Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 473932

Summary: =x11-misc/xlockmore-5.41 is killed by pax on non-hardened profile
Product: Gentoo Linux Reporter: Agostino Sarubbo <ago>
Component: Current packagesAssignee: Desktop Misc. Team <desktop-misc>
Status: CONFIRMED ---    
Severity: normal CC: hardened
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-06-20 15:05:15 UTC
pax.log reports:

Jun 20 12:29:31 devil kernel: PAX: execution attempt in: <anonymous mapping>, a5ddd000-a5e5d000 a5ddd000
Jun 20 12:29:31 devil kernel: PAX: terminating task: /usr/bin/xlock(xlock):28784, uid/euid: 1000/1000, PC: a5ddd010, SP: bed6d5dc
Jun 20 12:29:31 devil kernel: PAX: bytes at PC: 55 89 e5 81 e4 f0 ff ff ff 53 57 56 81 ec 74 07 00 00 8b 45 
Jun 20 12:29:31 devil kernel: PAX: bytes at SP-4: 00000074 a6c3ae14 0c2b5c4c 0c424238 0c2abd48 00000000 00000018 00000074 0c2ab924 00000000 00000014 00000000 00000000 00000004 bed6d6b0 00000007 00000018 00000000 0000000c 00000000 00000000 
Jun 20 15:14:55 devil kernel: PAX: execution attempt in: <anonymous mapping>, a53fd000-a6789000 a53fd000
Jun 20 15:14:55 devil kernel: PAX: terminating task: /usr/bin/xlock(xlock):2639, uid/euid: 1000/1000, PC: a53fd010, SP: b27f1e6c
Jun 20 15:14:55 devil kernel: PAX: bytes at PC: 55 89 e5 81 e4 f0 ff ff ff 53 57 56 81 ec 54 03 00 00 8b 45 
Jun 20 15:14:55 devil kernel: PAX: bytes at SP-4: 00000054 a6c4ce14 0c0c5b24 0c263b08 0c0bbc28 00000000 0000001a 00000054 0c0bb804 00000000 0000000c 00000000 00000000 00000004 b27f1f40 00000003 0000001a 00000000 00000001 00000001 00000000 
Jun 20 15:19:22 devil kernel: PAX: execution attempt in: <anonymous mapping>, 9c70b000-9da97000 9c70b000
Jun 20 15:19:22 devil kernel: PAX: terminating task: /usr/bin/xlock(xlock):8792, uid/euid: 1000/1000, PC: 9c70b010, SP: b29b090c
Jun 20 15:19:22 devil kernel: PAX: bytes at PC: 55 89 e5 81 e4 f0 ff ff ff 53 57 56 81 ec b4 03 00 00 8b 45 
Jun 20 15:19:22 devil kernel: PAX: bytes at SP-4: 00000054 9df5ae14 09705a34 098814d8 096fbb38 00000000 00000034 00000054 096fb714 00000000 00000000 00000000 00000000 00000004 b29b09e0 00000003 00000034 00000000 00000001 00000001 00000000 
Jun 20 15:19:27 devil kernel: PAX: execution attempt in: <anonymous mapping>, a585c000-a58dc000 a585c000
Jun 20 15:19:27 devil kernel: PAX: terminating task: /usr/bin/xlock(xlock):8913, uid/euid: 1000/1000, PC: a585c010, SP: b3ba88bc
Jun 20 15:19:27 devil kernel: PAX: bytes at PC: 55 89 e5 81 e4 f0 ff ff ff 53 57 56 81 ec 74 07 00 00 8b 45 
Jun 20 15:19:27 devil kernel: PAX: bytes at SP-4: 00000074 a66b9e14 0c03b3f4 0c1a98c0 0c0314e8 00000000 00000018 00000074 0c0310c4 00000000 00000014 00000000 00000000 00000004 b3ba8990 00000007 00000018 00000000 0000000c 00000000 00000000 
Jun 20 15:21:48 devil kernel: PAX: execution attempt in: <anonymous mapping>, acf7a000-ad906000 acf7a000
Jun 20 15:21:48 devil kernel: PAX: terminating task: /usr/bin/xlock(xlock):9395, uid/euid: 1000/1000, PC: acf7a010, SP: bcb0b47c
Jun 20 15:21:48 devil kernel: PAX: bytes at PC: 55 89 e5 81 e4 f0 ff ff ff 53 57 56 81 ec 44 06 00 00 8b 45 
Jun 20 15:21:48 devil kernel: PAX: bytes at SP-4: 00000064 addc9e14 0a9c0e2c 0abf6c18 0a9b59f0 00000000 00000004 00000064 0a9b55cc 00000000 00000000 00000000 00000000 00000004 bcb0b550 00000007 00000004 00000000 00000001 00000001 00000000 

