 5ea1dbf8

Portage (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.5-r0,
2.6.11-hardened-r15 i686)
System uname: 2.6.11-hardened-r15 i686 Intel(R) Pentium(R) M processor 1400MHz
Gentoo Base System version 1.6.13
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [enabled]
dev-lang/python:     2.3.5, 2.4.1-r1
sys-apps/sandbox:    1.2.10
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
CFLAGS="-march=pentium-m -O2 -pipe -fomit-frame-pointer -fstack-protector-all"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.2/share/config
/usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown
/usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown
/usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium-m -O2 -pipe -fomit-frame-pointer -fstack-protector-all"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict userpriv usersandbox"
USE="X a52 aalib acpi alsa apache2 arts avi bash-completion berkdb bitmap-fonts
bluetooth cdr crypt cups curl dga directfb divx4linux dlloader dvd dvdr eds esd
ethereal evo fam fbcon flac freetype ftp gd gdbm gif gimpprint gnokii gphoto2
gpm gps gtk gtk2 gtkhtml hardened hbci icq imagemagick imap imlib irda java
javascript jpeg kde ldap mad maildir mikmod mmx monkey motif moznocompose
moznoirc moznomail mozp3p mozsvg mplayer mysql ncurses nls nptl nptlonly ntlm
ogg opengl pam pcmcia perl pic png posix python qt radeon readline real rtc
samba sdl slang sms sse sse2 ssl svga tcltk tcpd tiff truetype truetype-fonts
type1-fonts usb userlocales vcd vorbis wifi win32codecs x86 xine xinerama xml
xml2 xmms xv xvid zlib linguas_de userland_GNU kernel_linux elibc_glibc"
Comment 1 Kevin F. Quinn (RETIRED) gentoo-dev 2005-07-27 12:38:06 UTC
Created attachment 64456 [details, diff]
Relaxes mprotect() restrictions for PaX usage
Comment 2 Kevin F. Quinn (RETIRED) gentoo-dev 2005-07-27 12:58:23 UTC
net-im: the patch posted above adds a call to /sbin/chpax during installation of
the binary to the ebuild, to relax PaX's mprotect() restrictions. 
Reassigning to package maintainer for action.

We've avoided suggesting ebuild patches for packages that need PaX flag
management, until someone bugs about it.  This one is simple enough and is as ok
as the java ebuilds for example, but in general adding calls to chpax/paxctl
is not satisfactory for all users.  For example the chpax method only works if
the CONFIG_PAX_EI_PAX is enabled in the kernel.

Work is ongoing on a more satisfactory way of managing PaX flags from within the
hardened profile which will enable the hardened team to support this without
having to badger package maintainers; once this reaches a satisfactory state
ebuilds like this which just need permissions to be managed won't need any black
Comment 3 Kevin F. Quinn (RETIRED) gentoo-dev 2006-01-06 06:01:27 UTC
For the record; recent versions of Skype are built with a compiler that supports
GNU_STACK; hardened users preferring paxctl over chpax can now set the 'm'
flag for it with '/sbin/paxctl -cm /opt/skype/skype.bin'.
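
Added example (not part of the bug thread or the ebuild patch): a Python check of which marking route from Comments 2 and 3 fits a given binary, based on whether its ELF program headers carry PT_GNU_STACK or PT_PAX_FLAGS. The helper names and the sample images are constructed for illustration; the program-header constants are the standard GNU and PaX values.

```python
import struct

PT_GNU_STACK = 0x6474E551  # emitted by GNU_STACK-aware toolchains
PT_PAX_FLAGS = 0x65041580  # program header that paxctl reads and writes
PF_NOMPROTECT = 1 << 9     # PT_PAX_FLAGS p_flags bit: MPROTECT disabled ('m')

def pax_headers(image: bytes) -> dict:
    """Map p_type -> p_flags for PT_GNU_STACK / PT_PAX_FLAGS headers."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if image[5] == 1 else ">"   # EI_DATA: 1 = little endian
    if image[4] == 2:                     # EI_CLASS: 2 = ELF64
        phoff, = struct.unpack_from(end + "Q", image, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", image, 54)
        flags_at = 4
    else:                                 # ELF32
        phoff, = struct.unpack_from(end + "I", image, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", image, 42)
        flags_at = 24
    found = {}
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type = struct.unpack_from(end + "I", image, base)[0]
        if p_type in (PT_GNU_STACK, PT_PAX_FLAGS):
            found[p_type] = struct.unpack_from(end + "I", image, base + flags_at)[0]
    return found

def marking_advice(image: bytes) -> str:
    """Hypothetical helper: which marking route from this bug applies."""
    hdrs = pax_headers(image)
    if PT_PAX_FLAGS in hdrs:
        done = hdrs[PT_PAX_FLAGS] & PF_NOMPROTECT
        return "already marked m" if done else "paxctl -m"
    if PT_GNU_STACK in hdrs:
        return "paxctl -cm"               # convert PT_GNU_STACK, then set 'm'
    return "chpax -m (needs CONFIG_PAX_EI_PAX)"

def sample_elf32(phdrs):
    """Constructed ELF32 image: header and program headers only."""
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0,
                               52, 32, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 0)
                           for t, f in phdrs)

if __name__ == "__main__":
    for name, ph in [("old build", [(1, 5)]),
                     ("GNU_STACK build", [(1, 5), (PT_GNU_STACK, 6)])]:
        print(name, "->", marking_advice(sample_elf32(ph)))
```

To check a real file, pass the bytes read from it to `marking_advice()`.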
Comment 4 Gustavo Felisberto (RETIRED) gentoo-dev 2006-07-02 16:08:23 UTC
Fixed in 1.3 version