An RWX mmap in, apparently, /usr/lib/dri/nouveau_dri.so (could also be libdrm_nouveau?) is causing a segfault under hardened kernel 3.4.7:

grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/glxgears[glxgears:4379] uid/euid:2101/2101 gid/egid:9000/9000, parent /usr/bin/strace[strace:4377] uid/euid:2101/2101 gid/egid:9000/9000
grsec: Segmentation fault occurred at ffffffff in /usr/bin/glxgears[glxgears:4379] uid/euid:2101/2101 gid/egid:9000/9000, parent /usr/bin/strace[strace:4377] uid/euid:2101/2101 gid/egid:9000/9000

media-libs/mesa-8.0.3 was built with the following:
USE="classic gallium nptl pax_kernel pic shared-dricore shared-glapi xa -bindist -d3d -debug -egl -g3dvl -gbm -gles1 -gles2 -llvm -openvg -osmesa (-selinux) -vdpau (-wayland) -xvmc" VIDEO_CARDS="intel nouveau radeon vmware -i915 -i965 -r100 -r200 -r300 -r600"

x11-libs/libdrm-2.4.33 was built with the following:
USE="libkms -static-libs" VIDEO_CARDS="intel nouveau radeon vmware -omap"

sys-devel/gcc-4.5.3-r2 was built with the following:
USE="cxx hardened nls nptl openmp (-altivec) -bootstrap -build -doc (-fixed-point) -fortran -gcj -graphite -gtk (-libssp) -lto -mudflap (-multilib) -multislot -nocxx -nopie -nossp -objc -objc++ -objc-gc -test -vanilla"
CFLAGS="-O2 -march=pentium3 -mtune=core2 -pipe"
CXXFLAGS="-O2 -march=pentium3 -mtune=core2 -pipe"
Created attachment 322062: glxgears strace
Created attachment 372412 (diff): http://cgit.freedesktop.org/mesa/mesa/patch/?id=4dd445f1cf80292f10eda53665cefc2a674d838d
media-libs/mesa-9.2.5-r1 still has this bug, so I asked upstream in #nouveau@freenode:

[18:03:08] <xexaxo> iirc there was a case where gallium/tasm did not check the return value of mmap although that one should affect every gallium user
[18:03:58] <xexaxo> fwiw the commit that fixes that is 4dd445f1cf, although...
[18:04:38] <Nikoli> xexaxo, which mesa release is it?
[18:05:00] <Nikoli> or is this commit only in git master?
[18:05:49] <xexaxo> should have landed in 10.1 and I've CC'd stable (9.1, 9.2 10.0) although I'm guessing that only 10.0 may have it
[18:07:04] <xexaxo> present in 10.0.3 and 10.1+
[18:10:24] <Nikoli> xexaxo, will this patch work with 9.2.5? http://cgit.freedesktop.org/mesa/mesa/patch/?id=4dd445f1cf80292f10eda53665cefc2a674d838d
[18:10:32] <Nikoli> or it needs editing?
[18:14:45] <xexaxo> Nikoli: cannot see why it would fail. tasm has not been touched (with a few 10+ commits aside) for 2+ years
[18:15:01] <xexaxo> *gallium/tasm
[18:15:35] <xexaxo> if it does not the conflicts should be trivial

Attached patch is from http://cgit.freedesktop.org/mesa/mesa/patch/?id=4dd445f1cf80292f10eda53665cefc2a674d838d , mesa builds and works fine with it :)

I tested on 3 hardened systems: all of them work fine with this patch and do not need pax marking anymore. Please commit this patch as mesa-9.2.5-r2.ebuild.

P.S. I tested these apps: KDE session, mpv -vo opengl, glxgears, stellarium, celestia, gltron, ksudoku.
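The failure mode discussed in this thread is a JIT-style allocator that requests an RWX anonymous mapping and then uses the result without checking it. Under a PaX kernel with MPROTECT enabled the mapping is refused, mmap returns MAP_FAILED, and the caller writes through it. MAP_FAILED is (void *)-1, which on the 32-bit (-march=pentium3) build above is exactly the "ffffffff" fault address in the grsec log. The following is an added, self-contained illustration of the defensive pattern (check the result, degrade gracefully); it is not mesa's code and the names exec_mem_alloc, exec_mem_free and exec_mem_selftest are this example's own.

```c
/* Added example, not mesa's code: allocate memory for generated code the way a
 * PaX-aware allocator should, checking the mmap result instead of assuming
 * success. Names (exec_mem_*) are this example's own. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

enum exec_mem_mode { EXEC_MEM_NONE, EXEC_MEM_RWX, EXEC_MEM_FALLBACK };

struct exec_mem {
    void *ptr;
    size_t size;
    enum exec_mem_mode mode;
};

/* Try an RWX anonymous mapping. Under PaX MPROTECT the kernel denies it,
 * mmap returns MAP_FAILED (errno EPERM) and grsec logs "denied RWX mmap".
 * The unchecked variant of this call is the bug behind the segfault above. */
static struct exec_mem exec_mem_alloc(size_t size)
{
    struct exec_mem m = { NULL, size, EXEC_MEM_NONE };
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p != MAP_FAILED) {
        m.ptr = p;
        m.mode = EXEC_MEM_RWX;
        return m;
    }
    /* Denied: fall back to ordinary heap memory so the caller can take a
     * non-JIT (interpreted) path instead of dereferencing MAP_FAILED. */
    p = malloc(size);
    if (p) {
        m.ptr = p;
        m.mode = EXEC_MEM_FALLBACK;
    }
    return m;
}

/* Release with the primitive that matches how the memory was obtained. */
static void exec_mem_free(struct exec_mem *m)
{
    if (!m->ptr)
        return;
    if (m->mode == EXEC_MEM_RWX)
        munmap(m->ptr, m->size);
    else
        free(m->ptr);
    m->ptr = NULL;
    m->mode = EXEC_MEM_NONE;
}

/* Low 32 bits of MAP_FAILED: the address an unchecked caller writes to,
 * matching "Segmentation fault occurred at ffffffff" on a 32-bit build. */
static unsigned long map_failed_low32(void)
{
    return (unsigned long)(uintptr_t)MAP_FAILED & 0xffffffffUL;
}

/* Exercise the allocator: returns 1 if memory was obtained and is writable,
 * whichever mode the kernel allowed. The 0xAA fill is a constructed pattern
 * and is never executed. */
static int exec_mem_selftest(void)
{
    struct exec_mem m = exec_mem_alloc(4096);
    if (!m.ptr)
        return 0;
    memset(m.ptr, 0xAA, 16);
    int ok = ((unsigned char *)m.ptr)[0] == 0xAA;
    exec_mem_free(&m);
    return ok;
}

int main(void)
{
    struct exec_mem m = exec_mem_alloc(4096);
    printf("mode: %s\n", m.mode == EXEC_MEM_RWX ? "RWX mapping"
                       : m.mode == EXEC_MEM_FALLBACK ? "heap fallback (RWX denied)"
                       : "allocation failed");
    exec_mem_free(&m);
    return 0;
}
```

On a stock kernel the program reports "RWX mapping"; on a PaX kernel with MPROTECT enforced for the binary it reports the heap fallback instead of crashing, which is the behaviour that removes the need for a PaX marking.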
Is this bug fixed already?
You can use revdep-pax to find and mark programs depending on it, other than that there is little else we can do.
(In reply to Francisco Blas Izquierdo Riera from comment #5)
> You can use revdep-pax to find and mark programs depending on it, other than
> that there is little else we can do.

I was asking because the upstream bug [1] is marked RESOLVED/FIXED and <media-libs/mesa-9.1 is p-masked.

Nikoli has a fix for 9.2.5 (can it be backported to reach the oldest stable, 9.1.6, too?) - what is wrong with that patch?

[1]: https://bugs.freedesktop.org/show_bug.cgi?id=73473
(In reply to Dennis Schridde from comment #6)
> (In reply to Francisco Blas Izquierdo Riera from comment #5)
> > You can use revdep-pax to find and mark programs depending on it, other than
> > that there is little else we can do.
>
> I was asking, because the upstream bug [1] is marked RESOLVED/FIXED and
> <media-libs/mesa-9.1 is p-masked.
>
> Nikoli has a fix for 9.2.5 (can it be backported to reach the oldest stable,
> 9.1.6, too?) - what is wrong with that patch?
>
> [1]: https://bugs.freedesktop.org/show_bug.cgi?id=73473

We have two possibilities:

1) the RWX mapping was fixed in nouveau_dri.so, in which case this bug is done.
2) the RWX mapping is not fixed, in which case you get the seg fault. The only thing we can do then is to use revdep-pax (from the sys-app/elfix package) to find all the consumers of nouveau_dri.so and mark them.

In either case, we have a working solution to this problem. It sounds like you want a mask removed? Where is this mask?
(In reply to Anthony Basile from comment #7)
> It sounds like you want a mask removed? Where is this mask?

I do not want any mask removed. I was just mentioning that the version this was originally reported against is already masked for security vulnerabilities.
Yes, this is fixed upstream: no pax marking is required now when using nouveau drivers. Mesa releases 10.0.4 and 10.2.8 are marked stable and include commit 4dd445f1cf80292f10eda53665cefc2a674d838d.
(In reply to Nikoli from comment #9)
> Yes, this is fixed upstream: no pax marking is required now when using
> nouveau drivers. Mesa releases 10.0.4, 10.2.8 are marked stable and include
> commit 4dd445f1cf80292f10eda53665cefc2a674d838d

Thanks.