Bug 425524

Created attachment 317720 [details]
build.log from emerge -q sandbox

Comment 2 SpanKY 2012-07-10 06:31:35 UTC

i added pre-compiled headers support to sandbox-2.6, so perhaps that's why things are crashing

I'm also seeing this on one of my machines; commenting for the CC.

Comment 4 Magnus Granberg 2012-07-14 10:36:26 UTC

Can you check what your pax flags are on cc1 with paxctl?

Yes of course, here you are:

[...]
coventry ~ # paxctl -v /usr/libexec/gcc/i686-pc-linux-gnu/4.6.3/cc1
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-r [/usr/libexec/gcc/i686-pc-linux-gnu/4.6.3/cc1]
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is disabled
[...]

Comment 6 Magnus Granberg 2012-07-16 17:43:12 UTC

Anything in the logs?

Comment 7 Sven Vermeulen (RETIRED) 2012-07-16 17:52:05 UTC

I'm not able to reproduce on an amd64 (~amd64) with SELinux profile enabled (Portage 2.1.11.5 (hardened/linux/amd64/no-multilib/selinux, gcc-4.6.3, glibc-2.15-r2, 3.2.11-hardened x86_64))

J.C. & Arnim, are those systems both x86 systems?

Yes, Intel(R) Pentium(R) 4 for me.

Oooh, a midair collision :)  That's a first for me.

I don't know what changed between July 9th and July 11th, but it compiled successfully. The only emerge updates between those two dates where:

sys-kernel/linux-headers-3.4-r1
sys-devel/automake-1.12.2
sys-kernel/hardened-sources-3.4.4-r2
app-admin/eselect-php-0.6.7

Yes, it's x86. To be precise:

coventry ~ # uname -a
Linux <snipped.out.hostname> 3.1.1-hardened-r1 #1 SMP Thu Nov 24 10:00:32 CET 2011 i686 Intel(R) Xeon(TM) CPU 2.66GHz GenuineIntel GNU/Linux

It's a Pentium-4, Northwood core.

Comment 11 Magnus Granberg 2012-07-16 21:09:03 UTC

It compiles fine in my chroot
jasmin / # emerge --info
Portage 2.1.11.7 (hardened/linux/x86, gcc-4.6.3, glibc-2.15-r2, 3.4.4-hardened-r2 i686)
=================================================================
System uname: Linux-3.4.4-hardened-r2-i686-Intel-R-_Xeon-R-_CPU_E5420_@_2.50GHz-with-gentoo-2.1
Timestamp of tree: Mon, 16 Jul 2012 02:45:01 +0000
app-shells/bash:          4.2_p36
dev-lang/python:          2.6.5-r3, 2.7.3-r2, 3.1.4-r3, 3.2.3-r1
dev-util/cmake:           2.8.7-r5
dev-util/pkgconfig:       0.27
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.10.5
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.1, 1.12.2
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.4.5, 4.5.3-r2, 4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4-r1 (virtual/os-headers)
sys-libs/glibc:           2.15-r2
Repositories: gentoo
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=i686"
CHOST="i686-pc-linux-gnu"
CXXFLAGS="-O2 -pipe -march=i686"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"

Perhaps if you rollback your linux-headers to 3.4 (instead of 3.4-r1) you may be able to reproduce it. That's the only thing that looks like a likely candidate of the 4 portage entries that changed between the time it wouldn't compile to the time it would.

Comment 13 Magnus Granberg 2012-07-16 21:26:39 UTC

(In reply to comment #12)
> Perhaps if you rollback your linux-headers to 3.4 (instead of 3.4-r1) you
> may be able to reproduce it. That's the only thing that looks like a likely
> candidate of the 4 portage entries that changed between the time it wouldn't
> compile to the time it would.

Even if i rollback to 3.4 i can't get sandbox to fail.

Well, I can't explain it. As I said, only those 4 packages changed between a failed and succesful emerge of sandbox. The other similarly configured machine compiled it too, so there must be some common denominator.

As a user, I can consider this closed since it's emerged successfully. But it'd sure be nice to know why.

Rolling back headers to 3.4 doesn't solve this for me. It still breaks at the same point:

[...]
  CC     sb_memory.lo
  CC     debug.lo

i686-pc-linux-gnu-gcc: internal compiler error: Segmentation fault (program cc1)
[...]

There is nothing in the logs (no errors/warnings), save for the above.

