Bug 373029 - Firefox 5 doesn't compile on hardened systems due to a RWX mapping triggered by JIT
Status: RESOLVED DUPLICATE of bug 372947
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Linux bug wranglers
Reported: 2011-06-25 19:42 UTC by Radoslaw Madej (radegand)
Modified: 2011-06-26 17:03 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
proposed ebuild (firefox-5.0.ebuild, 9.30 KB, text/plain), 2011-06-25 19:43 UTC, Radoslaw Madej (radegand)
original build log (www-client:firefox-5.0:20110625-090834.log.gz, 315.74 KB, text/plain), 2011-06-25 19:45 UTC, Radoslaw Madej (radegand)
emerge --info (emerge.info, 5.21 KB, text/plain), 2011-06-25 19:48 UTC, Radoslaw Madej (radegand)

Description Radoslaw Madej (radegand) 2011-06-25 19:42:26 UTC
Hi,

Firefox 5 doesn't compile on grsec-enabled kernels due to the JIT optimization, which creates an RWX memory mapping not liked by PaX :)

To compile it under a hardened kernel, one needs to disable jit during source configuration, please see the attached ebuild. Once jit is disabled, firefox compiles and runs fine.

I've added a jit flag to the ebuild which is automatically disabled on hardened profiles. The additional positive outcome of that is that firefox runs fine with mprotect enabled, however Java or Flash plugins will crash it.

I realize that from a user experience point of view, it's better to have mprotect disabled, but maybe at least it's worth giving the end user information that it would be possible if they're not going to use java or flash?

Thanks,
radegand

Reproducible: Always

Steps to Reproduce:
Emerge firefox 5 on a hardened system running Gentoo hardened-sources.
Actual Results:  
Emerge is killed with the following error from PaX:
grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/www-client/firefox-5.0/work/mozilla-release/obj-x86_64-unknown-linux-gnu/dist/bin/xpcshell[xpcshell:10891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:10882] uid/euid:0/0 gid/egid:0/0
xpcshell[10891]: segfault at 41ea0ddc ip 00006b9475051ed4 sp 000078b37e81b6f0 error 4 in libxul.so[6b9474031000+1823000]
grsec: Segmentation fault occurred at 0000000041ea0ddc in /var/tmp/portage/www-client/firefox-5.0/work/mozilla-release/obj-x86_64-unknown-linux-gnu/dist/bin/xpcshell[xpcshell:10891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:10882] uid/euid:0/0 gid/egid:0/0
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/www-client/firefox-5.0/work/mozilla-release/obj-x86_64-unknown-linux-gnu/dist/bin/xpcshell[xpcshell:10891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:10882] uid/euid:0/0 gid/egid:0/0


Expected Results:  
Successful compilation of Firefox :)
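
Added example (not part of the original report, and not Gentoo or grsecurity tooling): a Python sketch that pulls each `denied RWX mmap` record out of a kernel log in the format quoted above and notes whether the same PID segfaulted afterwards, i.e. whether the program failed to handle the refused mapping. The function name, record fields and shortened build path are assumptions, and the sample log is constructed from the lines in the report.

```python
import re

# Constructed sample, modelled on the log lines in the report; the build path is
# shortened to a placeholder directory.
SAMPLE_LOG = """\
grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/example/dist/bin/xpcshell[xpcshell:10891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:10882] uid/euid:0/0 gid/egid:0/0
xpcshell[10891]: segfault at 41ea0ddc ip 00006b9475051ed4 sp 000078b37e81b6f0 error 4 in libxul.so[6b9474031000+1823000]
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/example/dist/bin/xpcshell[xpcshell:10891] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:10882] uid/euid:0/0 gid/egid:0/0
"""

# "/path/to/exe[comm:pid] uid/euid:U/E gid/egid:G/E", as grsec prints a process.
PROC = r"(/\S+?)\[([^:\]]+):(\d+)\] uid/euid:(\d+)/(\d+) gid/egid:\d+/\d+"
RWX_DENIAL = re.compile(r"grsec: denied RWX mmap of (.+?) by " + PROC + ", parent " + PROC)
# Kernel segfault notice: "comm[pid]: segfault at ADDR ... in object[base+size]".
SEGFAULT = re.compile(r"(\S+)\[(\d+)\]: segfault at [0-9a-f]+ .* in (\S+?)\[")


def rwx_denials(log_text):
    """Return one record per denied RWX mmap, with the object a later crash hit."""
    lines = log_text.splitlines()
    crashes = {}  # pid -> [(line number, faulting object)]
    for number, line in enumerate(lines):
        m = SEGFAULT.search(line)
        if m:
            crashes.setdefault(int(m.group(2)), []).append((number, m.group(3)))
    records = []
    for number, line in enumerate(lines):
        m = RWX_DENIAL.search(line)
        if not m:
            continue
        pid = int(m.group(4))
        # Only a crash logged after the denial counts as a consequence of it.
        later = [obj for n, obj in crashes.get(pid, []) if n > number]
        records.append({
            "target": m.group(1),
            "exe": m.group(2),
            "comm": m.group(3),
            "pid": pid,
            "euid": int(m.group(6)),
            "parent_exe": m.group(7),
            "crashed_in": later[0] if later else None,
        })
    return records


if __name__ == "__main__":
    for record in rwx_denials(SAMPLE_LOG):
        print(record)
```

A record whose `crashed_in` is `None` means the process survived the refused mapping; a value such as `libxul.so` points at code that did not check for the failure.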
Comment 1 Radoslaw Madej (radegand) 2011-06-25 19:43:15 UTC
Created attachment 278123 [details]
proposed ebuild
Comment 2 Radoslaw Madej (radegand) 2011-06-25 19:45:51 UTC
Created attachment 278125 [details]
original build log
Comment 3 Radoslaw Madej (radegand) 2011-06-25 19:48:15 UTC
Created attachment 278127 [details]
emerge --info
Comment 4 PaX Team 2011-06-26 09:53:31 UTC
(In reply to comment #0)
> I've added jit flag to the ebuild which is automatically disabled on hardened
> profiles. The additional positive outcome of that is that firefox runs fine
> with mprotect enabled, however Java or Flash plugins will crash it.

hmm, where are they crashing exactly? not allowing runtime codegen should be
gracefully handled by both java and flash these days, so something's still not
right somewhere if you see the whole app crash...
Comment 5 Jory A. Pratt gentoo-dev 2011-06-26 17:03:14 UTC

*** This bug has been marked as a duplicate of bug 372947 ***