Comment 1 Magnus Granberg 2015-10-07 20:33:54 UTC

What pax flags is set on the active python?
Check you kernel Grsec/Pax logs them should have more info.
Lib libffi and cffi is allready fixed and it use CONFIG_PAX_EMUTRAMP if the
bins is correctly setup. Check so you don't have any jit enable on any libs that
calibre use.
emerge --info

Thanks for your reply!

#paxctl-ng -v /usr/bin/python2.7
/usr/bin/python2.7:
	PT_PAX    : -e---
	XATTR_PAX : -E---

#paxctl-ng -v /usr/bin/python3.4
/usr/bin/python3.4:
	PT_PAX    : -e---
	XATTR_PAX : -E---

#eselect python list
Available Python interpreters:
  [1]   python2.7
  [2]   python3.4 *

#dmesg (Only the line related to the problem)
[ 3925.641370] ebook-viewer[2747]: segfault at bbadbeef ip 000003c688d6988e sp 000003cd50f82e00 error 6 in libQt5WebKit.so.5.4.2[3c686fb9000+2427000]

My make.conf settings for Pax
PAX_MARKINGS="XT"
PAXUSE="ptpax xattr xtpax"

My make.conf settings for Python
PYTHON_TARGETS="python3_4 python2_7"
PYTHON_SINGLE_TARGET="python2_7"
USE_PYTHON="3.4 2.7"emerge 

After installation of the Pax-Kernel and with these make .conf settings I made a "emerge -av --emptytree world". 

All Pax settings are "default" which means I does not change any pax-flags at myself.

Created attachment 414206 [details]
Output of emerge --info calibre

Comment 4 Anthony Basile 2015-10-09 14:56:58 UTC

Can you try running `python -c 'import ctypes'` and see if it segfaults.  All you rsetting seem right, however, I don't understand PAXUSE="ptpax xattr xtpax"  Those flags should just be part of your USE flags.

Sorry I forgot to say: I split my USE-Flags into multiple subcategories. The Pax one I called PAXUSE, I forgot to say that. At the end I set them together with
USE="... ${PAXUSE} ..."
Just for a better overview in make.conf. So "ptpax xattr xtpax" are part of USE. 

However, `python -c 'import ctypes'` produces no segfault. 

Thanks for your answer.

Hi. I have issue with python-2.7/pax/grsec, but not calibre.
My segfaults with pyicq-t.

Thank Comment 4 for direction, I found  with: python2 -v pyicq-t
imports and track down my issue to:

$ python2 -c "import cryptography.hazmat.bindings.openssl.binding"
Segmentation fault

[ 3203.233384] python2[2070]: segfault at 0 ip 5225b785 sp 5c97ac50 error 6 in libffi.so.6.0.1[52257000+6000]
[ 3203.233403] grsec: Segmentation fault occurred at    (nil) in /usr/bin/python2.7[python2:2070] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1520] uid/euid:0/0 gid/egid:0/0

Comment 7 Magnus Granberg 2015-10-09 18:25:35 UTC

(In reply to Maxim Britov from comment #6)
> Hi. I have issue with python-2.7/pax/grsec, but not calibre.
> My segfaults with pyicq-t.
> 
> Thank Comment 4 for direction, I found  with: python2 -v pyicq-t
> imports and track down my issue to:
> 
> $ python2 -c "import cryptography.hazmat.bindings.openssl.binding"
> Segmentation fault
> 
> [ 3203.233384] python2[2070]: segfault at 0 ip 5225b785 sp 5c97ac50 error 6
> in libffi.so.6.0.1[52257000+6000]
> [ 3203.233403] grsec: Segmentation fault occurred at    (nil) in
> /usr/bin/python2.7[python2:2070] uid/euid:0/0 gid/egid:0/0, parent
> /bin/bash[bash:1520] uid/euid:0/0 gid/egid:0/0

Check that you have CONFIG_PAX_EMUTRAMP set in the kernel config.

Comment 8 Magnus Granberg 2015-10-09 18:26:48 UTC

(In reply to Gerold Schellstede from comment #5)
> Sorry I forgot to say: I split my USE-Flags into multiple subcategories. The
> Pax one I called PAXUSE, I forgot to say that. At the end I set them
> together with
> USE="... ${PAXUSE} ..."
> Just for a better overview in make.conf. So "ptpax xattr xtpax" are part of
> USE. 
> 
> However, `python -c 'import ctypes'` produces no segfault. 
> 
> Thanks for your answer.
if you change the paxmarks to m do it still segfault?

Comment 9 Anthony Basile 2015-10-09 18:43:36 UTC

(In reply to Magnus Granberg from comment #7)
> 
> Check that you have CONFIG_PAX_EMUTRAMP set in the kernel config.

