Without paxctl -p,
thunderbird is killed by my PaX kernel due to a pax violation on startup,
even when compiled with -jit.
Not always, but sometimes - it seems to depend on the mail currently selected?
paxctl -m does not suffice:
It's not an mmap; it seems to be some other execution attempt (stack?):
"Aug 4 20:22:47 lap kernel: PAX: execution attempt in: <anonymous mapping>, 2b75deed000-2b75def0000 2b75deed000
Aug 4 20:22:47 lap kernel: PAX: terminating task: /usr/lib64/thunderbird/thunderbird(thunderbird):21252, uid/euid: 500/500, PC: 000002b75deee274, SP: 000003b2e5128800
Aug 4 20:22:47 lap kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Aug 4 20:22:47 lap kernel: PAX: bytes at SP-8: 0000000000000680 fffb82b745187c80 fffb82b75b22df80 000003b2e5128890 0000000000000000 000002b74bb7bed0 000002b75b22df80 0000000000000005 000002b76ffb3b79 000003b2e5128950 000003b2e5128"
If this is really the case, it should be urged upstream: Being forced to run
thunderbird without any exec protection at all is an offense.
Portage 2.2.11-r1 (python 2.7.8-final-0, default/linux/amd64/13.0/no-multilib, gcc-4.8.3, glibc-2.19-r1, 3.15.7-hardened x86_64)
System uname: Linux-3.15.7-hardened-x86_64-Intel-R-_Core-TM-_i7_CPU_Q_820_@_1.73GHz-with-gentoo-2.2
KiB Mem: 8153564 total, 4583524 free
KiB Swap: 33554428 total, 33554428 free
Timestamp of tree: Mon, 04 Aug 2014 17:15:01 +0000
ld GNU ld (Gentoo 2.24 p1.4) 2.24
dev-lang/python: 2.7.8, 3.3.5-r1
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.11.6, 1.14.1
sys-kernel/linux-headers: 3.16 (virtual/os-headers)
Repositories: gentoo mate-overlay
ACCEPT_LICENSE="* -@EULA dlj-1.1 AdobeFlash-11.x Oracle-BCLA-JavaSE google-chrome googleearth"
CFLAGS="-march=native -mtune=native -O3 -fomit-frame-pointer -fweb -ftracer -fivopts -frename-registers -maccumulate-outgoing-args -pipe"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -mtune=native -O3 -fomit-frame-pointer -fweb -ftracer -fivopts -frename-registers -maccumulate-outgoing-args -pipe"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles keeptemp keepwork merge-sync news noclean parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
GENTOO_MIRRORS="http://de-mirror.org/distro/gentoo http://gentoo.inode.at http://ftp.halifax.rwth-aachen.de/gentoo/ http://ftp.spline.inf.fu-berlin.de/mirrors/gentoo http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="64bit X a52 aac adobe-cff alsa amd64 apng applet archive ass bzip2 cairo cdda cdparanoia clang cli contrast cups curl cxx dbus dconf demosaic detex devfs-compat dga divx dns dot dri dri3 dts dvd dvdnav dvdr dvi dvipdfm egl encode epspdf exif expat extra faad ffmpeg fftw flac fontconfig foomaticdb fts3 g3dvl gallium gbm gdk-pixbuf gif gimp glamor gles gles1 gles2 glib glibc-omitfp gmp graphics gs gstreamer gtk gtk2 gudev hpn htmlreport http hwdb iconv icu imagemagick inotify jbig jit jpeg jpeg2k kpathsea lasi latex latex3 lcdfilter lcms lensfun libkms libnotify libopts libsamplerate libwww lightning llvm llvm-gcc llvm-shared-libs lzma lzo mad metric midi minizip mmap mms mmx mmxext mng modules mp3 mpeg mpfr mta mudflap multicall natspec ncat ncurses ndiff nping nptl nscd nsplugin offensive ogg oldnet opencl opengl openmax openmp openvg opus orc pam pango pax_kernel pcre pdf pic plugins png postproc postscript ppds pstricks pth quicktime r600-llvm-compiler rar raw readline realmedia rle rpc rtc rule_generator scanner schroedinger scope secure-delete session smp sndfile sound sqlite sqlite3 sse sse2 sse3 sse4 sse4_1 sse4_2 ssh ssl ssse3 svg symlink system-cairo system-icu system-jpeg system-sqlite t1lib texi2html theora threads thunar tiff tools tremor truetype udev unicode unlock-notify unwind usb utils vaapi vdpau vim-with-x vorbis vpx webkit2 webp wmf wmp x264 xa xcb xcomposite xkb xlib-xcb xmp xorg xpm xrandr xulrunner xv xvid xvmc zip zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter 
file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer pdfimport" LINGUAS="en" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby21" SANE_BACKENDS="epson" USERLAND="GNU" VIDEO_CARDS="radeon r600 radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
firefox 31 also needs paxctl -p instead of paxctl -m,
but I've compiled firefox with jit.
Not sure if it also needs paxctl -p without jit.
Same for firefox: Even when emerged with -jit,
it needs paxctl -p (not just -m), otherwise it is killed on startup:
"Aug 5 10:48:13 lap kernel: PAX: execution attempt in: <anonymous mapping>, 292d3d05000-292d3d0c000 292d3d05000
Aug 5 10:48:13 lap kernel: PAX: terminating task: /usr/lib64/firefox/firefox(firefox):1510, uid/euid: 9999/9999, PC: 00000292d3d072b0, SP: 00000398fba05028
Aug 5 10:48:13 lap kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Aug 5 10:48:13 lap kernel: PAX: bytes at SP-8: 00000292c3622c66 00000292d4d88748 0000000000000202 00000292be9cda60 0000000000000001 fffb8292a68c7d00 fff9000000000000 00000398fba05110 00000292a67b0060 00000292c3622cac 0000000000000a01 "
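As an added example (not part of this bug report), a small parser for the two PaX kernel messages quoted above: it pairs each "execution attempt in" line with the "terminating task" line that follows, extracts binary, pid, uid and registers, and records whether the faulting PC lies inside the reported mapping, which is what tells an admin that PaX killed the process for running code from non-executable (here anonymous) memory rather than for an ordinary crash. The sample log is constructed from the lines in this bug.

```python
import re

# Constructed sample log, modelled on the PaX messages quoted in this bug
# (one thunderbird kill, one firefox kill, one unrelated PaX line between).
SAMPLE_LOG = """\
Aug 4 20:22:47 lap kernel: PAX: execution attempt in: <anonymous mapping>, 2b75deed000-2b75def0000 2b75deed000
Aug 4 20:22:47 lap kernel: PAX: terminating task: /usr/lib64/thunderbird/thunderbird(thunderbird):21252, uid/euid: 500/500, PC: 000002b75deee274, SP: 000003b2e5128800
Aug 4 20:22:47 lap kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ??
Aug 5 10:48:13 lap kernel: PAX: execution attempt in: <anonymous mapping>, 292d3d05000-292d3d0c000 292d3d05000
Aug 5 10:48:13 lap kernel: PAX: terminating task: /usr/lib64/firefox/firefox(firefox):1510, uid/euid: 9999/9999, PC: 00000292d3d072b0, SP: 00000398fba05028
"""

ATTEMPT_RE = re.compile(
    r"PAX: execution attempt in: (?P<where>.+?), (?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)")
KILL_RE = re.compile(
    r"PAX: terminating task: (?P<path>[^(]+)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)")

def parse_pax_kills(log_text):
    """Pair each 'execution attempt' line with the following 'terminating task'
    line and return one record per process that PaX killed."""
    kills, pending = [], None
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            pending = {"mapping": m["where"],
                       "start": int(m["start"], 16), "end": int(m["end"], 16)}
            continue
        m = KILL_RE.search(line)
        if m and pending is not None:
            pc = int(m["pc"], 16)
            rec = dict(pending,
                       path=m["path"], comm=m["comm"], pid=int(m["pid"]),
                       uid=int(m["uid"]), euid=int(m["euid"]),
                       pc=pc, sp=int(m["sp"], 16),
                       # PaX names the mapping the faulting PC fell into, so this
                       # is True for a genuine non-exec-memory kill; an anonymous
                       # mapping here points at JIT- or trampoline-style code.
                       pc_in_mapping=pending["start"] <= pc < pending["end"])
            kills.append(rec)
            pending = None
    return kills

def kills_per_binary(kills):
    """Count kills per executable: the first thing to check when deciding which
    binary needs re-marking instead of relaxing PaX system-wide."""
    counts = {}
    for rec in kills:
        counts[rec["path"]] = counts.get(rec["path"], 0) + 1
    return counts
```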
1.) You mis-changed the summary:
Both USE=jit and USE=-jit require paxctl -p.
For USE=jit, this is expected,
but USE=-jit should work without paxctl -p.
2.) The offender seems to be some kind of trampoline code:
At least without jit (I didn't try it with jit),
both firefox and thunderbird work with paxctl -PE,
i.e. exec protection on and trampoline emulation on.
However, just from judging from responsiveness and CPU load,
this makes firefox noticeably slower.
Forget item 2 in my last comment.
firefox seems to get killed by pax less often with emutramp enabled,
but it still gets killed now and then.
It really needs -p.
Fixed in -31.1*
(In reply to Klaus Kusche from comment #4)
> Forget item 2 in my last comment.
> firefox seems to get killed by pax less often with emutramp enabled,
> but it still gets killed now and then.
> It really needs -p.
Do tests show that 31.1 and above need -p even when USE="-jit" ?? I was under the impression that it was fine if jit was completely disabled (whether it was being disabled properly before or not, I can't be certain; I believe it wasn't the same as it wasn't on firefox)
I'm already on firefox 32.0, and I don't want to downgrade
(I'm compiling on a notebook).
I kicked thunderbird off my systems completely.
32.0: As I assumed that firefox needs -p anyway,
I switched from -jit to +jit before emerging 32.0 last weekend.
The 32.0 ebuild worked fine out of the box with my pax kernel,
with +jit and pax flags -p---m-x-e-- set automatically by the ebuild.
Shall I try -jit and then enable execute protection?
Not sure if I'll find the time (offline tomorrow, very busy on sunday,
winter term starts on monday here).
Problem was definitely introduced with 31, both firefox and thunderbird.
30 (and the corresponding thunderbird) was fine with -jit
and execute protection.
I can't tell if the problem was caused by a change in the ebuild
or a change in firefox.
(In reply to Klaus Kusche from comment #7)
> Concerning 31.1:
> I'm already on firefox 32.0, and I don't want to downgrade
> (I'm compiling on a notebook).
> I kicked thunderbird off my systems completely.
> 32.0: As I assumed that firefox needs -p anyway,
> I switched from -jit to +jit before emerging 32.0 last weekend.
> The 32.0 ebuild worked fine out of the box with my pax kernel,
> with +jit and pax flags -p---m-x-e-- set automatically by the ebuild.
> Shall I try -jit and then enable execute protection?
> Not sure if I'll find the time (offline tomorrow, very busy on sunday,
> winter term starts on monday here).
> Problem was definitely introduced with 31, both firefox and thunderbird.
> 30 (and the corresponding thunderbird) was fine with -jit
> and execute protection.
> I can't tell if the problem was caused by a change in the ebuild
> or a change in firefox.
Firefox-32 is fine, it doesn't need to be downgraded or anything. It's more thunderbird-31.1.1 (and firefox-32) that I'm worried about with USE="-jit" and pax-mark -p not being applied. So, yes, if you could test either or both of those with USE="-jit" I would very much appreciate it.
(if 'pax-mark -p' is needed even with USE="-jit" then mozilla team is going to have to sort this with a patch somehow)
It seems that the problem was caused by the ebuild and not by firefox itself:
I recompiled firefox 32.0 with -jit.
The ebuild installed the binaries with pax flags -----m-x-e--,
and they seem to work fine: No kills by the pax kernel up to now,
even with exec protection enabled.
As I said, I no longer use thunderbird.
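As an added example (not from this bug or from the Gentoo ebuilds), a decoder for the 12-character PaX markings quoted in this thread ("-p---m-x-e--" set by the 31.x ebuilds, "-----m-x-e--" after the change) and the reverse mapping from paxctl option letters to a marking. It assumes the column order paxctl -v and pax-utils print: one upper/lower-case pair per flag in the order PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC, EMUTRAMP, RANDMMAP, where upper case forces a flag on, lower case forces it off and "--" leaves the kernel default.

```python
# Assumed column order of paxctl/pax-utils markings: one (on, off) pair per
# flag, upper case = forced on, lower case = forced off, "--" = not marked.
FLAG_COLUMNS = [
    ("P", "PAGEEXEC"),  # non-executable pages: the "exec protection" in this bug
    ("S", "SEGMEXEC"),  # segmentation-based non-exec memory (32-bit only)
    ("M", "MPROTECT"),  # no new writable+executable mappings at runtime
    ("X", "RANDEXEC"),  # legacy executable-base randomisation
    ("E", "EMUTRAMP"),  # trampoline emulation (the paxctl -E tried above)
    ("R", "RANDMMAP"),  # randomised mmap base
]
VALID_OPTS = "".join(l + l.lower() for l, _ in FLAG_COLUMNS)

def decode_pax_flags(flags):
    """Turn a marking such as '-p---m-x-e--' into {flag: on|off|default}."""
    if len(flags) != 12:
        raise ValueError("expected 12 characters, got %r" % flags)
    state = {}
    for i, (letter, name) in enumerate(FLAG_COLUMNS):
        pair = flags[2 * i:2 * i + 2]
        if pair == letter + "-":
            state[name] = "on"
        elif pair == "-" + letter.lower():
            state[name] = "off"
        elif pair == "--":
            state[name] = "default"
        else:
            raise ValueError("malformed column %r for %s" % (pair, name))
    return state

def flags_from_paxctl_opts(opts):
    """Marking produced by paxctl letters, e.g. 'p', 'pm' or 'PE' (paxctl -PE)."""
    unknown = set(opts) - set(VALID_OPTS)
    if unknown:
        raise ValueError("unknown paxctl option(s): %s" % "".join(sorted(unknown)))
    cols = ["-"] * 12
    for i, (letter, name) in enumerate(FLAG_COLUMNS):
        if letter in opts and letter.lower() in opts:
            raise ValueError("%s requested both on and off" % name)
        if letter in opts:
            cols[2 * i] = letter
        elif letter.lower() in opts:
            cols[2 * i + 1] = letter.lower()
    return "".join(cols)

def exec_protection_disabled(flags):
    """True when the marking switches off PAGEEXEC (or SEGMEXEC), i.e. the
    binary runs with no non-executable-memory enforcement at all."""
    state = decode_pax_flags(flags)
    return state["PAGEEXEC"] == "off" or state["SEGMEXEC"] == "off"
```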
Interesting... thunderbird-31.1.1[jit] works fine on my system and does not require 'pax-mark -p'
The original bug report was for thunderbird 31.0.
I think pax handling has been changed since then.
firefox 31.0 also needed paxctl -p, firefox 32.0 does not.
As I still don't have a hardened test environment, could someone check if pax-mark -p is still required for www-client/firefox-31.2[jit] and mail-client/thunderbird-31.2[jit] please? I would like to drop that from the ebuilds if at all possible.
Yes, pax-mark -p is still required for both :(. So you should add it to thunderbird ebuild and leave firefox ebuild as is.
OK. thunderbird-31.2 revbumped with the additional pax-mark -p.
The actual reason was dug out by one of our users: see https://forums.grsecurity.net/viewtopic.php?f=3&t=3980#p14306 for the gory details. In short, someone at Mozilla made the rather insane decision to make their JIT engine behave the same way as shellcode-execution-based exploits (see the discussion at https://bugzilla.mozilla.org/show_bug.cgi?id=864220), which PaX will obviously never allow. Until that code is reverted/rewritten, PaX cannot be enabled on their products.