Summary: | x11-drivers/xf86-video-{ati,intel}[glamor] don't work when a hardened profile is used | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Herbert Wantesh <rauchwolke> |
Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | alexander, erhard_f, kingjon3377, renesanso, x11 |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: |
glamor-0.5.1.ebuild.patch
xorg.log from the crash append lazy if now (hardened compiler) |
Description
Herbert Wantesh
2013-10-21 16:49:52 UTC
IIRC I had the same problem with radeon. Currently I'm using the following workaround (load fb before glamoregl): $ cat /etc/X11/xorg.conf.d/10-glamor.conf Section "Module" Load "dri2" Load "fb" Load "glamoregl" EndSection I suspect "DRIVER=yes" is needed in ebuild (before inherit xorg-2) or "append-ldflags -Wl,-z,lazy". But I didn't test it yet. Created attachment 361844 [details, diff] glamor-0.5.1.ebuild.patch This patch fixes the issue. (In reply to Alexander Tsoy from comment #2) > I suspect "DRIVER=yes" is needed in ebuild (before inherit xorg-2) Not a good idea since DRIVER is not an eclass variable. I can confirm the bug with the radeon driver on hardened profile. [ 8.546] (II) LoadModule: "radeon" [ 8.546] (II) Loading /usr/lib/xorg/modules/drivers/radeon_drv.so [ 8.570] (EE) Failed to load /usr/lib/xorg/modules/drivers/radeon_drv.so: /usr/lib64/libglamor.so.0: undefined symbol: fbCopyPlane [ 8.570] (II) UnloadModule: "radeon" [ 8.570] (II) Unloading radeon [ 8.570] (EE) Failed to load module "radeon" (loader failed, 7) I can also confirm that the glamor-0.5.1.ebuild.patch work with the radeon driver, without any modifications to /etc/X11/xorg.conf.d/10-glamor.conf after the latest update i get x11 crashes: xorg.log is attached glamor is merged like this [ebuild N ] x11-libs/glamor-0.5.1 USE="-gles -static-libs" 0 kB in /var/log/messages i have stuff like this: [34684.401079] grsec: denied resource overstep by requesting 21 for RLIMIT_NICE against limit 0 for /usr/bin/xinit[xinit:10402] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/startx[startx:10386] uid/euid:1000/1000 gid/egid:1000/1000 only one line of the xinit message but more of this [34692.475814] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:10573] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:10572] uid/euid:1000/1000 gid/egid:1000/1000 [34692.477905] grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:10573] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:10572] uid/euid:1000/1000 gid/egid:1000/1000 [34692.478161] grsec: denied resource overstep by requesting 29 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:10573] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:10572] uid/euid:1000/1000 gid/egid:1000/1000 [34692.478400] grsec: denied resource overstep by requesting 28 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:10573] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:10572] uid/euid:1000/1000 gid/egid:1000/1000 [34692.478633] grsec: denied resource overstep by requesting 27 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:10573] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:10572] uid/euid:1000/1000 gid/egid:1000/1000 [34692.478853] grsec: denied resource overstep by requesting 26 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:10573] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:10572] uid/euid:1000/1000 gid/egid:1000/1000 [34692.479069] grsec: more alerts, logging disabled for 10 seconds Created attachment 361988 [details]
xorg.log from the crash
sorry on this machine x11-drivers/xf86-video-intel-2.99.905 was merged which was triggering the crashes. but it was merged without glamor use flag enabled. 903 still gives me with glamor enabled - [ 37690.531] (II) Module glx: vendor="X.Org Foundation" [ 37690.531] compiled for 1.14.3, module version = 1.0.0 [ 37690.531] ABI class: X.Org Server Extension, version 7.0 [ 37690.531] (==) AIGLX enabled [ 37690.531] Loading extension GLX [ 37690.531] (II) LoadModule: "intel" [ 37690.531] (II) Loading /usr/lib64/xorg/modules/drivers/intel_drv.so [ 37690.532] (EE) Failed to load /usr/lib64/xorg/modules/drivers/intel_drv.so: /usr/lib64/libglamor.so.0: undefined symbol: fbCopyPlane [ 37690.532] (II) UnloadModule: "intel" [ 37690.532] (II) Unloading intel [ 37690.532] (EE) Failed to load module "intel" (loader failed, 7) [ 37690.532] (EE) No drivers available. [ 37690.532] (EE) Fatal server error: [ 37690.533] (EE) no screens found(EE) [ 37690.533] (EE) Please consult the The X.Org Foundation support at http://wiki.x.org for help. [ 37690.535] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information. [ 37690.536] (EE) current setup which doesnt work: [ebuild R ~] x11-drivers/xf86-video-intel-2.99.903 USE="dri sna udev uxa xvmc -glamor" 0 kB [ebuild R ] x11-libs/glamor-0.5.1 USE="gles -static-libs" 0 kB current setup which work: [ebuild R ~] x11-drivers/xf86-video-intel-2.99.903 USE="dri sna udev uxa xvmc -glamor" 0 kB [ebuild R ] x11-libs/glamor-0.5.1 USE="gles -static-libs" 0 kB this setup doesn't: [ebuild R ~] x11-drivers/xf86-video-intel-2.99.903 USE="dri sna udev uxa xvmc glamor" 0 kB [ebuild R ] x11-libs/glamor-0.5.1 USE="gles -static-libs" 0 kB sorry for the noise (In reply to Alexander Tsoy from comment #3) > Created attachment 361844 [details, diff] [details, diff] > glamor-0.5.1.ebuild.patch > > This patch fixes the issue. @x11: Please, take a look. The same ldflags are appended for xorg-server and all drivers. Related lines from xorg-2.eclass: [[ ${PN} == xf86-video-* || ${PN} == xf86-input-* ]] && DRIVER="yes" ... [[ ${PN} = xorg-server || -n ${DRIVER} ]] && append-ldflags -Wl,-z,lazy same problem here with x11-drivers/xf86-video-intel-2.99.905-r1 [glamor] but 905-r1 brings in a new regression that creates random xorg crashes (with the glamor use flag disabled can't test with galmor as xorg doesnt come up ...) *** Bug 490074 has been marked as a duplicate of this bug. *** problem still not fixed with x11-drivers/xf86-video-intel-2.99.906 (In reply to puchu from comment #13) > problem still not fixed with x11-drivers/xf86-video-intel-2.99.906 This is actually a glamor bug. Please try the attached patch, which disables full RELRO. applying the patch fixes the problem. another question - the only completly working intel driver is 903, 905 has random crashes and 906 some drawin problems in at least claws-mail. should i create a bug report on gentoo or on freedesktop? Created attachment 363898 [details, diff]
append lazy if now (hardened compiler)
We check if we have the hardened compiler and append
lazy when linking.
x11 is this okay?
Looks ok to me. Feel free to apply. glamor 0.5.1 fixed in cvs This needed a revbump. I moved the change to 0.5.1-r1. *** Bug 497928 has been marked as a duplicate of this bug. *** |