It happens sometimes, is not reproducible always

Portage 2.1.12.2 (default/linux/x86/13.0, gcc-4.6.3, glibc-2.15-r3, 3.2.42-hardened-r1 i686)
=================================================================
System uname: Linux-3.2.42-hardened-r1-i686-Intel-R-_Celeron-R-_M_CPU_430_@_1.73GHz-with-gentoo-2.2
KiB Mem:     2060284 total,   1290144 free
KiB Swap:    1048572 total,   1048572 free
Timestamp of tree: Wed, 19 Jun 2013 09:30:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.3-r3
dev-util/cmake:           2.8.10.2-r2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.12.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium-m -g0"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=pentium-m -g0"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp/"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac acl alsa berkdb bzip2 cairo cli consolekit cracklib crypt cxx dbus dri fortran gdbm gpm gudev iconv imlib jpeg jpeg2k lame modules mudflap ncurses nptl ogg opengl openmp pam pax_kernel pcre png policykit readline session ssl tcpd tiff unicode vorbis wicd x86 zlib" ABI_X86="32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-20 18:09:07 UTC
So are you using a pax enabled kernel on a non-pax profile?  That would cause problems.  I don't think that is something supportable though.
Comment 2 Agostino Sarubbo gentoo-dev 2013-06-20 18:27:51 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #1)
> So are you using a pax enabled kernel on a non-pax profile?  That would
> cause problems.  I don't think that is something supportable though.

I don't understand what you mean by pax-profile
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-20 20:06:29 UTC
(In reply to Agostino Sarubbo from comment #2)
> (In reply to Matthew Thode ( prometheanfire ) from comment #1)
> > So are you using a pax enabled kernel on a non-pax profile?  That would
> > cause problems.  I don't think that is something supportable though.
> 
> I don't understand what you mean by pax-profile

s/pax/hardened

do we expect pax to work on non-hardened profiles?
Comment 4 Agostino Sarubbo gentoo-dev 2013-06-20 20:09:53 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> (In reply to Agostino Sarubbo from comment #2)
> > (In reply to Matthew Thode ( prometheanfire ) from comment #1)
> > > So are you using a pax enabled kernel on a non-pax profile?  That would
> > > cause problems.  I don't think that is something supportable though.
> > 
> > I don't understand what you mean by pax-profile
> 
> s/pax/hardened
> 
> do we expect pax to work on non-hardened profiles?

Why not?

For what you are saying, pax should be able to work only on gentoo..
Comment 5 Anthony Basile gentoo-dev 2013-06-21 00:23:18 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> (In reply to Agostino Sarubbo from comment #2)
> > (In reply to Matthew Thode ( prometheanfire ) from comment #1)
> > > So are you using a pax enabled kernel on a non-pax profile?  That would
> > > cause problems.  I don't think that is something supportable though.
> > 
> > I don't understand what you mean by pax-profile
> 
> s/pax/hardened
> 
> do we expect pax to work on non-hardened profiles?

Why would xlock, compiled with a vanilla toolchain die with exec attempts in anon mappings whereas xlock compiled with a hardened toolchain be fine?  its not clear what's at the bottom of this.  i have not tried to reproduce.
Comment 6 Francisco Blas Izquierdo Riera gentoo-dev 2013-06-21 00:48:51 UTC
(In reply to Anthony Basile from comment #5)
> (In reply to Matthew Thode ( prometheanfire ) from comment #3)
> > (In reply to Agostino Sarubbo from comment #2)
> > > (In reply to Matthew Thode ( prometheanfire ) from comment #1)
> > > > So are you using a pax enabled kernel on a non-pax profile?  That would
> > > > cause problems.  I don't think that is something supportable though.
> > > 
> > > I don't understand what you mean by pax-profile
> > 
> > s/pax/hardened
> > 
> > do we expect pax to work on non-hardened profiles?
> 
> Why would xlock, compiled with a vanilla toolchain die with exec attempts in
> anon mappings whereas xlock compiled with a hardened toolchain be fine?  its
> not clear what's at the bottom of this.  i have not tried to reproduce.

