$ mpost mpost: error while loading shared libraries: cannot make segment writable for relocation: Permission denied I'm a noob with hardened so I dunno what's the cause, doesn't seem to be textrels [ebuild R ] app-text/tetex-3.0_p1-r4 USE="X motif -Xaw3d -doc -lesstif -neXt -tk" 0 kB emerge --info Portage 2.1.3.12 (hardened/x86/2.6, gcc-3.4.6, glibc-2.6.1-r0, 2.6.22-hardened-r7 i686) ================================================================= System uname: 2.6.22-hardened-r7 i686 AMD Athlon(tm) XP 2200+ Timestamp of tree: Unknown distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] app-shells/bash: 3.2_p17-r1 dev-lang/python: 2.5.1-r2 dev-python/pycrypto: 2.0.1-r5 sys-apps/baselayout: 1.12.10-r5 sys-apps/sandbox: 1.2.18.1 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.22-r2 ACCEPT_KEYWORDS="x86 ~x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=athlon-xp -O2 -pipe -fforce-addr" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d" CXXFLAGS="-march=athlon-xp -O2 -pipe -fforce-addr" DISTDIR="/mnt/distfiles" FEATURES="collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LDFLAGS="-Wl,--as-needed" LINGUAS="en_US en fr" MAKEOPTS="-j2" PKGDIR="/usr/local/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage /mnt/texlive-overlay" SYNC="rsync://192.168.0.2/gentoo-portage" USE="3dnow X a52 alsa bash-completion berkdb cjk cracklib crypt dbus dts dv dvd dvdread ffmpeg flac fontconfig gif glibc-omitfp gtk hal hardened httpd iconv id3tag ipv6 ithreads jpeg live lua lzo matroska midi mjpeg mmx mod motif mp3 mpeg musepack musicbrainz ncurses nls nptl nptlonly ogg opengl pam pic png python quicktime readline sse ssl taglib tcpd tetex theora threads truetype twolame unicode urandom vim-syntax vorbis wxwindows x264 x86 xcb xml xorg xpm xvid zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_US en fr" USERLAND="GNU" VIDEO_CARDS="vesa radeon vga" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS this has probably been unnoticed for ages because tetex was building its format files with texmf-update, as I've changed it a bit for texlive, they are now built in src_compile, that will cause packages building their formats with mpost to fail I had been suggested that would be mpost trying to execute its stack, but I didn't investigate this more; I'm just opening a bug now to keep track of this
What I did not notice at first: * QA Notice: The following files contain runtime text relocations * Text relocations force the dynamic linker to perform extra * work at startup, waste system resources, and may pose a security * risk. On some architectures, the code may not even function * properly, if at all. * For more information, see http://hardened.gentoo.org/pic-fix-guide.xml * Please include this file in your report: * /var/tmp/portage/app-text/texlive-core-2007-r11/temp/scanelf-textrel.log * TEXTREL usr/bin/mpost TEXTREL usr/bin/mf TEXTREL usr/bin/mf-nowin that reminds me the ocaml stuff... I'll investigate it.
*** Bug 263986 has been marked as a duplicate of this bug. ***
I had a similar problem with '/usr/bin/mf-nowin'. I solved it by running 'paxctl -m' as a sufficiently elevated account. (requires kernel soft mode support) I had a hack that'd paxctl binaries before install, but the maintainers said to fix the software not add more hacks.
This is fairly important... any ETA on a real fix?
