
Bug 432520

Summary: media-libs/mesa-8.0.3: segfault in nouveau_dri (?) due to RWX mmap
Product: Gentoo Linux
Reporter: Maxim Kammerer <mk>
Component: Hardened
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED FIXED
Severity: normal
CC: dschridde+gentoobugs, nikoli, x11
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.freedesktop.org/show_bug.cgi?id=73473
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: glxgears strace; http://cgit.freedesktop.org/mesa/mesa/patch/?id=4dd445f1cf80292f10eda53665cefc2a674d838d

Description Maxim Kammerer 2012-08-24 05:19:05 UTC
An RWX mmap in, apparently, /usr/lib/dri/nouveau_dri.so (could also be libdrm_nouveau?) is causing a segfault under hardened kernel 3.4.7:

grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/glxgears[glxgears:4379] uid/euid:2101/2101 gid/egid:9000/9000, parent /usr/bin/strace[strace:4377] uid/euid:2101/2101 gid/egid:9000/9000
grsec: Segmentation fault occurred at ffffffff in /usr/bin/glxgears[glxgears:4379] uid/euid:2101/2101 gid/egid:9000/9000, parent /usr/bin/strace[strace:4377] uid/euid:2101/2101 gid/egid:9000/9000

media-libs/mesa-8.0.3 was built with the following:
USE="classic gallium nptl pax_kernel pic shared-dricore shared-glapi xa -bindist -d3d -debug -egl -g3dvl -gbm -gles1 -gles2 -llvm -openvg -osmesa (-selinux) -vdpau (-wayland) -xvmc" VIDEO_CARDS="intel nouveau radeon vmware -i915 -i965 -r100 -r200 -r300 -r600"

x11-libs/libdrm-2.4.33 was built with the following:
USE="libkms -static-libs" VIDEO_CARDS="intel nouveau radeon vmware -omap"

sys-devel/gcc-4.5.3-r2 was built with the following:
USE="cxx hardened nls nptl openmp (-altivec) -bootstrap -build -doc (-fixed-point) -fortran -gcj -graphite -gtk (-libssp) -lto -mudflap (-multilib) -multislot -nocxx -nopie -nossp -objc -objc++ -objc-gc -test -vanilla"
CFLAGS="-O2 -march=pentium3 -mtune=core2 -pipe"
CXXFLAGS="-O2 -march=pentium3 -mtune=core2 -pipe"
Comment 1 Maxim Kammerer 2012-08-24 05:19:45 UTC
Created attachment 322062
glxgears strace
Comment 3 Nikoli 2014-03-11 20:32:15 UTC
media-libs/mesa-9.2.5-r1 still has this bug, so I asked upstream in #nouveau@freenode:
[18:03:08] <xexaxo> iirc there was a case where gallium/tasm did not check the return value of mmap although that one should affect every gallium user
[18:03:58] <xexaxo> fwiw the commit that fixes that is 4dd445f1cf, although...
[18:04:38] <Nikoli> xexaxo, which mesa release is it?
[18:05:00] <Nikoli> or is this commit only in git master?
[18:05:49] <xexaxo> should have landed in 10.1 and I've CC'd stable (9.1, 9.2 10.0) although I'm guessing that only 10.0 may have it
[18:07:04] <xexaxo> present in 10.0.3 and 10.1+
[18:10:24] <Nikoli> xexaxo, will this patch work with 9.2.5? http://cgit.freedesktop.org/mesa/mesa/patch/?id=4dd445f1cf80292f10eda53665cefc2a674d838d
[18:10:32] <Nikoli> or it needs editing?
[18:14:45] <xexaxo> Nikoli: cannot see why it would fail. tasm has not been touched (with a few 10+ commits aside) for 2+ years
[18:15:01] <xexaxo> *gallium/tasm
[18:15:35] <xexaxo> if it does not the conflicts should be trivial

The attached patch is from http://cgit.freedesktop.org/mesa/mesa/patch/?id=4dd445f1cf80292f10eda53665cefc2a674d838d ; mesa builds and works fine with it :) I tested on 3 hardened systems: all of them work fine with this patch and do not need PaX marking anymore. Please commit this patch as mesa-9.2.5-r2.ebuild
P.S. I tested these apps: KDE session, mpv -vo opengl, glxgears, stellarium, celestia, gltron, ksudoku.
Comment 4 Dennis Schridde 2015-02-10 19:46:10 UTC
Is this bug fixed already?
Comment 5 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev 2015-02-10 19:59:16 UTC
You can use revdep-pax to find and mark programs depending on it, other than that there is little else we can do.
Comment 6 Dennis Schridde 2015-02-10 20:40:56 UTC
(In reply to Francisco Blas Izquierdo Riera from comment #5)
> You can use revdep-pax to find and mark programs depending on it, other than
> that there is little else we can do.

I was asking, because the upstream bug [1] is marked RESOLVED/FIXED and <media-libs/mesa-9.1 is p-masked.

Nikoli has a fix for 9.2.5 (can it be backported to reach the oldest stable, 9.1.6, too?) - what is wrong with that patch?

[1]: https://bugs.freedesktop.org/show_bug.cgi?id=73473
Comment 7 Anthony Basile gentoo-dev 2015-02-10 21:13:12 UTC
(In reply to Dennis Schridde from comment #6)
> (In reply to Francisco Blas Izquierdo Riera from comment #5)
> > You can use revdep-pax to find and mark programs depending on it, other than
> > that there is little else we can do.
> 
> I was asking, because the upstream bug [1] is marked RESOLVED/FIXED and
> <media-libs/mesa-9.1 is p-masked.
> 
> Nikoli has a fix for 9.2.5 (can it be backported to reach the oldest stable,
> 9.1.6, too?) - what is wrong with that patch?
> 
> [1]: https://bugs.freedesktop.org/show_bug.cgi?id=73473

We have two possibilities:

1) the RWX mapping was fixed in nouveau_dri.so in which case this bug is done.

2) the RWX mapping is not fixed, in which case you get the seg fault.  The only thing we can do then is to use revdep-pax (from the sys-app/elfix package) to find all the consumers of nouveau_dri.so and mark them.

In either case, we have a working solution to this problem.

It sounds like you want a mask removed?  Where is this mask?
Comment 8 Dennis Schridde 2015-02-10 22:30:07 UTC
(In reply to Anthony Basile from comment #7)
> It sounds like you want a mask removed?  Where is this mask?

I do not want any mask removed. I was just mentioning that the version this was originally reported against is already masked for security vulnerabilities.
Comment 9 Nikoli 2015-02-11 01:39:49 UTC
Yes, this is fixed upstream: no pax marking is required now when using nouveau drivers. Mesa releases 10.0.4, 10.2.8 are marked stable and include commit 4dd445f1cf80292f10eda53665cefc2a674d838d
Comment 10 Anthony Basile gentoo-dev 2015-02-11 04:20:58 UTC
(In reply to Nikoli from comment #9)
> Yes, this is fixed upstream: no pax marking is required now when using
> nouveau drivers. Mesa releases 10.0.4, 10.2.8 are marked stable and include
> commit 4dd445f1cf80292f10eda53665cefc2a674d838d

Thanks.