Comment 16 Kacper Kowalik (Xarthisius) (RETIRED) 2012-07-17 16:00:30 UTC

(In reply to comment #15)
> Rolling back headers to 3.4 doesn't solve this for me. It still breaks at
> the same point:
> 
> [...]
>   CC     sb_memory.lo
>   CC     debug.lo
> 
> i686-pc-linux-gnu-gcc: internal compiler error: Segmentation fault (program
> cc1)
> [...]
> 
> There is nothing in the logs (no errors/warnings), save for the above.

Could you go to build directory and 1) run make V=1, 2) copy failing command and run with additional flag: -save-temps 3) attach output to this bug (filename.i) 4) if given file use precompiled headers (headers.*.gch) please repeat 1-3) for headers.h, you may need to compress this one.
Also attach your emerge --info please.

I'm getting very weird results with that:

[...]
coventry build-default # make V=1
...
libtool: compile:  i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../../sandbox-2.6/libsbutil -I.. -I../../sandbox-2.6 -I../../sandbox-2.6/libsbutil/include -DETCDIR=\"/etc\" -DLIBSANDBOX_PATH=\"/usr/lib\" -DSANDBOX_BASHRC_PATH=\"/usr/share/sandbox\" -D_REENTRANT -march=native -O2 -pipe -fomit-frame-pointer -Wall -Winvalid-pch -fdata-sections -ffunction-sections -MT debug.lo -MD -MP -MF .deps/debug.Tpo -c ../../sandbox-2.6/libsbutil/src/debug.c  -fPIC -DPIC -o .libs/debug.o

i686-pc-linux-gnu-gcc: internal compiler error: Segmentation fault (program cc1)
[...]

However, when I copy that command in the src/ dir, I get no error:
[...]
coventry src # /bin/sh libtool  --tag=CC   --mode=compile i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../../sandbox-2.6/libsbutil -I..  -I../../sandbox-2.6 -I../../sandbox-2.6/libsbutil/include -DETCDIR="\"/etc\"" -DLIBSANDBOX_PATH="\"/usr/lib\"" -DSANDBOX_BASHRC_PATH="\"/usr/share/sandbox\"" -D_REENTRANT  -march=native -O2 -pipe -fomit-frame-pointer -Wall -Winvalid-pch -fdata-sections -ffunction-sections -MT debug.lo -MD -MP -MF .deps/debug.Tpo -c -o debug.lo `test -f 'src/debug.c' || echo '../../sandbox-2.6/libsbutil/'`src/debug.c
libtool: compile:  i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../../sandbox-2.6/libsbutil -I.. -I../../sandbox-2.6 -I../../sandbox-2.6/libsbutil/include -DETCDIR=\"/etc\" -DLIBSANDBOX_PATH=\"/usr/lib\" -DSANDBOX_BASHRC_PATH=\"/usr/share/sandbox\" -D_REENTRANT -march=native -O2 -pipe -fomit-frame-pointer -Wall -Winvalid-pch -fdata-sections -ffunction-sections -MT debug.lo -MD -MP -MF .deps/debug.Tpo -c ../../sandbox-2.6/libsbutil/src/debug.c  -fPIC -DPIC -o .libs/debug.o
libtool: compile:  i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../../sandbox-2.6/libsbutil -I.. -I../../sandbox-2.6 -I../../sandbox-2.6/libsbutil/include -DETCDIR=\"/etc\" -DLIBSANDBOX_PATH=\"/usr/lib\" -DSANDBOX_BASHRC_PATH=\"/usr/share/sandbox\" -D_REENTRANT -march=native -O2 -pipe -fomit-frame-pointer -Wall -Winvalid-pch -fdata-sections -ffunction-sections -MT debug.lo -MD -MP -MF .deps/debug.Tpo -c ../../sandbox-2.6/libsbutil/src/debug.c -o debug.o >/dev/null 2>&1
coventry src #
[...]

After that, it errors with the same compiler segfault on `environ.c' again (when I make V=1).

The output of debug.i is 10498 lines, do you still need me to paste that or offer it online in some fashion?

Can someone else confirm my findings of the above?

Comment 19 SpanKY 2012-07-31 13:40:03 UTC

*** Bug 428782 has been marked as a duplicate of this bug. ***

Will this bug be fixed? It's still broken in my current environment.

I'm also seeing this on my machine (hardened,i686, Intel T2300)

It's been there for quite some time now (since sandbox-2.6) as far as I can remember.

