Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 195688

Summary: mpost from tetex and (soon to be comitted) texlive gets killed by hardened kernel
Product: Gentoo Linux Reporter: Alexis Ballier <aballier>
Component: HardenedAssignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED FIXED    
Severity: normal CC: anton.kochkov, atoth, Hugo.Mildenberger, jamesb.fe80, jeremyhu, nail2001, navid.zamani, tex
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: We use the C code when __PIC__ is defined
Use C code when -fPIC and on x86

Description Alexis Ballier gentoo-dev 2007-10-13 10:28:10 UTC 
$ mpost 
mpost: error while loading shared libraries: cannot make segment writable for relocation: Permission denied


I'm a noob with hardened so I dunno what's the cause, doesn't seem to be textrels

[ebuild   R   ] app-text/tetex-3.0_p1-r4  USE="X motif -Xaw3d -doc -lesstif -neXt -tk" 0 kB 


 emerge --info
Portage 2.1.3.12 (hardened/x86/2.6, gcc-3.4.6, glibc-2.6.1-r0, 2.6.22-hardened-r7 i686)
=================================================================
System uname: 2.6.22-hardened-r7 i686 AMD Athlon(tm) XP 2200+
Timestamp of tree: Unknown
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.5.1-r2
dev-python/pycrypto: 2.0.1-r5
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O2 -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=athlon-xp -O2 -pipe -fforce-addr"
DISTDIR="/mnt/distfiles"
FEATURES="collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,--as-needed"
LINGUAS="en_US en fr"
MAKEOPTS="-j2"
PKGDIR="/usr/local/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /mnt/texlive-overlay"
SYNC="rsync://192.168.0.2/gentoo-portage"
USE="3dnow X a52 alsa bash-completion berkdb cjk cracklib crypt dbus dts dv dvd dvdread ffmpeg flac fontconfig gif glibc-omitfp gtk hal hardened httpd iconv id3tag ipv6 ithreads jpeg live lua lzo matroska midi mjpeg mmx mod motif mp3 mpeg musepack musicbrainz ncurses nls nptl nptlonly ogg opengl pam pic png python quicktime readline sse ssl taglib tcpd tetex theora threads truetype twolame unicode urandom vim-syntax vorbis wxwindows x264 x86 xcb xml xorg xpm xvid zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_US en fr" USERLAND="GNU" VIDEO_CARDS="vesa radeon vga"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS



this has probably been unnoticed for ages because tetex was building its format files with texmf-update, as I've changed it a bit for texlive, they are now built in src_compile, that will cause packages building their formats with mpost to fail


I had been suggested that would be mpost trying to execute its stack, but I didn't investigate this more; I'm just opening a bug now to keep track of this
Comment 1 Alexis Ballier gentoo-dev 2007-12-18 07:37:42 UTC 
What I did not notice at first:

 * QA Notice: The following files contain runtime text relocations
 *  Text relocations force the dynamic linker to perform extra
 *  work at startup, waste system resources, and may pose a security
 *  risk.  On some architectures, the code may not even function
 *  properly, if at all.
 *  For more information, see http://hardened.gentoo.org/pic-fix-guide.xml
 *  Please include this file in your report:
 *  /var/tmp/portage/app-text/texlive-core-2007-r11/temp/scanelf-textrel.log
 * TEXTREL usr/bin/mpost
TEXTREL usr/bin/mf
TEXTREL usr/bin/mf-nowin


that reminds me the ocaml stuff... I'll investigate it.
Comment 2 Alexis Ballier gentoo-dev 2009-03-27 19:18:23 UTC 
*** Bug 263986 has been marked as a duplicate of this bug. ***
Comment 3 James Browning 2009-04-12 20:14:25 UTC 
I had a similar problem with '/usr/bin/mf-nowin'.
I solved it by running 'paxctl -m' as a sufficiently elevated account. (requires kernel soft mode support)
I had a hack that'd paxctl binaries before install, but the maintainers said to fix the software not add more hacks.
Comment 4 Jeremy Huddleston Sequoia 2009-06-21 03:27:57 UTC 
This is fairly important... any ETA on a real fix?
Comment 5 Magnus Granberg gentoo-dev 2010-07-17 16:38:23 UTC 
Do we still have the probs in app-text/texlive-core-2009?
on amd64 i don't see any textrel and x86 should be clean to.
jasmin / # scanelf -a usr/bin/mpost
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN ---xe- 0755 LE RW- R-- RW-    -      -   NOW usr/bin/mpost 
jasmin / # scanelf -a usr/bin/mf   
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN ---xe- 0755 LE RW- R-- RW-    -      -   NOW usr/bin/mf 
jasmin / # scanelf -a usr/bin/mf-nowin 
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN ---xe- 0755 LE RW- R-- RW-    -      -   NOW usr/bin/mf-nowin
Comment 6 Radoslaw Madej (radegand) 2010-07-19 11:28:33 UTC 
(In reply to comment #5)
> Do we still have the probs in app-text/texlive-core-2009?
> on amd64 i don't see any textrel and x86 should be clean to.

