Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 446850 - thunderbird-17.0-r2 fails to install with CONFIG_PAX_MPROTECT enabled
Summary: thunderbird-17.0-r2 fails to install with CONFIG_PAX_MPROTECT enabled
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: AMD64 Linux
: Normal normal (vote)
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-11 08:41 UTC by Octave Berry
Modified: 2019-03-09 15:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Octave Berry 2012-12-11 08:41:56 UTC
Compiling thunderbird on a PaX enabled system, its buildsystem gets killed by pax with a segfault.

The following error is found in the kernel log

[23459.632962] grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/mail-client/thunderbird-17.0-r2/work/comm-release/tbird/mozilla/dist/bin/xpcshell[xpcshell:20633] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:20604] uid/euid:0/0 gid/egid:0/0
[23459.651685] grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/mail-client/thunderbird-17.0-r2/work/comm-release/tbird/mozilla/dist/bin/xpcshell[xpcshell:20633] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:20604] uid/euid:0/0 gid/egid:0/0
[23459.668034] grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/mail-client/thunderbird-17.0-r2/work/comm-release/tbird/mozilla/dist/bin/xpcshell[xpcshell:20633] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:20604] uid/euid:0/0 gid/egid:0/0
[23459.668041] xpcshell[20633]: segfault at 78 ip 000002ea7c12e2af sp 000003a431f01aa0 error 6 in libxul.so[2ea7a44d000+25dd000]

paxtcl -m /var/tmp/portage/mail-client/thunderbird-17.0-r2/work/comm-release/tbird/mozilla/dist/bin/xpcshell then relaunching installation works.

Reproducible: Always

Steps to Reproduce:
1. Have a system with CONFIG_PAX_MPROTECT set
2. emerge =mail-client/thunderbird-17.0-r2
Comment 1 Octave Berry 2012-12-11 08:43:41 UTC
Portage 2.1.11.36 (hardened/linux/amd64, gcc-4.7.2, glibc-2.16.0, 3.6.8-hardened x86_64)
=================================================================
System uname: Linux-3.6.8-hardened-x86_64-Intel-R-_Core-TM-_i5-2540M_CPU_@_2.60GHz-with-gentoo-2.2
Timestamp of tree: Mon, 10 Dec 2012 23:15:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
distcc 3.1 x86_64-pc-linux-gnu [enabled]
app-shells/bash:          4.2_p39
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.3-r2, 3.2.3-r1
dev-util/cmake:           2.8.10.2
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.5
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.7.2
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.16.0
Repositories: gentoo x11 spring paddymac armagetron x-portage
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=corei7-avx -mtune=corei7-avx -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/shorewall /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.0/conf /usr/share/openvpn/easy-rsa /usr/share/polkit-1/actions /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /usr/bin/startx"
CXXFLAGS="-march=corei7-avx -mtune=corei7-avx -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--quiet-build=n"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distcc distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.switch.ch/ftp/mirror/gentoo/"
LANG="fr_FR.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/x11 /var/lib/layman/Spring /var/lib/layman/paddymac /var/lib/layman/armagetron /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac aalib acl acpi alsa amd64 amr apng avx bash-completion berkdb bluetooth bzip2 cdda cddb cjk cli clock cracklib crypt cscope cups curl cxx dbus dc1394 declarative device-mapper dirac directfb djvu dri dts dvb dvd eap-sim ebook egl embedded encode exif faac fasteap fbcon ffmpeg fftw flac fluidsynth fontconfig frei0r fuse g3dvl gbm gdal gdbm geos gif gles1 gles2 gmp go gpm graphics graphite graphviz gs gstreamer hardened hdri iconv icu ieee1394 imagemagick iproute2 ipv6 jbig jpeg jpeg2k justify kde kerberos lcms libass libnotify libv4l2 llvm lzma mad matroska midi mikmod mmx mng mod modules mp3 mpeg mtp mudflap multilib multitarget mysql ncurses netlink network nls nptl ntfsprogs objc objc++ objc-gc ogg openal openexr opengl openmp openvg osmesa outputs pam pax_kernel pcre pdf pic png postgres pppd proj pstricks pulseaudio python qt3support qt4 raw readline reports rtmp rtsp ruby schroedinger sdl semantic-desktop session shout skins smp sna speex sql sqlite sqlite3 sse sse2 sse3 sse4_1 ssl ssse3 svg system-sqlite taglib tcpd theora threads tiff truetype twolame udev unicode unlock-notify urandom usb utils v4l v4l2 vaapi video vim-pager vim-syntax vorbis vpx wayland webkit webp wma-fixed wmf wps x264 xattr xcb xetex xinerama xml xv xvid xvmc zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias proxy proxy_http" APACHE2_MPMS="event" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="pc efi-64 multiboot" INPUT_DEVICES="keyboard mouse evdev keyboard mouse evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="fr" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" QEMU_SOFTMMU_TARGETS="arm i386 x86_64 ppc ppc64" QEMU_USER_TARGETS="arm i386 x86_64 ppc ppc64" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="intel i915 i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 2 Delete ME 2012-12-11 10:47:36 UTC
I can confirm the issue.

