Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 573758

Summary: net-libs/serf-1.3.8 "error: can't start new thread" due to denied RWX mmap of <anonymous mapping> by /usr/bin/python2.7
Product: Gentoo Linux Reporter: Marcin Mirosław <bug>
Component: Current packagesAssignee: Arfrever Frehtes Taifersar Arahesis <arfrever.fta>
Status: RESOLVED WORKSFORME    
Severity: normal CC: hardened, miro.rovis
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: messages_170321_1009_g5n
www-client_firefox-52.0.1_20170321-090648.log
emerge--info_4.9.16-hardened

Description Marcin Mirosław 2016-02-03 10:35:06 UTC 
>>> Emerging (1 of 8) net-libs/serf-1.3.8::gentoo
 * serf-1.3.8.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ...                                                                                                                                              [ ok ]
>>> Unpacking source...
>>> Unpacking serf-1.3.8.tar.bz2 to /var/tmp/portage/net-libs/serf-1.3.8/work
>>> Source unpacked in /var/tmp/portage/net-libs/serf-1.3.8/work
>>> Preparing source in /var/tmp/portage/net-libs/serf-1.3.8/work/serf-1.3.8 ...
 * Applying serf-1.3.2-disable_linking_against_unneeded_libraries.patch ...                                                                                                                             [ ok ]
 * Applying serf-1.3.8-scons_variables.patch ...                                                                                                                                                        [ ok ]
 * Applying serf-1.3.8-tests.patch ...                                                                                                                                                                  [ ok ]
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/net-libs/serf-1.3.8/work/serf-1.3.8 ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/net-libs/serf-1.3.8/work/serf-1.3.8 ...
scons -j2 PREFIX=/usr LIBDIR=/usr/lib64 APR=/usr/bin/apr-1-config APU=/usr/bin/apu-1-config OPENSSL=/usr CC=x86_64-pc-linux-gnu-gcc CPPFLAGS= CFLAGS=-O2 -pipe -march=native         -fno-unwind-tables -fno-as
ynchronous-unwind-tables -fpeel-loops         -ftracer -fuse-linker-plugin LINKFLAGS=-Wl,-O1 -Wl,--as-needed -Wl,--sort-common
scons: Reading SConscript files ...
scons: done reading SConscript files.
error: can't start new thread:
  File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1372:
    _exec_main(parser, values)
  File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1335:
    _main(parser)
  File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1099:
    nodes = _build_targets(fs, options, targets, target_top)
  File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1259:
    jobs = SCons.Job.Jobs(num_jobs, taskmaster)
  File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 92:
    self.job = Parallel(taskmaster, num, stack_size)
  File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 365:
    self.tp = ThreadPool(num, stack_size, self.interrupted)
  File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 295:
    worker = Worker(self.requestQueue, self.resultsQueue, interrupted)
  File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 242:
    self.start()
  File "/usr/lib64/python2.7/threading.py", line 745:
    _start_new_thread(self.__bootstrap, ())
 * ERROR: net-libs/serf-1.3.8::gentoo failed (compile phase):
 *   escons failed.
 * 
 * Call stack:
 *     ebuild.sh, line  133:  Called src_compile
 *   environment, line 2029:  Called escons
 *   environment, line  879:  Called die
 * The specific snippet of code:
 *                   die "escons failed."
 * 
 * If you need support, post the output of `emerge --info '=net-libs/serf-1.3.8::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=net-libs/serf-1.3.8::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/net-libs/serf-1.3.8/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/net-libs/serf-1.3.8/temp/environment'.
 * Working directory: '/var/tmp/portage/net-libs/serf-1.3.8/work/serf-1.3.8'
 * S: '/var/tmp/portage/net-libs/serf-1.3.8/work/serf-1.3.8'

>>> Failed to emerge net-libs/serf-1.3.8, Log file:



In messages.log is:

2016-02-03T11:31:31.215515+01:00 gentoo-mirror kernel: [6621659.215204] grsec: From 192.168.254.1: denied RWX mmap of <anonymous mapping> by /usr/bin/python2.7[python2.7:11540] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/._portage_reinstall_.dvq2ruow/bin/ebuild.sh[ebuild.sh:11526] uid/euid:250/250 gid/egid:250/250



