Summary: | >net-libs/nodejs-14.3.0 on a PaX kernel: mksnapshot_u: Check failed: reservation_.SetPermissions(protect_start, protect_size, permission). | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Anton Kochkov <anton.kochkov> |
Component: | Current packages | Assignee: | The Gentoo Linux Hardened Team <hardened> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | sam, williamh |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: |
https://bugs.gentoo.org/show_bug.cgi?id=694100 https://bugs.gentoo.org/show_bug.cgi?id=903916 |
||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: |
build.log
net-libs/nodejs-14.8.0 build log nodejs-14.15.0-r1.ebuild nodejs-13.8.0-paxmarking.patch nodejs-pax-mark-ebuild.diff nodejs-15.8.0-paxmarking.patch nodejs-16.4.2-paxmarking.patch nodejs-18.0.0-paxmarking.patch nodejs-20.3.0-paxmarking.patch |
Description
Anton Kochkov
2020-08-04 02:33:47 UTC
Why 14.3.0? 14.4.0 appears to be running for president and 14.7.0 has also landed. Looks like the bit after the mksnapshot_u error is more interesting than the error it spits out: /bin/sh: line 1: 1407457 Illegal instruction "/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/mksnapshot_u" --turbo_instruction_scheduling "--target_os=linux" "--target_arch=x64" --startup_src "/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/obj.target/v8_snapshot/geni/snapshot.cc" --embedded_variant Default --embedded_src "/var/tmp/portage/net-libs/nodejs-14.3.0/work/node-v14.3.0/out/Release/obj.target/v8_snapshot/geni/embedded.S" --no-native-code-counters An illegal instruction on an older Intel CPU? Maybe some assembler issue? It's probably a good idea to 1) check if a later 14.x.x release fails to trip up this way, and to 2) notify the upstream people at https://github.com/nodejs/node if it does. > Why 14.3.0? 14.4.0 appears to be running for president and 14.7.0 has also landed.
I have some restriction on ICU version for another package, which in turns limits nodejs version.
Created attachment 655464 [details]
net-libs/nodejs-14.8.0 build log
I updated the system to latest hardened kernel 4.9.24 and GCC 9.3, also removed ICU and NodeJS mask, so tried to build 14.8.0, error is still the same (full log attached)
#
# Fatal error in , line 0
# Check failed: reservation_.SetPermissions(protect_start, protect_size, permission).
#
#
#
#FailureMessage Object: 0x70761b58f650
==== C stack trace ===============================
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::base::debug::StackTrace::StackTrace()+0x16) [0x88d6f6aaf26]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(+0xba2ddb) [0x88d6edfaddb]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(V8_Fatal(char const*, ...)+0x172) [0x88d6edf5c72]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(+0x66af53) [0x88d6e8c2f53]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::Heap::ProtectUnprotectedMemoryChunks()+0xbd) [0x88d6e866a9d]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::Factory::CodeBuilder::BuildInternal(bool)+0x57c) [0x88d6e84125c]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::Factory::CodeBuilder::Build()+0xe) [0x88d6e8412ce]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(+0xe2c79f) [0x88d6f08479f]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::SetupIsolateDelegate::PopulateWithPlaceholders(v8::internal::Isolate*)+0x42) [0x88d6f084922]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::SetupIsolateDelegate::SetupBuiltinsInternal(v8::internal::Isolate*)+0x1a) [0x88d6f084bfa]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::Isolate::Init(v8::internal::ReadOnlyDeserializer*, v8::internal::StartupDeserializer*)+0xe09) [0x88d6e81e739]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::SnapshotCreator::SnapshotCreator(v8::Isolate*, long const*, v8::StartupData*)+0xbe) [0x88d6e7672ce]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(v8::internal::CreateSnapshotDataBlobInternal(v8::SnapshotCreator::FunctionCodeHandling, char const*, v8::Isolate*)+0x49) [0x88d6eae9879]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(main+0x2c0) [0x88d6e7572e0]