Ago, can you paste the ldd output of your xlock? Mainly to see if it is linked against one of the usual offenders.
Comment 7 Anthony Basile gentoo-dev 2013-06-21 01:17:44 UTC
(In reply to Francisco Blas Izquierdo Riera from comment #6)
> (In reply to Anthony Basile from comment #5)
> > (In reply to Matthew Thode ( prometheanfire ) from comment #3)
> > > (In reply to Agostino Sarubbo from comment #2)
> > > > (In reply to Matthew Thode ( prometheanfire ) from comment #1)
> > > > > So are you using a pax enabled kernel on a non-pax profile?  That would
> > > > > cause problems.  I don't think that is something supportable though.
> > > > 
> > > > I don't understand what you mean by pax-profile
> > > 
> > > s/pax/hardened
> > > 
> > > do we expect pax to work on non-hardened profiles?
> > 
> > Why would xlock, compiled with a vanilla toolchain die with exec attempts in
> > anon mappings whereas xlock compiled with a hardened toolchain be fine?  its
> > not clear what's at the bottom of this.  i have not tried to reproduce.
> 
> Ago, can you paste the ldd output of your xlock? Mainly to see if it is
> linked against one of the usual offenders.

Its a long list below, but if it linked against one of the offenders, it would equally fail if built under a hardened profile unless USE=jit or one of those flags were on, and I asked ago to turn off those, as well as enable pax_kernel.

	linux-vdso.so.1 (0x00007fff51342000)
	libXpm.so.4 => /usr/lib64/libXpm.so.4 (0x00007f6fea021000)
	libMagickCore.so.5 => /usr/lib64/libMagickCore.so.5 (0x00007f6fe9b5e000)
	libftgl.so.2 => /usr/lib64/libftgl.so.2 (0x00007f6fe992b000)
	libGL.so.1 => /usr/lib64/libGL.so.1 (0x00007f6fe96a0000)
	libGLU.so.1 => /usr/lib64/libGLU.so.1 (0x00007f6fe9413000)
	libXext.so.6 => /usr/lib64/libXext.so.6 (0x00007f6fe91ff000)
	libXinerama.so.1 => /usr/lib64/libXinerama.so.1 (0x00007f6fe8ffc000)
	libaudio.so.2 => /usr/lib64/libaudio.so.2 (0x00007f6fe8ddf000)
	libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f6fe8ba8000)
	libX11.so.6 => /usr/lib64/libX11.so.6 (0x00007f6fe8856000)
	libstdc++.so.6 => /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/libstdc++.so.6 (0x00007f6fe8538000)
	libm.so.6 => /lib64/libm.so.6 (0x00007f6fe8242000)
	libgcc_s.so.1 => /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/libgcc_s.so.1 (0x00007f6fe802b000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f6fe7c82000)
	libfftw3.so.3 => /usr/lib64/libfftw3.so.3 (0x00007f6fe78ec000)
	libfontconfig.so.1 => /usr/lib64/libfontconfig.so.1 (0x00007f6fe76b0000)
	libfreetype.so.6 => /usr/lib64/libfreetype.so.6 (0x00007f6fe7403000)
	libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f6fe71f3000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f6fe6fdc000)
	libgomp.so.1 => /usr/lib/gcc/x86_64-pc-linux-gnu/4.6.3/libgomp.so.1 (0x00007f6fe6dcb000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f6fe6bae000)
	libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f6fe69a2000)
	libglapi.so.0 => /usr/lib64/libglapi.so.0 (0x00007f6fe674d000)
	libXdamage.so.1 => /usr/lib64/libXdamage.so.1 (0x00007f6fe654a000)
	libXfixes.so.3 => /usr/lib64/libXfixes.so.3 (0x00007f6fe6343000)
	libX11-xcb.so.1 => /usr/lib64/libX11-xcb.so.1 (0x00007f6fe6141000)
	libxcb-glx.so.0 => /usr/lib64/libxcb-glx.so.0 (0x00007f6fe5f21000)
	libxcb-dri2.so.0 => /usr/lib64/libxcb-dri2.so.0 (0x00007f6fe5d1b000)
	libxcb.so.1 => /usr/lib64/libxcb.so.1 (0x00007f6fe5af3000)
	libXxf86vm.so.1 => /usr/lib64/libXxf86vm.so.1 (0x00007f6fe58ed000)
	libdrm.so.2 => /usr/lib64/libdrm.so.2 (0x00007f6fe56df000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f6fe54db000)
	libXt.so.6 => /usr/lib64/libXt.so.6 (0x00007f6fe526b000)
	libXau.so.6 => /usr/lib64/libXau.so.6 (0x00007f6fe5067000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f6fea234000)
	libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x00007f6fe4e39000)
	librt.so.1 => /lib64/librt.so.1 (0x00007f6fe4c30000)
	libXdmcp.so.6 => /usr/lib64/libXdmcp.so.6 (0x00007f6fe4a29000)
	libSM.so.6 => /usr/lib64/libSM.so.6 (0x00007f6fe4820000)
	libICE.so.6 => /usr/lib64/libICE.so.6 (0x00007f6fe4603000)
	libuuid.so.1 => /lib64/libuuid.so.1 (0x00007f6fe43fe000)
Comment 8 Agostino Sarubbo gentoo-dev 2013-06-21 07:14:44 UTC
(In reply to Francisco Blas Izquierdo Riera from comment #6)
> Ago, can you paste the ldd output of your xlock? Mainly to see if it is
> linked against one of the usual offenders.