Reproducible: Always




Portage 2.2.26 (python 3.4.3-final-0, hardened/linux/amd64, gcc-4.9.3, glibc-2.21-r1, 3.17.7-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.17.7-hardened-r1-x86_64-Intel_Xeon_E312xx_-Sandy_Bridge-with-gentoo-2.2
KiB Mem:      890424 total,    103696 free
KiB Swap:     511996 total,    503760 free
Timestamp of repository gentoo: Wed, 03 Feb 2016 05:15:01 +0000
sh bash 4.3_p42-r1
ld GNU gold (Gentoo 2.25.1 p1.1 2.25.1) 1.11
ccache version 3.1.9 [enabled]
app-shells/bash:          4.3_p42-r1::gentoo
dev-lang/perl:            5.20.2::gentoo
dev-lang/python:          2.7.9-r1::gentoo, 3.4.3-r1::gentoo
dev-util/ccache:          3.1.9-r4::gentoo
dev-util/cmake:           3.3.1-r1::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.19.1::gentoo
sys-apps/sandbox:         2.10-r1::gentoo
sys-devel/autoconf:       2.69::gentoo
sys-devel/automake:       1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            4.9.3::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 4.3::gentoo (virtual/os-headers)
sys-libs/glibc:           2.21-r1::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://gentoo.prz.rzeszow.pl/gentoo-portage/
    priority: -1000
    sync-rsync-extra-opts: -O

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native         -fno-unwind-tables -fno-asynchronous-unwind-tables -fpeel-loops         -ftracer -fuse-linker-plugin"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native         -fno-unwind-tables -fno-asynchronous-unwind-tables -fpeel-loops         -ftracer -fuse-linker-plugin"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache collision-protect compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="pl_PL.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common"
MAKEOPTS="-j2 -l 3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="-O"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="acl acpi amd64 bash-completion caps cli cracklib crypt cxx dri hardened iconv ipv6 justify mmx mmxext modules multilib ncurses nls nptl openmp pax_kernel pcre pie readline seccomp session sse sse2 sse3 ssp ssse3 threads unicode urandom vim-syntax xattr xtpax" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python3_4" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="3.3"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Comment 1 Magnus Granberg gentoo-dev 2016-02-03 15:29:09 UTC 
Check that you have emutramp enable in the kernel
Comment 2 Marcin Mirosław 2016-02-03 18:33:40 UTC 
# zgrep -i emutr /proc/config.gz
CONFIG_PAX_EMUTRAMP=y
Comment 3 Magnus Granberg gentoo-dev 2016-02-09 19:54:44 UTC 
Check the pax mark on python and what you use in the kernel config for marking.
Comment 4 Magnus Granberg gentoo-dev 2016-02-09 20:46:51 UTC 
>>> Compiling source in /var/tmp/portage/net-libs/serf-1.3.8/work/serf-1.3.8 ...
scons -j6 PREFIX=/usr LIBDIR=/usr/lib64 APR=/usr/bin/apr-1-config APU=/usr/bin/apu-1-config OPENSSL=/usr CC=x86_64-pc-linux-gnu-gcc CPPFLAGS= CFLAGS=-pipe -O2 -march=core2 LINKFLAGS=-Wl,-O1 -Wl,--as-needed
scons: Reading SConscript files ...
scons: done reading SConscript files.
scons: Building targets ...
It works fine for me.
Comment 5 Marcin Mirosław 2016-02-10 14:33:01 UTC 
On a other host it also works for me.
# zgrep -i xattr /proc/config.gz 
CONFIG_TMPFS_XATTR=y
CONFIG_PAX_XATTR_PAX_FLAGS=y

Ok, I've tracked how to fix it. I didn't had set in make.conf variable PAX_MARKINGS. So paxmarking was: 
 paxctl-ng -v /usr/bin/python2.7
/usr/bin/python2.7:
        PT_PAX    : -E---
        XATTR_PAX : -E---

