Bug 457146

Summary:	=gnome-base/gnome-shell-3.6.2-r1 segfaults with dev-libs/libffi-3.0.12[pax_kernel]
Product:	Gentoo Linux	Reporter:	Charles Svitlik <staticsunn>
Component:	[OLD] GNOME	Assignee:	Gentoo Toolchain Maintainers <toolchain>
Status:	RESOLVED DUPLICATE
Severity:	normal	CC:	gnome, hardened
Priority:	Normal
Version:	unspecified
Hardware:	AMD64
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	Log of abrt report @0 from amd64 system abrt log from intel system

Description Charles Svitlik 2013-02-13 19:16:44 UTC

I updated a few packages yesterday and now I cannot log into GNOME shell, GDM doesn't even show a login screen.

Reproducible: Always

Steps to Reproduce:
1. /etc/init.d/xdm start
2. wait a few seconds
Actual Results:  
GNOME's "An error has occurred! ... Please contact a system administrator." screen appears, without even getting to a gdm login screen. 

Expected Results:  
gdm should have given me a prompt to log in.

Portage 2.1.11.51 (hardened/linux/amd64, gcc-4.7.2, glibc-2.17, 3.7.5-hardened x86_64)
=================================================================
System uname: Linux-3.7.5-hardened-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P7350_@_2.00GHz-with-gentoo-2.2
KiB Mem:     3874788 total,    359544 free
KiB Swap:    2097144 total,   2052564 free
Timestamp of tree: Wed, 13 Feb 2013 17:30:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash:          4.2_p42
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.3-r3, 3.2.3-r2
dev-util/cmake:           2.8.10.2-r1
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.10.3, 1.11.6, 1.13.1
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.7.2
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo elementary x11 ubuntu gamerlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA Q3AEULA Oracle-BCLA-JavaSE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -flto"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe -flto"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--jobs 2"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs candy compress-build-logs config-protect-if-modified distlocks ebuild-locks fakeroot fixlafiles merge-sync news parallel-fetch parallel-install preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-flto"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/elementary /var/lib/layman/x11 /var/lib/layman/ubuntu /var/lib/layman/gamerlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X Xaw3d aalib acl acpi alsa amd64 autoipd avahi berkdb bindist bluetooth bzip2 cairo caps cdda cjk cleartype cli consolekit corefonts cracklib crypt cue cups cvs cxx dbus dconf dga directfb djvu dri dvd exif fbcon ffmpeg fftw flac fontconfig fuse gconf gdbm gdu gif gmp gnome gnome-keyring gnome-online-accounts gnome-shell gnutls gpm gstreamer gtk gtk3 hardened http i18n iconv icu imagemagick imlib infinality ipv6 jabber jack jit joystick jpeg justify l10n lame laptop libcaca libnotify mad mmx mmxext modules mp3 mpeg msn mudflap multilib nautilus ncurses networkmanager nls nptl nsplugin nss offensive ogg openal opengl openmp pam pax_kernel pcre pdf perl pic png policykit pulseaudio python qt3support readline realtime rss samba sdl session smp spell sqlite sse sse2 ssl startup-notification subversion svg taglib tcpd theora threads tiff tls truetype udev udisks unicode upnp urandom usb v4l vala vim-syntax vorbis vpx webkit wifi wxwidgets x264 xcb xft xinerama xml xorg xpm xv xvid zlib zsh-completion" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="pc default" INPUT_DEVICES="keyboard mouse synaptics evdev joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_US" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby19" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

dmesg says:
[ 5502.014445] PAX: execution attempt in: <anonymous mapping>, 33acc001000-33acc002000 33acc001000
[ 5502.014452] PAX: terminating task: /usr/bin/gnome-shell(gnome-shell):9680, uid/euid: 110/110, PC: 0000033acc001010, SP: 000003ff9916cfb8
[ 5502.014455] PAX: bytes at PC: 49 bb 2e a0 33 d8 3a 03 00 00 49 ba 10 10 00 cc 3a 03 00 00 
[ 5502.014468] PAX: bytes at SP-8: 000003ff9916d000 0000033ade16b9fc 0000033ae4e4cd90 0000033ac8007680 0000000100000001 0000033ac8007680 0000033ae4876a50 0000033ae4e4cd90 0000033ae4714930 bed49c53378a1000 000003ff9916d050 

If I paxctl -pemrxs /usr/bin/gnome-shell it segfaults anyways.

List of packages updated: http://pastebin.com/3R0ni5h6
Xorg.0.log: http://pastebin.com/3R0ni5h6

Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev

2013-02-13 19:45:36 UTC

> If I paxctl -pemrxs /usr/bin/gnome-shell it segfaults anyways.

Does the dmesg message change in this case?

> List of packages updated: http://pastebin.com/3R0ni5h6

Please attach files to the bug report as attachments, not in pastebin. (First, pastebins are automatically deleted after some time, but we sometimes need to refer to a bug report months later. Second, pastebin.com specifically is blocked by many company firewalls.)

