Summary: | mail-client/thunderbird-31.0 www-client/firefox-31.0 Both USE=-jit and USE=jit require pax-mark -p on the principal binaries | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Klaus Kusche <klaus.kusche> |
Component: | Current packages | Assignee: | Mozilla Gentoo Team <mozilla> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | alexander, creideiki+gentoo-bugzilla, pageexec, prometheanfire |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Klaus Kusche
2014-08-04 18:30:57 UTC
firefox 31 also needs paxctl -p instead of paxctl -m, but I've compiled firefox with jit. Not sure if it also needs paxctl -p without jit.

Same for firefox: Even when emerged with -jit, it needs paxctl -p (not just -m), otherwise it is killed on startup:

    Aug 5 10:48:13 lap kernel: PAX: execution attempt in: <anonymous mapping>, 292d3d05000-292d3d0c000 292d3d05000
    Aug 5 10:48:13 lap kernel: PAX: terminating task: /usr/lib64/firefox/firefox(firefox):1510, uid/euid: 9999/9999, PC: 00000292d3d072b0, SP: 00000398fba05028
    Aug 5 10:48:13 lap kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
    Aug 5 10:48:13 lap kernel: PAX: bytes at SP-8: 00000292c3622c66 00000292d4d88748 0000000000000202 00000292be9cda60 0000000000000001 fffb8292a68c7d00 fff9000000000000 00000398fba05110 00000292a67b0060 00000292c3622cac 0000000000000a01

1.) You mis-changed the summary: Both USE=jit and USE=-jit require paxctl -p. For USE=jit, this is expected, but USE=-jit should work without paxctl -p.

2.) The offender seems to be some kind of trampoline code: At least without jit (I didn't try it with jit), both firefox and thunderbird work with paxctl -PE, i.e. exec protection on and trampoline emulation on. However, just judging from responsiveness and CPU load, this makes firefox noticeably slower.

Forget item 2 in my last comment. firefox seems to get killed by pax less often with emutramp enabled, but it still gets killed now and then. It really needs -p.

Fixed in -31.1*

(In reply to Klaus Kusche from comment #4)
> Forget item 2 in my last comment.
> firefox seems to get killed by pax less often with emutramp enabled,
> but it still gets killed now and then.
> It really needs -p.

Do tests show that 31.1 and above need -p even when USE="-jit" ??

I was under the impression that it was fine if jit was completely disabled (whether it was being disabled properly before or not, I can't be certain; I believe it wasn't the same as it wasn't on firefox)

Concerning 31.1: I'm already on firefox 32.0, and I don't want to downgrade (I'm compiling on a notebook). I kicked thunderbird off my systems completely.

32.0: As I assumed that firefox needs -p anyway, I switched from -jit to +jit before emerging 32.0 last weekend. The 32.0 ebuild worked fine out of the box with my pax kernel, with +jit and pax flags -p---m-x-e-- set automatically by the ebuild.

Shall I try -jit and then enable execute protection? Not sure if I'll find the time (offline tomorrow, very busy on sunday, winter term starts on monday here).

Problem was definitely introduced with 31, both firefox and thunderbird. 30 (and the corresponding thunderbird) was fine with -jit and execute protection. I can't tell if the problem was caused by a change in the ebuild or a change in firefox.

(In reply to Klaus Kusche from comment #7)
> Concerning 31.1:
> I'm already on firefox 32.0, and I don't want to downgrade
> (I'm compiling on a notebook).
> I kicked thunderbird off my systems completely.
>
> 32.0: As I assumed that firefox needs -p anyway,
> I switched from -jit to +jit before emerging 32.0 last weekend.
> The 32.0 ebuild worked fine out of the box with my pax kernel,
> with +jit and pax flags -p---m-x-e-- set automatically by the ebuild.
>
> Shall I try -jit and then enable execute protection?
> Not sure if I'll find the time (offline tomorrow, very busy on sunday,
> winter term starts on monday here).
>
> Problem was definitely introduced with 31, both firefox and thunderbird.
> 30 (and the corresponding thunderbird) was fine with -jit
> and execute protection.
> I can't tell if the problem was caused by a change in the ebuild
> or a change in firefox.

Firefox-32 is fine, it doesn't need to be downgraded or anything.

It's more thunderbird-31.1.1 (and firefox-32) that I'm worried about with USE="-jit" and pax-mark -p not being applied. So, yes, if you could test either or both of those with USE="-jit" I would very much appreciate it. (if 'pax-mark -p' is needed even with USE="-jit" then mozilla team is going to have to sort this with a patch somehow)

It seems that the problem was caused by the ebuild and not by firefox itself: I recompiled firefox 32.0 with -jit. The ebuild installed the binaries with pax flags -----m-x-e--, and they seem to work fine: No kills by the pax kernel up to now, even with exec protection enabled. As I said, I no longer use thunderbird.

Interesting.. thunderbird-31.1.1[jit] works fine on my system and does not require 'pax-mark -p'

The original bug report was for thunderbird 31.0. I think pax handling has been changed since then. firefox 31.0 also needed paxctl -p, firefox 32.0 does not.

As I still don't have a hardened test environment, could someone check if pax-mark -p is still required for www-client/firefox-31.2[jit] and mail-client/thunderbird-31.2[jit] please? I would like to drop that from the ebuilds if at all possible.

Yes, pax-mark -p is still required for both :(. So you should add it to thunderbird ebuild and leave firefox ebuild as is.

OK. thunderbird-31.2 revbumped with the additional pax-mark -p.

the actual reason was dug out by one of our users: https://forums.grsecurity.net/viewtopic.php?f=3&t=3980#p14306 for the gory details. in short, someone at mozilla made the rather insane decision to make their JIT engine behave the same way as shellcode execution based exploits (see the discussion at https://bugzilla.mozilla.org/show_bug.cgi?id=864220) that PaX will obviously never allow. until that code is reverted/rewritten, PaX cannot be enabled on their products.
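Two checks a hardened-Gentoo admin following this thread would want to script, written as an added example that is not part of the bug report or of the ebuilds: parsing the PaX "execution attempt" / "terminating task" kernel lines quoted above into a per-binary record (and confirming that the faulting PC really lies in the anonymous mapping PaX refused to execute from), and decoding a paxctl flag string so that -p---m-x-e-- and -----m-x-e-- can be compared feature by feature. The log lines are constructed from the ones in the report, and the 12-character display order (PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC, EMUTRAMP, RANDMMAP as upper/lower pairs) is my assumption about paxctl's output, not something the thread states.

```python
import re
from dataclasses import dataclass

# Constructed sample: the PaX kernel lines quoted in this bug, one message per line.
SAMPLE_LOG = """\
Aug 5 10:48:13 lap kernel: PAX: execution attempt in: <anonymous mapping>, 292d3d05000-292d3d0c000 292d3d05000
Aug 5 10:48:13 lap kernel: PAX: terminating task: /usr/lib64/firefox/firefox(firefox):1510, uid/euid: 9999/9999, PC: 00000292d3d072b0, SP: 00000398fba05028
"""

ATTEMPT_RE = re.compile(r"PAX: execution attempt in: .+?, (?P<lo>[0-9a-f]+)-(?P<hi>[0-9a-f]+)")
KILL_RE = re.compile(r"PAX: terminating task: (?P<path>\S+?)\([^)]*\):(?P<pid>\d+), "
                     r"uid/euid: (?P<uid>\d+)/\d+, PC: (?P<pc>[0-9a-f]+), SP: [0-9a-f]+")

@dataclass
class PaxKill:
    path: str
    pid: int
    uid: int
    pc: int
    mapping: tuple  # (lo, hi) of the mapping PaX refused to execute from, or None

    def pc_in_mapping(self):
        # True when the faulting PC really lies in the anonymous (JIT-style) mapping
        return self.mapping is not None and self.mapping[0] <= self.pc < self.mapping[1]

def parse_pax_kills(text):
    # Pair each 'execution attempt' line with the 'terminating task' line that follows it
    kills, pending = [], None
    for line in text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            pending = (int(m["lo"], 16), int(m["hi"], 16))
            continue
        m = KILL_RE.search(line)
        if m:
            kills.append(PaxKill(m["path"], int(m["pid"]), int(m["uid"]), int(m["pc"], 16), pending))
            pending = None  # a kill consumes the attempt that preceded it
    return kills

# Assumed paxctl display order: six upper/lower pairs, upper = forced on, lower = forced off.
PAX_FEATURES = ("PAGEEXEC", "SEGMEXEC", "MPROTECT", "RANDEXEC", "EMUTRAMP", "RANDMMAP")

def decode_pax_flags(flags):
    # Map a 12-char paxctl string such as '-p---m-x-e--' to {feature: on|off|default}
    if len(flags) != 12:
        raise ValueError("expected 12 PaX flag characters")
    out = {}
    for i, name in enumerate(PAX_FEATURES):
        forced_on, forced_off = flags[2 * i] != "-", flags[2 * i + 1] != "-"
        out[name] = "on" if forced_on else ("off" if forced_off else "default")
    return out
```

Run against the sample, the kill record names /usr/lib64/firefox/firefox with its PC inside the logged mapping, and the two flag strings from the thread differ only in PAGEEXEC (forced off versus left at the kernel default).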