
Bug 297054

Summary: kde-base/kate-4.3.4 crashed with qt-script JIT code on hardened
Product: Gentoo Linux Reporter: Hugo Mildenberger <Hugo.Mildenberger>
Component: Hardened
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED NEEDINFO    
Severity: normal CC: esigra, kde, qt
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 313999    
Attachments: emerge --info =kde-base/kate-4.3.4
gdb backtrace and more

Description Hugo Mildenberger 2009-12-15 17:30:16 UTC
An update to kde-4.3.4 on hardened Gentoo (running 2.6.31.7-grsec), which also includes an update of qt-scripts to version 4.6.0, resulted in the situation that the KDE editors kwrite and kate get killed by signal 9. Analyzing the core, it turned out that both programs use a QT JavaScript engine, partly implemented in assembly language, and that both fail at the same position. Both run fine with vanilla kernel 2.6.32. paxctl -m $(which kwrite) $(which kate) fixes the issue.

Here are some of the topmost stackframes:
#0  0x494ee1a8 in ?? ()
#1  0x49ec0f36 in ctiTrampoline () from /usr/lib/qt4/libQtScript.so.4
#2  0x49eead45 in QTJSC::Interpreter::execute (this=0x4951c488, eval=0x5b827de8, callFrame=0x10a22234,
    thisObj=0x49080000, globalRegisterOffset=9, scopeChain=0x495571c8, exception=0x5b827d44)
    at ../3rdparty/javascriptcore/JavaScriptCore/jit/JITCode.h:79

Will attach the complete gdb backtrace later. 

According to gdb, 0x494ee1a8 is not covered by any function. The disassembly looks like the CPU is sitting in the forest. Except for the kernel, gcc and glibc, the whole system is compiled with -fstack-protector-all applied, though I don't believe that this is an issue here.


Below is the code from ctiTrampoline(). I copied this from

  qt-everywhere-opensourcesrc-4.6.0/src/3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.cpp

which is part of the x11-libs/qt-script-4.6.0 package.

asm volatile (
".globl " SYMBOL_STRING(ctiTrampoline) "\n"
HIDE_SYMBOL(ctiTrampoline) "\n"
SYMBOL_STRING(ctiTrampoline) ":" "\n"
    "pushl %ebp" "\n"
    "movl %esp, %ebp" "\n"
    "pushl %esi" "\n"
    "pushl %edi" "\n"
    "pushl %ebx" "\n"
    "subl $0x3c, %esp" "\n"
    "movl $512, %esi" "\n"
    "movl 0x58(%esp), %edi" "\n"
    "call *0x50(%esp)" "\n"
    "addl $0x3c, %esp" "\n"
    "popl %ebx" "\n"
    "popl %edi" "\n"
    "popl %esi" "\n"
    "popl %ebp" "\n"
    "ret" "\n"
);

If you have difficulties reproducing this, see bug #281988 and scroll down for a patch for plasma-4.3.4; otherwise you probably won't even be able to log into KDE (I possibly should post that issue on a new report targeting x11-libs/solid-4.3.4-r1).
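The symptom in this report is the usual JIT-versus-PaX-MPROTECT pattern: the script engine writes generated machine code into a writable mapping and then needs that same memory to be executable. With MPROTECT enforced, the kernel refuses mmap()/mprotect() requests that would make a writable (or previously writable) anonymous mapping executable and returns EPERM; a JIT that does not check that return value ends up jumping into a non-executable page, and PaX terminates the task with SIGKILL, which is what "killed by signal 9" and the unknown frame #0 look like from gdb. paxctl -m clears the MPROTECT flag in the binary's PT_PAX_FLAGS header, so the transition is allowed again for that one program. The program below is an added example written for this page, not code from Qt, JavaScriptCore or the reporter. It performs the write-then-execute transition the way a hardened-aware JIT has to: a refused mprotect() is reported and the caller falls back to the interpreter instead of calling into the page. The emitted bytes are x86-64 (lea eax,[rdi+rdi*2]; ret, i.e. 3*x); on other architectures the JIT path reports itself unsupported and the fallback runs. The function names (jit_run_wx, interp_times3, times3) and the status codes are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Status codes of this example (hypothetical, not Qt's). */
enum { JIT_OK = 0, JIT_DENIED = -1, JIT_UNSUPPORTED = -2, JIT_FAILED = -3 };

typedef int (*jit_fn)(int);

/*
 * Emit machine code into an RW anonymous page, switch the page to RX and
 * call it, storing the result in *out.  Under PaX MPROTECT the mprotect()
 * call is refused with EPERM; here that is reported as JIT_DENIED instead
 * of being ignored, so the caller never jumps into a non-executable page.
 */
int jit_run_wx(int x, int *out)
{
#if defined(__x86_64__) && defined(__linux__)
    /* lea eax,[rdi+rdi*2] ; ret  -> returns 3*x (SysV ABI: first arg in edi).
     * Only the low 32 bits of rdi matter for the low 32 bits of the sum. */
    static const uint8_t code[] = { 0x8d, 0x04, 0x7f, 0xc3 };
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0) return JIT_FAILED;

    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return JIT_FAILED;
    memcpy(p, code, sizeof code);

    /* The W -> X transition: this is the call PaX MPROTECT refuses. */
    if (mprotect(p, (size_t)pg, PROT_READ | PROT_EXEC) != 0) {
        int refused = (errno == EPERM || errno == EACCES);
        munmap(p, (size_t)pg);
        return refused ? JIT_DENIED : JIT_FAILED;
    }

    /* Go through uintptr_t: ISO C does not allow casting a data pointer
     * to a function pointer directly. */
    jit_fn f = (jit_fn)(uintptr_t)p;
    *out = f(x);
    munmap(p, (size_t)pg);
    return JIT_OK;
#else
    (void)x;
    (void)out;
    return JIT_UNSUPPORTED;
#endif
}

/* The slow path a JIT must keep available: same semantics, no code generation. */
int interp_times3(int x)
{
    return 3 * x;
}

/*
 * What the script engine needs to do on a hardened kernel: use the JIT when
 * the kernel lets generated code become executable, otherwise fall back.
 */
int times3(int x)
{
    int r = 0;
    if (jit_run_wx(x, &r) == JIT_OK)
        return r;
    return interp_times3(x);
}

int main(void)
{
    int r = 0;
    int st = jit_run_wx(14, &r);
    if (st == JIT_OK)
        printf("JIT path ran: 3*14 = %d\n", r);
    else
        printf("JIT path unavailable (status %d), interpreter gives %d\n",
               st, interp_times3(14));
    return 0;
}
```

On a kernel without PaX, or on a binary marked with paxctl -m, the JIT path runs and prints 42; with MPROTECT enforced the mprotect() call fails with EPERM, jit_run_wx() returns JIT_DENIED, and times3() still yields the right answer through interp_times3(). The exec flags of an installed binary can be inspected with paxctl -v on the file before and after the -m change from the report.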
Comment 1 Hugo Mildenberger 2009-12-15 17:43:58 UTC
Created attachment 213112 [details]
emerge --info =kde-base/kate-4.3.4
Comment 2 Hugo Mildenberger 2009-12-15 18:13:03 UTC
Created attachment 213121 [details]
gdb backtrace and more

Running c++filt to demangle some gdb output, I guess the problem is at or below QTJSC::EvalExecutable::generateJITCode(QTJSC::ExecState*, QTJSC::ScopeChainNode*). As JIT code is mostly incompatible with hardened (and you wonder why an editor needs to compile javascript), there should be a build option to disable it. I could not find one. And konqueror-4.3.4 runs fine with Javascript enabled.


(gdb) x/10a $esp-4
0x5bfba278:     0x88ab12b2      0x4f3a9f36 <ctiTrampoline+22>   0x4ea054b0      0x0
0x5bfba288:     0x5bfba2c8      0x4f42b38e <QTJSC::EvalExecutable::generateJITCode(QTJSC::ExecState*, QTJSC::ScopeChainNode*)+208>     0x4ea19600      0x4ea00400
0x5bfba298:     0x4ea01e10      0x4ea401c8
Comment 3 Magnus Granberg gentoo-dev 2010-01-30 19:36:21 UTC
Can some one on the kde herd take a look on this?
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2010-04-17 21:36:42 UTC
What's the status with 4.3.5 or 4.4.2?
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2010-06-09 18:56:27 UTC
This looks like it is a QT problem, so I am cc'ing the qt herd. Anyone with more hardened experience there?!
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2010-06-20 21:01:04 UTC
QT 4.6.0 has been gone from the tree for some time...

Please update to QT 4.6.3 and try again. If the problem persists, please reopen the bug!