Do we still have the probs in app-text/texlive-core-2009? on amd64 i don't see any textrel and x86 should be clean to. jasmin / # scanelf -a usr/bin/mpost TYPE PAX PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE ET_DYN ---xe- 0755 LE RW- R-- RW- - - NOW usr/bin/mpost jasmin / # scanelf -a usr/bin/mf TYPE PAX PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE ET_DYN ---xe- 0755 LE RW- R-- RW- - - NOW usr/bin/mf jasmin / # scanelf -a usr/bin/mf-nowin TYPE PAX PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE ET_DYN ---xe- 0755 LE RW- R-- RW- - - NOW usr/bin/mf-nowin
(In reply to comment #5) > Do we still have the probs in app-text/texlive-core-2009? > on amd64 i don't see any textrel and x86 should be clean to. while it does not get killed on x86 anymore, there might still be an issue of a TEXTRELs :( see below (same version texlive-core-2009 used): g44_x86 ~ # scanelf -a /usr/bin/mpost TYPE PAX PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE ET_DYN ---xe- 0755 LE RW- R-- RW- - - NOW /usr/bin/mpost g44_x86 ~ # scanelf -a /usr/bin/mf TYPE PAX PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE ET_DYN ---xe- 0755 LE RW- R-- RW- TEXTREL - NOW /usr/bin/mf g44_x86 ~ # scanelf -a /usr/bin/mf-nowin TYPE PAX PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE ET_DYN ---xe- 0755 LE RW- R-- RW- TEXTREL - NOW /usr/bin/mf-nowin g44_x86 ~ # scanelf -T /usr/bin/mf TYPE TEXTRELS FILE mf: aritherror [0x7B01] in (optimized out: previous _init) [0x74B8] mf: aritherror [0x7B9A] in (optimized out: previous _init) [0x74B8] ET_DYN /usr/bin/mf g44_x86 ~ # scanelf -T /usr/bin/mf-nowin TYPE TEXTRELS FILE mf-nowin: aritherror [0x7B01] in (optimized out: previous _init) [0x74B8] mf-nowin: aritherror [0x7B9A] in (optimized out: previous _init) [0x74B8] ET_DYN /usr/bin/mf-nowin
jasmin / # scanelf -qT /var/tmp/portage/app-text/texlive-core-2009-r2/image/usr/bin/mf mf: .L4069 [0x7B01] in (optimized out: previous LL3) [0x7AFA] mf: .L4069 [0x7B9A] in (optimized out: previous LL34) [0x7B93] /var/tmp/portage/app-text/texlive-core-2009-r2/image/usr/bin/mf The asm code look like this in texk/web2c/lib/mfmpi386.asm LL3: movl $0x7fffffff,%eax #ifdef ASM_NEEDS_UNDERSCORE movb $1,_aritherror #else movb $1,aritherror #endif ...... LL34: movl $0x7fffffff,%eax #ifdef ASM_NEEDS_UNDERSCORE movb $1,_aritherror #else movb $1,aritherror #endif objdump -d mf and you get 00007afa <LL3>: 7afa: b8 ff ff ff 7f mov $0x7fffffff,%eax 7aff: c6 05 00 00 00 00 01 movb $0x1,0x0 ..... 00007b93 <LL34>: 7b93: b8 ff ff ff 7f mov $0x7fffffff,%eax 7b98: c6 05 00 00 00 00 01 movb $0x1,0x0
Created attachment 239877 [details, diff] We use the C code when __PIC__ is defined This patch fix the textrel. It use the C functions instead of the asm functions, for the asm code is not PIC/PIE friendly writhen and need alot of work to get it work and i not asm coder.
Big thanks for the fix! How I hate TEXTRELs...
*** Bug 371685 has been marked as a duplicate of this bug. ***
Created attachment 281455 [details, diff] Use C code when -fPIC and on x86 New patch that is sended to the tex-live ml
*** Bug 295451 has been marked as a duplicate of this bug. ***
Until this is properly fixed upstream, is it possible to get the patch included in the gentoo version of texlive? Currently it prevents building the stable version of texlive-basic on gentoo hardened x86. Thanks
http://tug.org/svn/texlive?view=revision&revision=23365 Added upstream. tex@gentoo okay to add patch to tree?
(In reply to comment #14) > http://tug.org/svn/texlive?view=revision&revision=23365 > Added upstream. > tex@gentoo okay to add patch to tree? i'll do it; but once i get a more reliable internet access meanwhile you can add it to the patchset in gentoo/src/patchsets cvs tree if you manage to get your way through it and dont break the quilt stuff (the series file) so that i'll just have to validate it and make a new tarball
*** Bug 379179 has been marked as a duplicate of this bug. ***
fixed in stable and ~arch; ~arch version revbumped, stable not, thanks for the patch!