Someone told me to report this after they couldn't help me in a forum. 
Can provide build.log emerge --info. Other than that I#m just a noob - sorry

(In reply to comment #21)

workaround from the Forum[german] http://www.gentooforum.de/artikel/20912/failed-to-emerge-sys-apps-sandbox-2-6-mal-wieder.html is:
build sandbox-2.6 with a non-hardened Kernel

Comment 23 SpanKY 2012-11-17 19:16:55 UTC

the next release will have a configure flag which should let you disable pch (since it's just a build-time optimization)

http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commitdiff;h=f2500f5954611d110ac18e9990f42d5a915f8101

Comment 24 Jory A. Pratt 2013-06-02 21:01:48 UTC

(In reply to SpanKY from comment #23)
> the next release will have a configure flag which should let you disable pch
> (since it's just a build-time optimization)
> 
> http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commitdiff;
> h=f2500f5954611d110ac18e9990f42d5a915f8101

7 months and still no release, what is the expected time frame on this update?

Comment 25 Jory A. Pratt 2013-06-27 02:56:03 UTC

*** Bug 474880 has been marked as a duplicate of this bug. ***

Comment 26 SpanKY 2013-06-27 20:46:25 UTC

*** Bug 474958 has been marked as a duplicate of this bug. ***

So it looks like we have multiple duplicate bugs that land us to this page. Any updates to this issue?

My bug was reported here:
https://bugs.gentoo.org/show_bug.cgi?id=474880

Comment 28 SpanKY 2013-06-30 22:15:56 UTC

this isn't a bug in sandbox.  gcc (when hardening is enabled) is broken.  disabling pch in sandbox doesn't fix gcc.

Comment 29 Anthony Basile 2013-06-30 23:03:48 UTC

(In reply to SpanKY from comment #28)
> this isn't a bug in sandbox.  gcc (when hardening is enabled) is broken. 
> disabling pch in sandbox doesn't fix gcc.

its not gcc, but PaX's randmmap, so even a vanilla gcc with a pax enabled kernel would hit this.  if we pax-mark cc1 and cc1plus -r, then randmmap is disable and it works.  i just tested to convince myself.

@those hitting this do the following:

1) Check that your running a pax hardened kernel and where the kernel is looking for the markings:

   zcat /proc/config.gz | grep _PAX_FLAGS

2) If you are using the traditional PT_PAX then check

   paxctl -v /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.3/cc1*

and make sure RANDMMAP is disabled.

3) If you are using the new and sexy XATTR_PAX_FLAGS, then

  paxctl-ng -v /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.3/cc1*


Having said that, I'm not a great fan of pch.  I'm not sure what the gain is on small projects.  I'd prefer to leave -r off cc1 and cc1plus and not deal with pch, but that's not the world we live in.

I'm still running across this problem, but no PAX enabled on my end...

cat /usr/src/linux/.config | grep _PAX_FLAGS
# CONFIG_PAX_PT_PAX_FLAGS is not set
# CONFIG_PAX_XATTR_PAX_FLAGS is not set

Tried paxctl just for kicks:

- PaX flags: -------x-e-r [/usr/libexec/gcc/i686-pc-linux-gnu/4.6.3/cc1]
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is disabled
- PaX flags: -------x-e-r [/usr/libexec/gcc/i686-pc-linux-gnu/4.6.3/cc1plus]
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is disabled

Current gcc set:
[20] i686-pc-linux-gnu-4.6.3 *

Result...

i686-pc-linux-gnu-gcc: internal compiler error: Segmentation fault (program cc1)
Please submit a full bug report,
with preprocessed source if appropriate.
See <http://bugs.gentoo.org/> for instructions.
make[2]: *** [debug.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
emake failed
 * ERROR: sys-apps/sandbox-2.6-r1 failed (compile phase):
 *   (no error message)


Thanks!