The original reporter (Gerold) attached his kernel config in comment #0 ad he does have PAX_EMUTRAMP on.  So something else is going on.  I'm not sure about Maxim.

Comment 10 Magnus Granberg 2015-10-09 19:00:11 UTC

(In reply to Anthony Basile from comment #9)
> (In reply to Magnus Granberg from comment #7)
> > 
> > Check that you have CONFIG_PAX_EMUTRAMP set in the kernel config.
> 
> The original reporter (Gerold) attached his kernel config in comment #0 ad
> he does have PAX_EMUTRAMP on.  So something else is going on.  I'm not sure
> about Maxim.
Two reporter and two diffrents errors.

(In reply to Magnus Granberg from 
> Two reporter and two diffrents errors.

Sorry, but wrong title in this issue. imho

(In reply to Magnus Granberg from comment #7)
> (In reply to Maxim Britov from comment #6)
> Check that you have CONFIG_PAX_EMUTRAMP set in the kernel config.

Yes. EMUTRAMP unset. But I report issue because it works for longtime.
My kernel from 27 Sep and issue from reboot on 6 Oct.

I found source of my problem:
=dev-python/cryptography-0.9.3 fine
=dev-python/cryptography-1.0.2 segfaults

Sorry for noise here. Should it report to upstream
or EMUTRAMP=y only or 1.0 nd above?

Comment 12 Magnus Granberg 2015-10-09 21:16:14 UTC

(In reply to Maxim Britov from comment #11)
> (In reply to Magnus Granberg from 
> > Two reporter and two diffrents errors.
> 
> Sorry, but wrong title in this issue. imho
> 
> (In reply to Magnus Granberg from comment #7)
> > (In reply to Maxim Britov from comment #6)
> > Check that you have CONFIG_PAX_EMUTRAMP set in the kernel config.
> 
> Yes. EMUTRAMP unset. But I report issue because it works for longtime.
> My kernel from 27 Sep and issue from reboot on 6 Oct.
> 
> I found source of my problem:
> =dev-python/cryptography-0.9.3 fine
> =dev-python/cryptography-1.0.2 segfaults
> 
> Sorry for noise here. Should it report to upstream
> or EMUTRAMP=y only or 1.0 nd above?
Anything that use the libffi or cffi need to have EMUTRAMP on.

(In reply to Magnus Granberg from comment #8)
> (In reply to Gerold Schellstede from comment #5)
> > Sorry I forgot to say: I split my USE-Flags into multiple subcategories. The
> > Pax one I called PAXUSE, I forgot to say that. At the end I set them
> > together with
> > USE="... ${PAXUSE} ..."
> > Just for a better overview in make.conf. So "ptpax xattr xtpax" are part of
> > USE. 
> > 
> > However, `python -c 'import ctypes'` produces no segfault. 
> > 
> > Thanks for your answer.
> if you change the paxmarks to m do it still segfault?

Indeed, I changed /usr/bin/python2.7 from "-E---" to "-Em--" the segfault is gone and the program works

Short request,

shouldn't the Pax flags be set on the ELF-binaries of calibres ebook-viewer etc. instead of python 2.7 or does python 2.7 needs this flags in principle?

Thanks for the help

Comment 15 Magnus Granberg 2015-10-21 15:00:21 UTC

(In reply to Gerold Schellstede from comment #14)
> Short request,
> 
> shouldn't the Pax flags be set on the ELF-binaries of calibres ebook-viewer
> etc. instead of python 2.7 or does python 2.7 needs this flags in principle?
> 
> Thanks for the help
should be on the elf binaries
can you test that?

I thought as much! But unfortunately I do not know where the ELF-binaries of calibre, especcially of the ebook-viewer, are located. 

So if you can tell me where they are, I will try it immediately. 

Many Thanks!

Comment 17 Magnus Granberg 2015-10-21 19:00:16 UTC

(In reply to Gerold Schellstede from comment #16)
> I thought as much! But unfortunately I do not know where the ELF-binaries of
> calibre, especcially of the ebook-viewer, are located. 
> 
> So if you can tell me where they are, I will try it immediately. 
> 
> Many Thanks!

Looks like calibre is alot of python code.
The main prob is in qt webkit looks like it use jit in the js
code

(In reply to Magnus Granberg from comment #17)
> (In reply to Gerold Schellstede from comment #16)
> > I thought as much! But unfortunately I do not know where the ELF-binaries of
> > calibre, especcially of the ebook-viewer, are located. 
> > 
> > So if you can tell me where they are, I will try it immediately. 
> > 
> > Many Thanks!
> 
> Looks like calibre is alot of python code.
> The main prob is in qt webkit looks like it use jit in the js
> code

I tested the following settings while setting /usr/bin/python2.7 to default (-E---). 