- /var/log/pax.log shows

Dec 11 11:37:52 localhost kernel: PAX: execution attempt in: <anonymous mapping>, 32eeef3f000-32eeef4f000 32eeef3f000
Dec 11 11:37:52 localhost kernel: PAX: terminating task: /var/tmp/portage/mail-client/thunderbird-17.0-r2/work/comm-release/tbird/mozilla/dist/bin/xpcshell(xpcshell):9476, uid/euid: 0/0, PC: 0000032eeef3ff38, SP: 000003b87f1601c8
Dec 11 11:37:52 localhost kernel: PAX: bytes at PC: 55 48 89 e5 53 89 31 48 83 ec 08 83 c6 01 39 d6 0f 87 f7 00 
Dec 11 11:37:52 localhost kernel: PAX: bytes at SP-8: 0000000000000005 0000032eed547ea3 0000400500000002 0000032ed9f30b70 000003b87f160330 000003b87f160270 0000032edaded060 a3dc7e324a7a6c00 0000032edaded060 0000032ee0d6b4c0 000003b87f160330 

box ~ # emerge --info
Portage 2.1.11.31 (hardened/linux/amd64, gcc-4.5.4, glibc-2.15-r3, 3.6.8-hardened-v1 x86_64)
=================================================================
System uname: Linux-3.6.8-hardened-v1-x86_64-Intel-R-_Core-TM-_i7-3770T_CPU_@_2.50GHz-with-gentoo-2.1
Timestamp of tree: Tue, 11 Dec 2012 00:45:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.11.6
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mcx16 -msahf -maes -mpclmul -mpopcnt -mavx --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=8192 -mtune=core2 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -mcx16 -msahf -maes -mpclmul -mpopcnt -mavx --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=8192 -mtune=core2 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch webrsync-gpg xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="de_DE.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC=""
USE="X aac acl acpi alsa amd64 apng bash-completion berkdb branding bzip2 cairo cdr clamav clamdtop cli consolekit cracklib crypt css curl cxx dbus device-mapper dhcpcd dri dts dvd dvdr encode exif expat extras ffmpeg fftw flac fontconfig ftp gdbm gdu gif git gnutls gphoto2 gpm gsm gtk gtkhtml gudev gzip hardened hwdb iconv icu idn ieee1394 imagemagick imap imlib ipc ipv6 iscsi java javascript jpeg jpeg2k justify kvm lame libkms libnotify llvm lm_sensors lock lvm lzma lzo mad mem-scramble memlimit mime mmap mmx mng modules mozilla mp3 mp4 mpeg mplayer mudflap multilib natspec ncurses networkmanager nfs nls nptl nsplugin ogg openal opengl openmp pam pax_kernel pcre pdf pdfimport perl pkcs11 png policykit posix postscript ppp pppd python qemu quicktime rar raw rdesktop readline sdl session sharedmem smartcard smp sna sockets socks5 sound speex sse sse2 sse3 sse4 sse4_1 ssl ssse3 startup-notification subversion svg syslog-ng szip tcpd theora threads thunar tiff tls truetype udev unicode urandom usb vaapi virt-network virtfs vnc vorbis webm win32 wmf x264 xattr xft xml xorg xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de en" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 3 Delete ME 2012-12-14 17:52:48 UTC
The change on 2012/12/11 03:11:48 by axs has solved the issue.

11 Dec 2012; Ian Stakenvicius (axs) thunderbird-17.0-r2.ebuild:
Put them back again as the js engine needs them

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/mail-client/thunderbird/thunderbird-17.0-r2.ebuild?r1=1.2&r2=1.3
Comment 4 Thomas Deutschmann gentoo-dev Security 2019-03-09 15:48:20 UTC
Closed as resolved as per comment #3.