Bug 589828

Summary: dev-lang/python-3.5.2 requires disabled MPROTECT during install phase
Product: Gentoo Linux
Reporter: Attila Tóth <atoth>
Component: Hardened
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED INVALID
Severity: normal
CC: pageexec, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Attila Tóth 2016-07-27 09:41:17 UTC
dev-lang/python-3.5.2:
/usr/lib/portage/python3.5/ebuild-helpers/xattr/install -c -m 644 /var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Include/fileobject.h /usr/include/python3.5m
Traceback (most recent call last):
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/setup.py", line 2299, in <module>
    main()
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/setup.py", line 2293, in main
    "Tools/scripts/2to3", "Tools/scripts/pyvenv"]
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/core.py", line 148, in setup
    dist.run_commands()
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/dist.py", line 955, in run_commands
    self.run_command(cmd)
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/dist.py", line 974, in run_command
    cmd_obj.run()
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/command/build.py", line 135, in run
    self.run_command(cmd_name)
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/cmd.py", line 313, in run_command
    self.distribution.run_command(command)
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/dist.py", line 974, in run_command
    cmd_obj.run()
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/command/build_ext.py", line 338, in run
    self.build_extensions()
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/setup.py", line 289, in build_extensions
    build_ext.build_extensions(self)
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/command/build_ext.py", line 445, in build_extensions
    self._build_extensions_parallel()
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/command/build_ext.py", line 464, in _build_extensions_parallel
    for ext in self.extensions]
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/command/build_ext.py", line 464, in <listcomp>
/usr/lib/portage/python3.5/ebuild-helpers/xattr/install -c -m 644 /var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Include/fileutils.h /usr/include/python3.5m
    for ext in self.extensions]
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/concurrent/futures/thread.py", line 113, in submit
    self._adjust_thread_count()
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/concurrent/futures/thread.py", line 129, in _adjust_thread_count
    t.start()
  File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/threading.py", line 844, in start
    _start_new_thread(self._bootstrap, ())
RuntimeError: can't start new thread
Makefile:615: recipe for target 'sharedmods' failed
make: *** [sharedmods] Error 1
make: *** Waiting for unfinished jobs....

In the meantime, kernel logs show this:
Jul 27 09:21:29 kernel: grsec: From X.Y.Z.V: (admin:S:/) denied RWX mmap of <anonymous mapping> by /var/tmp/portage/dev-lang/python-3.5.2/work/x86_64-pc-linux-gnu/python[python:26031] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:26030] uid/euid:0/0 gid/egid:0/0

If I manually disable mprotect on the binary shown in the logs (/var/tmp/portage/dev-lang/python-3.5.2/work/x86_64-pc-linux-gnu/python), the install can successfully finish.

At this time I have both PT_PAX and XT_PAX enabled in the kernel and in my userland. The markings on the python binaries seem to be all right otherwise (explicit E for EMUTRAMP).

Sidenote: some packages requiring python-2.7 also started failing for reasons that seem to be kinda similar.
media-sound/mixxx-2.0.0-r1:
scons: done reading SConscript files.
error: can't start new thread:
  File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1372:
    _exec_main(parser, values)
  File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1335:
    _main(parser)
  File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1099:
    nodes = _build_targets(fs, options, targets, target_top)
  File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1259:
    jobs = SCons.Job.Jobs(num_jobs, taskmaster)
  File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 92:
    self.job = Parallel(taskmaster, num, stack_size)
  File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 365:
    self.tp = ThreadPool(num, stack_size, self.interrupted)
  File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 295:
    worker = Worker(self.requestQueue, self.resultsQueue, interrupted)
  File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 242:
    self.start()
  File "/usr/lib64/python2.7/threading.py", line 736:
    _start_new_thread(self.__bootstrap, ())
 * ERROR: media-sound/mixxx-2.0.0-r1::gentoo failed (compile phase):
 *   escons failed.

Jul 27 09:04:13 kernel: grsec: From X.Y.Z.V: (admin:S:/) denied RWX mmap of <anonymous mapping> by /usr/bin/python2.7[python2.7:12192] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python2.7/ebuild.sh[ebuild.sh:12101] uid/euid:250/250 gid/egid:250/250

Disabling mprotect on the python binary could solve the issue (it fails in another way now, unrelated to this issue).

Another package triggers RWX mapping: media-video/mpv-0.18.1 - I'm not sure if I should open separate bugs on these...
Comment 1 Attila Tóth 2016-07-27 10:12:17 UTC
dev-lang/python-3.4 seems to work well without mprotect.
It might be some python-3.5 module?
Comment 2 Attila Tóth 2016-07-27 10:22:38 UTC
(In reply to Attila Tóth from comment #1)
> dev-lang/python-3.4 seems to work well without mprotect.
> It might be some python-3.5 module?

python-3.5.1-r2 and python-3.5.1-r3 are also affected.
Comment 3 PaX Team 2016-07-27 11:43:15 UTC
the question is what code wants to allocate rwx maps and for what purpose. can you extract and strace a failing command to see what the exact request is? also check that the failing program doesn't load any libraries with a bad GNU_STACK header.
Comment 4 Attila Tóth 2016-08-04 10:33:06 UTC
(In reply to PaX Team from comment #3)
> the question is what code wants to allocate rwx maps and for what purpose.
> can you extract and strace a failing command to see what the exact request
> is? also check that the failing program doesn't load any libraries with a
> bad GNU_STACK header.

I'm having trouble reproducing the problem. Sending an email about some details.
Comment 5 Attila Tóth 2016-08-11 15:37:35 UTC
Reason was: toolchain generated binaries without GNU_STACK header. The issue is no longer present on my system and I cannot reproduce it.