/lib64/libc.so.6(__libc_start_main+0xeb) [0x6688e81d7e4b]
/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u(_start+0x2a) [0x88d6e75fb7a]
/bin/sh: line 1: 21218 Illegal instruction "/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/mksnapshot_u" --turbo_instruction_scheduling "--target_os=linux" "--target_arch=x64" --startup_src "/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/obj.target/v8_snapshot/geni/snapshot.cc" --embedded_variant Default --embedded_src "/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out/Release/obj.target/v8_snapshot/geni/embedded.S" --no-native-code-counters
make: *** [tools/v8_gypfiles/v8_snapshot.target.mk:30: 317743e6124a2962d75e8f35009db77621041030.intermediate] Error 132
rm 0d2164f4fa85865823af7d93d2fc95fd608f0df3.intermediate 317743e6124a2962d75e8f35009db77621041030.intermediate bc484948995d41658d78470718d89ce39cfdc90f.intermediate
make: Leaving directory '/var/tmp/portage/net-libs/nodejs-14.8.0/work/node-v14.8.0/out'
Is this still a problem with 14.15.0? (In reply to Marek Szuba from comment #4) > Is this still a problem with 14.15.0? Yes, I can reproduce this with 14.15.0. Looks like it might be pax-related. bug 694100 described a similar issue. Hmm, this does look like exactly the same problem - which unfortunately means it will not be fixed because as per the relevant discussions on the mailing lists, Gentoo no longer supports GRSecurity. There is still unofficial support for Grsecurity/PaX. I will take a look at this when I have some time. Created attachment 672667 [details]
nodejs-14.15.0-r1.ebuild
The most recent nodejs kernel I'm using with pax-enabled kernel.
Created attachment 672670 [details, diff] nodejs-13.8.0-paxmarking.patch Pax marking patch the ebuild uses. Related bug: https://bugs.gentoo.org/694100 Created attachment 672673 [details, diff]
nodejs-pax-mark-ebuild.diff
This is a diff showing the difference between the in-tree nodejs ebuild and the pax-enabled ebuild. Works for me.
Note, that although it works for me, I'm using a more recent grsec kernel (beta). So your milage may vary with the latest kernel accessible for the community...
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ce9b123961a4dc19932e4cc81908b624eeba282 commit 9ce9b123961a4dc19932e4cc81908b624eeba282 Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2020-11-20 20:21:46 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2020-11-20 20:24:47 +0000 net-libs/nodejs: add PaX support to 14.15.1 Bug: https://bugs.gentoo.org/735832 Signed-off-by: William Hubbs <williamh@gentoo.org> net-libs/nodejs/nodejs-14.15.1.ebuild | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e4294ea80a70435fa09c3579da81c428fa15efc commit 3e4294ea80a70435fa09c3579da81c428fa15efc Author: Sam James <sam@gentoo.org> AuthorDate: 2020-11-20 19:16:17 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2020-11-20 20:23:32 +0000 net-libs/nodejs: restore PaX support Reverts: 19add7ba6500e6c60c8699b6bdda397744dfa73b Bug: https://bugs.gentoo.org/735832 Package-Manager: Portage-3.0.9, Repoman-3.0.2 Signed-off-by: Sam James <sam@gentoo.org> Signed-off-by: William Hubbs <williamh@gentoo.org> .../nodejs/files/nodejs-13.2.0-paxmarking.patch | 71 +++++++++++++ .../nodejs/files/nodejs-13.8.0-paxmarking.patch | 111 +++++++++++++++++++++ net-libs/nodejs/metadata.xml | 3 +- net-libs/nodejs/nodejs-12.18.4-r1.ebuild | 5 +- net-libs/nodejs/nodejs-12.19.1.ebuild | 5 +- net-libs/nodejs/nodejs-14.2.0.ebuild | 10 +- net-libs/nodejs/nodejs-99999999.ebuild | 10 +- 7 files changed, 208 insertions(+), 7 deletions(-) Created attachment 688272 [details, diff]
nodejs-15.8.0-paxmarking.patch
updated patch for net-libs/nodejs-15.8.0
Created attachment 776570 [details, diff]
nodejs-16.4.2-paxmarking.patch
Updated patch for nodejs-16.4.2
Created attachment 776573 [details, diff]
nodejs-18.0.0-paxmarking.patch
Updated patch for nodejs-18.0.0
Created attachment 865211 [details, diff]
nodejs-20.3.0-paxmarking.patch
Recent net-libs/nodejs-20.3.0|1 needed some modifications again for the patch to apply cleanly.
|