
Bug 373029

Summary: Firefox 5 doesn't compile on hardened systems due to a RWX mapping triggered by JIT
Product: Gentoo Linux
Reporter: Radoslaw Madej (radegand) <radegand>
Component: Current packages
Assignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED DUPLICATE
Severity: normal
CC: pageexec
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: proposed ebuild, original build log, emerge --info

Description Radoslaw Madej (radegand) 2011-06-25 19:42:26 UTC
Hi,

Firefox 5 doesn't compile on grsec-enabled kernels due to the jit optimization which creates an RWX memory mapping not liked by PaX :)

To compile it under a hardened kernel, one needs to disable jit during source configuration, please see the attached ebuild. Once jit is disabled, firefox compiles and runs fine.

I've added a jit flag to the ebuild which is automatically disabled on hardened profiles. The additional positive outcome of that is that firefox runs fine with mprotect enabled, however Java or Flash plugins will crash it.

I realize that from a user experience point of view, it's better to have mprotect disabled, but maybe at least it's worth giving the end user information that it would be possible if they're not going to use java or flash?

Thanks,
radegand

Reproducible: Always

Steps to Reproduce:
Emerge firefox 5 on a hardened system running Gentoo hardened-sources.
Actual Results:  
Emerge is killed with the following error from PaX:
grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/www-client/firefox-5.0/work/mozilla-release/obj-x86_64-unknown-linux-gnu/dist/bin/xpcshell[xpcshell:10891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:10882] uid/euid:0/0 gid/egid:0/0                                                                                                            
xpcshell[10891]: segfault at 41ea0ddc ip 00006b9475051ed4 sp 000078b37e81b6f0 error 4 in libxul.so[6b9474031000+1823000]
grsec: Segmentation fault occurred at 0000000041ea0ddc in /var/tmp/portage/www-client/firefox-5.0/work/mozilla-release/obj-x86_64-unknown-linux-gnu/dist/bin/xpcshell[xpcshell:10891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:10882] uid/euid:0/0 gid/egid:0/0                                                                                                   
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/www-client/firefox-5.0/work/mozilla-release/obj-x86_64-unknown-linux-gnu/dist/bin/xpcshell[xpcshell:10891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:10882] uid/euid:0/0 gid/egid:0/0


Expected Results:  
Successful compilation of Firefox :)
Comment 1 Radoslaw Madej (radegand) 2011-06-25 19:43:15 UTC
Created attachment 278123 [details]
proposed ebuild
Comment 2 Radoslaw Madej (radegand) 2011-06-25 19:45:51 UTC
Created attachment 278125 [details]
original build log
Comment 3 Radoslaw Madej (radegand) 2011-06-25 19:48:15 UTC
Created attachment 278127 [details]
emerge --info
Comment 4 PaX Team 2011-06-26 09:53:31 UTC
(In reply to comment #0)
> I've added jit flag to the ebuild which is automatically disabled on hardened
> profiles. The additional positive outcome of that is that firefox runs fine
> with mprotect enabled, however Java or Flash plugins will crash it.

hmm, where are they crashing exactly? not allowing runtime codegen should be
gracefully handled by both java and flash these days, so something's still not
right somewhere if you see the whole app crash...
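
The failure pattern in the log (a denied RWX mmap followed by a segfault) and the graceful handling that comment 4 asks about, shown as an added example that is not part of this bug thread or of Firefox's code. The names `jit_alloc_rwx` and `select_backend` are hypothetical, and the example assumes the kernel reports the denial by making `mmap` fail.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum backend { BACKEND_INTERP = 0, BACKEND_JIT = 1 };

/* Hypothetical JIT code-buffer allocator. Returns NULL (never MAP_FAILED)
 * when the kernel refuses a writable+executable anonymous mapping, and
 * records errno so the caller can log why. */
static void *jit_alloc_rwx(size_t len, int *err)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;
        return NULL;
    }
    *err = 0;
    return p;
}

/* Probe once at start-up and choose a backend, so a refused mapping
 * disables runtime code generation instead of being dereferenced later. */
static enum backend select_backend(size_t len, void **code, int *err)
{
    *code = jit_alloc_rwx(len, err);
    if (*code == NULL) {
        fprintf(stderr, "JIT disabled: RWX mmap refused (%s); using interpreter\n",
                strerror(*err));
        return BACKEND_INTERP;
    }
    return BACKEND_JIT;
}

int main(void)
{
    void *code;
    int err;
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    enum backend b = select_backend(len, &code, &err);
    printf("backend: %s\n", b == BACKEND_JIT ? "jit" : "interpreter");
    if (code)
        munmap(code, len);
    return 0;
}
```

On a kernel that permits RWX mappings this prints `backend: jit`; where the mapping is refused it falls back to the interpreter path without crashing.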
Comment 5 Jory A. Pratt gentoo-dev 2011-06-26 17:03:14 UTC

*** This bug has been marked as a duplicate of bug 372947 ***