	linux-gate.so.1 (0xa09fd000)
	libXpm.so.4 => /usr/lib/libXpm.so.4 (0xa09df000)
	libGL.so.1 => /usr/lib/libGL.so.1 (0xa0981000)
	libGLU.so.1 => /usr/lib/libGLU.so.1 (0xa08f9000)
	libXext.so.6 => /usr/lib/libXext.so.6 (0xa08e6000)
	libpam.so.0 => /lib/libpam.so.0 (0xa08d7000)
	libX11.so.6 => /usr/lib/libX11.so.6 (0xa0793000)
	libstdc++.so.6 => /usr/lib/gcc/i686-pc-linux-gnu/4.6.3/libstdc++.so.6 (0xa06ab000)
	libm.so.6 => /lib/libm.so.6 (0xa0680000)
	libgcc_s.so.1 => /usr/lib/gcc/i686-pc-linux-gnu/4.6.3/libgcc_s.so.1 (0xa0662000)
	libc.so.6 => /lib/libc.so.6 (0xa04be000)
	libglapi.so.0 => /usr/lib/libglapi.so.0 (0xa04a8000)
	libXdamage.so.1 => /usr/lib/libXdamage.so.1 (0xa04a4000)
	libXfixes.so.3 => /usr/lib/libXfixes.so.3 (0xa049e000)
	libX11-xcb.so.1 => /usr/lib/libX11-xcb.so.1 (0xa049b000)
	libxcb-glx.so.0 => /usr/lib/libxcb-glx.so.0 (0xa0481000)
	libxcb-dri2.so.0 => /usr/lib/libxcb-dri2.so.0 (0xa047b000)
	libxcb.so.1 => /usr/lib/libxcb.so.1 (0xa0458000)
	libXxf86vm.so.1 => /usr/lib/libXxf86vm.so.1 (0xa0451000)
	libdrm.so.2 => /usr/lib/libdrm.so.2 (0xa0444000)
	libpthread.so.0 => /lib/libpthread.so.0 (0xa0428000)
	libdl.so.2 => /lib/libdl.so.2 (0xa0423000)
	/lib/ld-linux.so.2 (0xa09fe000)
	libXau.so.6 => /usr/lib/libXau.so.6 (0xa041f000)
	libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0xa0418000)
	librt.so.1 => /lib/librt.so.1 (0xa040e000)