In any case, we need a gdb backtrace to diagnose the crash.

Please 
1. re-emerge dev-libs/glib, spidermonkey, gjs, cogl, clutter, mutter, and gnome-shell with -ggdb in CFLAGS and splitdebug in FEATURES (see http://www.gentoo.org/proj/en/qa/backtraces.xml for more information);
2. install app-admin/abrt, do /etc/init.d/abrt start
3. make gnome-shell crash
4. obtain the backtrace from abrt (you can use abrt-gui or abrt-cli), and add it to this bug report as attachment.

Comment 2 Charles Svitlik 2013-02-14 00:17:41 UTC

Created attachment 338816 [details]
Log of abrt report @0 from amd64 system

OK.

I guess I should also mention that I have two systems - one is Intel and one is AMD64. When I filed this bug report I filed it from my Intel system, but marked the Architecture field as AMD64. I am having this problem on both systems, both of which are PaX kernels.

This abrt log is from my AMD64 system.

Also, I rebuilt the Intel kernel with grsec/pax disabled, and am still having this issue. I will attach abrt output from the Intel system shortly.

Comment 3 Charles Svitlik 2013-02-14 00:57:56 UTC

Created attachment 338822 [details]
abrt log from intel system

This one seems like it could be more helpful...

Comment 4 iGentoo 2013-02-14 01:43:02 UTC

The problem may be here:

/usr/lib64/libffi.so.6.0.1

Comment 5 Alexandre Rostovtsev (RETIRED) gentoo-dev

2013-02-14 03:35:12 UTC

(In reply to comment #3)
> Created attachment 338822 [details]
> abrt log from intel system
> 
> This one seems like it could be more helpful...

Thanks. This one contains enough detail, but it presents a scenario that simply makes no sense.

gnome-shell, via gjs, spidermonkey, and libffi, calls clutter_actor_add_constraint(), which calls _clutter_meta_group_add_meta to append the new constrain to actor's constraint list, which after doing the appending, in turn calls _clutter_actor_meta_set_actor to point the new constraint's actor field to our actor.

So far so good.

Now, _clutter_actor_meta_set_actor looks like this:

void
_clutter_actor_meta_set_actor (ClutterActorMeta *meta,
                               ClutterActor     *actor)
{
  g_return_if_fail (CLUTTER_IS_ACTOR_META (meta));
  g_return_if_fail (actor == NULL || CLUTTER_IS_ACTOR (actor));

  CLUTTER_ACTOR_META_GET_CLASS (meta)->set_actor (meta, actor);
}

We pass the first two lines, which means "meta" is a valid constraint pointer, and "actor" is a valid actor pointer. Which means CLUTTER_ACTOR_META_GET_CLASS (meta)->set_actor (meta, actor) simply cannot fail.

But the next function call is to address 0x00007ff0f360a010, which (as you may notice) is not in libclutter's memory mapping range at all. In fact, 0x00007ff0f360a010 is the address of the address of some class (I am guessing a wrapper for manipulating the actor via javascript) in libmozjs in spidermonkey!

In other words, at some point, "meta"'s set_actor field got changed from a valid function pointer to a pointer to a spidermonkey javascript class. And since a javascript class is not a C function, this results in a crash.

There is a memory access bug somewhere, but I have no idea where. Could be libffi, could be spidermonkey, could be gjs, could be clutter :/

Comment 6 Alexandre Rostovtsev (RETIRED) gentoo-dev

2013-02-14 03:39:20 UTC

(In reply to comment #5)
Corrections:

> Which means
> CLUTTER_ACTOR_META_GET_CLASS (meta)->set_actor (meta, actor) simply cannot
> fail
as long as set_actor points to the right place

> 0x00007ff0f360a010 is the address of the address of some class

should be: is the address of a structure representing some javascript class.

Comment 7 Charles Svitlik 2013-02-14 06:17:13 UTC

I think it's libffi. I downgraded to libffi-3.0.11 on both systems and re-merged all the packages you mentioned (clutter, mutter, glib, ...) as well as updated to the latest unstable video card drivers (mesa-9999, llvm-9999, libdrm-9999, and xf86-video-intel-9999 on the intel system, and xf86-video-radeon-9999 on the amd64 system), and am able to log in, everything is back to normal.

While chatting in #gentoo-hardened, someone mentioned something about PaX markings, then I noticed that libffi-3.0.11 has USE=(-pax_kernel) and libffi-3.0.12 has USE=pax_kernel.

Maybe they're connected? Maybe not? I don't know either, sorry!

Anyways, I'm able to use my system as normal again. I guess you can close this bug? I'm more than willing to help figure out what's up, if anything.

Thanks for all your help.

Comment 8 Alexandre Rostovtsev (RETIRED) gentoo-dev

2013-02-14 13:46:57 UTC

Assigning to libffi maintainers.

Comment 9 SpanKY gentoo-dev

2013-02-18 06:16:00 UTC


*** This bug has been marked as a duplicate of bug 457194 ***