Next I set PAX_MARKINGS="XT", so python2.7 received such flags:
 paxctl-ng -v /usr/bin/python2.7
/usr/bin/python2.7:
        PT_PAX    : not found
        XATTR_PAX : -E---

Now scons has no problem with working.
Bug in kernel when both PT_PAX and XATTR_PAX flags are set?
Comment 6 miro.rovis 2017-03-21 10:39:23 UTC 
Created attachment 467778 [details]
messages_170321_1009_g5n

When installing Firefox
(
Pls., I don't use Firefox anymore, I use Palemoon. I'm only following Firefox
out of curiosity and spite after they ruined it all for me with:
Require PulseAudio to play sound on Linux
https://bugzilla.mozilla.org/show_bug.cgi?id=1247056
)

So, [when installing Firefox] this happened, (from /var/log/messages):

Mar 21 10:08:26 g5n kernel: [172037.447577] grsec: (admin:S:/) exec of
/var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7
(/var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7
- setuptools pip wheel ) by
/var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7[python2.7:15256]
uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:15254]
uid/euid:250/250 gid/egid:250/250

Mar 21 10:08:26 g5n kernel: [172037.765438] grsec: (admin:S:/) denied RWX mmap
of <anonymous mapping> by
/var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7[python2.7:15256]
uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:15254]
uid/euid:250/250 gid/egid:250/250

See all of it (and more, I only partly understand it) in the attachment:
messages_170321_1009_g5n

And in the other attachment (that I'll post with the next comment):
www-client_firefox-52.0.1_20170321-090648.log

find:

checking for PIE support... no
configure: error: --enable-pie requires PIE support from the linker.

The two excerpts above, to my best understanding belong to the same event.

PIE means, IIUC, position independent executable (the way in
which binaries are installed in a hardened system, like mine).

I do have in /etc/portage/make.conf :

PAX_MARKINGS="XT"

So this:

# paxctl-ng -v /usr/bin/python2.7
/usr/bin/python2.7:
	PT_PAX    : not found
	XATTR_PAX : -E---
#

[so this] is all regular.

I also have:

CONFIG_TMPFS_XATTR=y
CONFIG_PAX_XATTR_PAX_FLAGS=y

in all my hardened kernels (including the running one).

When installing firefox-51.0.1 some three weeks ago I didn't have any issues,
excerpt from the log in /var/log/portage/<firefox-51.0.1>.log :

checking for shmat... yes
checking for IceConnectionNumber in -lICE... yes
checking for --noexecstack option to as... yes
checking for -z noexecstack option to ld... yes
checking for -z text option to ld... yes
checking for --ignore-unresolved-symbol option to ld... yes
checking if toolchain supports -mssse3 option... yes
checking if toolchain supports -msse4.1 option... yes
checking for x86 AVX2 asm support in compiler... yes
checking for PIE support... yes
                ^^^^^^^^^^^^^
                |||||||||||||
See the PIE support... yes above.

How's that not working now?
Comment 7 miro.rovis 2017-03-21 10:41:04 UTC 
Created attachment 467782 [details]
www-client_firefox-52.0.1_20170321-090648.log

(the attachment promised in the previous post)
Comment 8 miro.rovis 2017-03-21 12:13:39 UTC 
Created attachment 467788 [details]
emerge--info_4.9.16-hardened

It doesn't work (all the errors are the same) with all the latest updates, including the hardened kernel.
Comment 9 Magnus Granberg gentoo-dev 2017-03-21 20:22:49 UTC 
The firefox bug is not the same as this so open a new one
Comment 10 miro.rovis 2017-03-22 05:56:15 UTC 
(In reply to Magnus Granberg from comment #9)
> The firefox bug is not the same as this so open a new one

Sorry! I tried to mend by posting at:

PIE support in linker missing, reason: denied RWX mmap of by /var/tmp/...firefox-52.0.1/_virtualenv/bin/python2.7
https://bugs.gentoo.org/show_bug.cgi?id=613452

Regards!
Comment 11 Arfrever Frehtes Taifersar Arahesis 2019-08-07 23:02:45 UTC 
(In reply to Marcin Mirosław from comment #5)
> Now scons has no problem with working.