Comment 31 Anthony Basile 2013-07-01 18:12:49 UTC

(In reply to lou from comment #30)
> I'm still running across this problem, but no PAX enabled on my end...
> 
> cat /usr/src/linux/.config | grep _PAX_FLAGS
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> # CONFIG_PAX_XATTR_PAX_FLAGS is not set
> 
> Tried paxctl just for kicks:
> 
> - PaX flags: -------x-e-r [/usr/libexec/gcc/i686-pc-linux-gnu/4.6.3/cc1]
>         RANDEXEC is disabled
>         EMUTRAMP is disabled
>         RANDMMAP is disabled
> - PaX flags: -------x-e-r [/usr/libexec/gcc/i686-pc-linux-gnu/4.6.3/cc1plus]
>         RANDEXEC is disabled
>         EMUTRAMP is disabled
>         RANDMMAP is disabled
> 
> Current gcc set:
> [20] i686-pc-linux-gnu-4.6.3 *
> 
> Result...
> 
> i686-pc-linux-gnu-gcc: internal compiler error: Segmentation fault (program
> cc1)
> Please submit a full bug report,
> with preprocessed source if appropriate.
> See <http://bugs.gentoo.org/> for instructions.
> make[2]: *** [debug.lo] Error 1
> make[2]: *** Waiting for unfinished jobs....
> make[1]: *** [all-recursive] Error 1
> make: *** [all] Error 2
> emake failed
>  * ERROR: sys-apps/sandbox-2.6-r1 failed (compile phase):
>  *   (no error message)
> 
> 
> Thanks!

I'm not sure you don't have pax there, just not the markings.  Try vanilla-sources or gentoo-sources.  I bet you the problem will go away :)

Really? I have hardened-sources with no PAX markings, and I need to change kernel?

Comment 33 Anthony Basile 2013-07-01 21:54:41 UTC

(In reply to lou from comment #32)
> Really? I have hardened-sources with no PAX markings, and I need to change
> kernel?

No pax markins doesn't mean pax is not enforced.

Comment 34 SpanKY 2013-07-02 23:39:09 UTC

(In reply to Anthony Basile from comment #29)

i'm not familiar with pch internals.  i guess the issue is that pch is compiled and then expected to get mmap-ed back at the same address ?  and if it doesn't (because of say randmmap), it goes boom ?

Comment 35 Magnus Granberg 2013-07-03 00:33:33 UTC

(In reply to SpanKY from comment #34)
> (In reply to Anthony Basile from comment #29)
> 
> i'm not familiar with pch internals.  i guess the issue is that pch is
> compiled and then expected to get mmap-ed back at the same address ?  and if
> it doesn't (because of say randmmap), it goes boom ?
bug #301299 comment 31
The only way around i see is to add use flag for pch.
If that don't work we need to get a bt on the error.

Comment 36 Anthony Basile 2013-07-03 01:24:22 UTC

(In reply to SpanKY from comment #34)
> (In reply to Anthony Basile from comment #29)
> 
> i'm not familiar with pch internals.  i guess the issue is that pch is
> compiled and then expected to get mmap-ed back at the same address ?  and if
> it doesn't (because of say randmmap), it goes boom ?

basically yes

I have come across this same bug, although compilation breaks at a different
point:

---
  CC     sb_memory.lo
  CC     debug.lo
  CC     string.lo
  CC     file.lo
  CC     config.lo
  CC     dynbuf.lo

x86_64-pc-linux-gnu-gcc: internal compiler error: Segmentation fault (program cc1)
---

I have three boxes with hardened sources. Sandbox does not emerge in one of
the boxes, but it successfully compiles in the others.  The three boxes have
similar PAX configuration, so I wonder if this is really PAX related. 

These are the three boxes. I get the bug in the first box:

1 Linux 3.9.5-hardened #4 SMP Fri Jul 19 14:59:10 CEST
  2013 x86_64 AMD Opteron(tm) Processor 4180 AuthenticAMD GNU/Linux
  CFLAGS="-march=native -O2 -pipe"
  sandbox-2.5 emerges correctly
  sandbox-2.6.r1 fails to emerge


2 Linux 3.9.5-hardened #1 SMP Thu Jul 11 21:19:21 CEST 2013 x86_64
  Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz GenuineIntel GNU/Linux
  CFLAGS="-march=core2 -O2 -pipe"
3 Linux 3.9.5-hardened_GNT #6 SMP Fri Jul 19 21:20:29 CEST 2013
  x86_64 Six-Core AMD Opteron(tm) Processor 2431 AuthenticAMD GNU/Linux
  CFLAGS="-march=native -O2 -pipe"


The three boxes have this same PAX configuration:
zcat /proc/config.gz | grep PAX
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
# CONFIG_PAX_XATTR_PAX_FLAGS is not set
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
# CONFIG_PAX_MEMORY_STRUCTLEAK is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
# CONFIG_PAX_REFCOUNT is not set
# CONFIG_PAX_USERCOPY is not set
# CONFIG_PAX_SIZE_OVERFLOW is not set
# CONFIG_PAX_LATENT_ENTROPY is not set