while it does not get killed on x86 anymore, there might still be an issue of a TEXTRELs :( see below (same version texlive-core-2009 used):

g44_x86 ~ # scanelf -a /usr/bin/mpost
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN ---xe- 0755 LE RW- R-- RW-    -      -   NOW /usr/bin/mpost 
g44_x86 ~ # scanelf -a /usr/bin/mf
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN ---xe- 0755 LE RW- R-- RW- TEXTREL   -   NOW /usr/bin/mf 
g44_x86 ~ # scanelf -a /usr/bin/mf-nowin
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN ---xe- 0755 LE RW- R-- RW- TEXTREL   -   NOW /usr/bin/mf-nowin 
g44_x86 ~ # scanelf -T /usr/bin/mf
 TYPE   TEXTRELS FILE 
  mf: aritherror [0x7B01] in (optimized out: previous _init) [0x74B8]
  mf: aritherror [0x7B9A] in (optimized out: previous _init) [0x74B8]
ET_DYN  /usr/bin/mf 
g44_x86 ~ # scanelf -T /usr/bin/mf-nowin
 TYPE   TEXTRELS FILE 
  mf-nowin: aritherror [0x7B01] in (optimized out: previous _init) [0x74B8]
  mf-nowin: aritherror [0x7B9A] in (optimized out: previous _init) [0x74B8]
ET_DYN  /usr/bin/mf-nowin
Comment 7 Magnus Granberg gentoo-dev 2010-07-19 23:58:32 UTC 
jasmin / # scanelf -qT /var/tmp/portage/app-text/texlive-core-2009-r2/image/usr/bin/mf
  mf: .L4069 [0x7B01] in (optimized out: previous LL3) [0x7AFA]
  mf: .L4069 [0x7B9A] in (optimized out: previous LL34) [0x7B93]
  /var/tmp/portage/app-text/texlive-core-2009-r2/image/usr/bin/mf

The asm code look like this in texk/web2c/lib/mfmpi386.asm
LL3:     movl $0x7fffffff,%eax
#ifdef ASM_NEEDS_UNDERSCORE
        movb $1,_aritherror
#else
        movb $1,aritherror
#endif
......
LL34:    movl $0x7fffffff,%eax
#ifdef ASM_NEEDS_UNDERSCORE
        movb $1,_aritherror
#else
        movb $1,aritherror
#endif

objdump -d mf and you get
00007afa <LL3>:
    7afa:       b8 ff ff ff 7f          mov    $0x7fffffff,%eax
    7aff:       c6 05 00 00 00 00 01    movb   $0x1,0x0
.....
00007b93 <LL34>:
    7b93:       b8 ff ff ff 7f          mov    $0x7fffffff,%eax
    7b98:       c6 05 00 00 00 00 01    movb   $0x1,0x0
Comment 8 Magnus Granberg gentoo-dev 2010-07-23 01:01:52 UTC 
Created attachment 239877 [details, diff]
We use the C code when __PIC__ is defined

This patch fix the textrel. It use the C functions instead of the asm functions, for the asm code is not PIC/PIE friendly writhen and need alot of work to get it work and i not asm coder.
Comment 9 Attila Tóth 2010-08-12 12:13:52 UTC 
Big thanks for the fix!
How I hate TEXTRELs...
Comment 10 Alexis Ballier gentoo-dev 2011-06-15 17:06:58 UTC 
*** Bug 371685 has been marked as a duplicate of this bug. ***
Comment 11 Magnus Granberg gentoo-dev 2011-07-29 14:14:20 UTC 
Created attachment 281455 [details, diff]
Use C code when -fPIC and on x86

New patch that is sended to the tex-live ml
Comment 12 Magnus Granberg gentoo-dev 2011-07-29 14:23:32 UTC 
*** Bug 295451 has been marked as a duplicate of this bug. ***
Comment 13 David Durrleman 2011-08-14 17:36:29 UTC 
Until this is properly fixed upstream, is it possible to get the patch included in the gentoo version of texlive?

Currently it prevents building the stable version of texlive-basic on gentoo hardened x86.

Thanks
Comment 14 Magnus Granberg gentoo-dev 2011-08-15 01:13:01 UTC 
http://tug.org/svn/texlive?view=revision&revision=23365
Added upstream.
tex@gentoo okay to add patch to tree?
Comment 15 Alexis Ballier gentoo-dev 2011-08-15 07:45:39 UTC 
(In reply to comment #14)
> http://tug.org/svn/texlive?view=revision&revision=23365
> Added upstream.
> tex@gentoo okay to add patch to tree?

i'll do it; but once i get a more reliable internet access
meanwhile you can add it to the patchset in gentoo/src/patchsets cvs tree if you manage to get your way through it and dont break the quilt stuff (the series file) so that i'll just have to validate it and make a new tarball
Comment 16 Alexis Ballier gentoo-dev 2011-08-15 07:51:23 UTC 
*** Bug 379179 has been marked as a duplicate of this bug. ***
Comment 17 Alexis Ballier gentoo-dev 2011-08-19 18:52:21 UTC 
fixed in stable and ~arch; ~arch version revbumped, stable not, thanks for the patch!