Same gcc version:
gcc-config -l
 [1] x86_64-pc-linux-gnu-4.6.3 *
 [2] x86_64-pc-linux-gnu-4.6.3-hardenednopie
 [3] x86_64-pc-linux-gnu-4.6.3-hardenednopiessp
 [4] x86_64-pc-linux-gnu-4.6.3-hardenednossp
 [5] x86_64-pc-linux-gnu-4.6.3-vanilla

That bug happened to me and it seems that Anthony is quite right. My system had PAX enabled but my kernel was not reading the ELF flags nor the FS flags so basically, the flags were always ignored. I fixed my kernel to read XATTR_FLAGS and then updated my pax flags using `migrate-pax -m` and that solved the problem.

(In reply to Mounir Lamouri from comment #38)
> That bug happened to me and it seems that Anthony is quite right. My system
> had PAX enabled but my kernel was not reading the ELF flags nor the FS flags
> so basically, the flags were always ignored. I fixed my kernel to read
> XATTR_FLAGS and then updated my pax flags using `migrate-pax -m` and that
> solved the problem.

You are right! Enabling CONFIG_PAX_XATTR_PAX_FLAGS allows sandbox to emerge. 

# zcat /proc/config.gz  | grep XATTR_PAX
CONFIG_PAX_XATTR_PAX_FLAGS=y

Thanks!

I was running into the exact same problem as everyone else, with cc1 segfault on file.o. So I noticed that I didn't have CONFIG_PAX_XATTR_PAX_FLAGS set in my kernel, and set that and recompiled. I then did 'migrate-pax -m' as recommended in comment #38 but this was not enough to make it work. I had to do

paxctl-ng -p -e -m -r -s /usr/libexec/gcc/i486-pc-linux-gnu/4.6.4/cc1*

to get sandbox to compile. I removed -p, -m, and -s afterwards, to put it back the way it was (just -e and -r).

I have to say it's very frustrating running into this kind of thing and people automatically say that you have faulty hardware. That said, thanks to everyone who helped with solutions to this problem. Seems like this is more of a stopgap though than a real solution, FWIW.

I had this same issue pop up today when building a test setup on a vm and doing the "emerge world -uDN," but I was showing a segfault with cc1 at debug.lo.

What I had done exactly, was build a semi-usable kernel that will get the system loaded while I tinker the rest of it into place.  It is important to note that I did not do my homework and enabled: CONFIG_PAX_PT_PAX_FLAGS=y at this point, where had I read: http://www.gentoo.org/proj/en/hardened/pax-migrate-xattr.xml?style=printable, I would have seen that PT_PAX is depricated.  After booting into the new system, I saw SELinux working, and I proceeded to relabel the filesystem and get the rest of the system set up.  Of course I mixed variables and modified the features in grsec and inadvertently broke the flags.  I believe this is where the problem was since I added:

CONFIG_PAX_XATTR_PAX_FLAGS=y

After running:
     "migrate-pax -m"

and setting CONFIG_PAX_PT_PAX_FLAGS=n, it worked.

Comment 42 Rick Farina (Zero_Chaos) 2013-11-26 14:00:08 UTC

So, this is killing infra's build box for amd64 and x86 right now.  When the hardened box tries to build a default stage we get an ice which the kernel then freaks out and locks the portage account which obviously ends the autobuilds.  Personally, I would just remove the pre-compiled headers entirely as the milliseconds saved on the build hardly seem worth it.  But I'd be perfectly happy with a use flag disabled per default.

Comment 43 SpanKY 2013-11-28 00:52:54 UTC

Commit message: Disable pch logic for now
http://sources.gentoo.org/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch?rev=1.1
http://sources.gentoo.org/sys-apps/sandbox/sandbox-2.6-r1.ebuild?r1=1.14&r2=1.15

Comment 44 Magnus Granberg 2015-01-26 21:01:13 UTC

Close?

Comment 45 Michael Orlitzky 2015-01-28 23:02:58 UTC

(In reply to Magnus Granberg from comment #44)
> Close?

I haven't seen this issue in a long time, so +1 from me.

Comment 46 SpanKY 2016-01-18 09:52:50 UTC

the issue went away because we disabled pch usage in the sandbox-2.6-r1, not because anything was actually fixed

*** This bug has been marked as a duplicate of bug 301299 ***