1) Set "/usr/lib64/libpython3.4.so.1.0" to "perms" and "/usr/lib64/libpython3.4.so.1.0" to "perms" --> Does not work

2) Setting them both to "--m--" --> Does not work

3) Setting them both to "-Em--" --> Does not work

4) I tested the three settings above for each of "/usr/lib64/libpython3.4.so.1.0" and "/usr/lib64/libpython3.4.so.1.0" separately while set the other one to its default settings. --> Does not work 

Going back to (-Em--) "/usr/bin/python2.7" resolves the problem again?!?

Comment 19 Mike Gilbert 2015-11-06 18:18:18 UTC

This is at the third report in the last month or so from a user with EMUTRAMP disabled hitting PaX faults for python-related stuff.

Did something change?

Can we do anything to prevent these duplicate bug reports?

Comment 20 Mike Gilbert 2015-11-06 18:19:03 UTC

Sorry, this was meant for bug 564940, but the question still stands.

Comment 21 Magnus Granberg 2015-11-06 22:12:31 UTC

Created attachment 416198 [details, diff]
disable jit

This patch should disable jit on qtwebkit
can some one test it?

Comment 22 Anthony Basile 2015-11-06 22:51:54 UTC

(In reply to Mike Gilbert from comment #20)
> Sorry, this was meant for bug 564940, but the question still stands.

Nothing changed that would be triggering this bug. 4475_emutramp_default_on.patch is present in all hardened-sources patchsets and it turns off EMUTRAMP by default.  The user has to manually turn off this option to hit this bug.

I have no explanation at this time why 3 such bugs appeared in the last month.

(In reply to Anthony Basile from comment #22)
> (In reply to Mike Gilbert from comment #20)
> > Sorry, this was meant for bug 564940, but the question still stands.
> 
> Nothing changed that would be triggering this bug.
> 4475_emutramp_default_on.patch is present in all hardened-sources patchsets
> and it turns off EMUTRAMP by default.  The user has to manually turn off
> this option to hit this bug.
> 
> I have no explanation at this time why 3 such bugs appeared in the last
> month.

I am just asking to be sure what you mean. I enabled EMUTRAMP in the kernel, but the outcome is that it is deactivated by default?! So I have to enable it manually?! 

But then I do not understand that python 2.7 does not work with -E--- so I have to set -Em-- to make it work???

What is the relation to the disable jit patch?

If someone explains to which ebuild (with version) the patch should be applied I will test it.

Best regards

Comment 24 Magnus Granberg 2015-11-07 11:57:32 UTC

(In reply to Gerold Schellstede from comment #23)
> (In reply to Anthony Basile from comment #22)
> > (In reply to Mike Gilbert from comment #20)
> > > Sorry, this was meant for bug 564940, but the question still stands.
> > 
> > Nothing changed that would be triggering this bug.
> > 4475_emutramp_default_on.patch is present in all hardened-sources patchsets
> > and it turns off EMUTRAMP by default.  The user has to manually turn off
> > this option to hit this bug.
> > 
> > I have no explanation at this time why 3 such bugs appeared in the last
> > month.
> 
> I am just asking to be sure what you mean. I enabled EMUTRAMP in the kernel,
> but the outcome is that it is deactivated by default?! So I have to enable
> it manually?! 
> 
> But then I do not understand that python 2.7 does not work with -E--- so I
> have to set -Em-- to make it work???
Python works well with E but calibre is importing qtwebkit that use jit and
the only way around it to run python with m or disable jit in 
qtwebkit as the patch do.
> 
> What is the relation to the disable jit patch?
> 
> If someone explains to which ebuild (with version) the patch should be
> applied I will test it.
> 
> Best regards
the patch is for qtwebkit 5.X

(In reply to Magnus Granberg from comment #24)
> (In reply to Gerold Schellstede from comment #23)
> > (In reply to Anthony Basile from comment #22)
> > > (In reply to Mike Gilbert from comment #20)
> > > > Sorry, this was meant for bug 564940, but the question still stands.
> > > 
> > > Nothing changed that would be triggering this bug.
> > > 4475_emutramp_default_on.patch is present in all hardened-sources patchsets
> > > and it turns off EMUTRAMP by default.  The user has to manually turn off
> > > this option to hit this bug.
> > > 
> > > I have no explanation at this time why 3 such bugs appeared in the last
> > > month.
> > 
> > I am just asking to be sure what you mean. I enabled EMUTRAMP in the kernel,
> > but the outcome is that it is deactivated by default?! So I have to enable
> > it manually?! 
> > 
> > But then I do not understand that python 2.7 does not work with -E--- so I
> > have to set -Em-- to make it work???
> Python works well with E but calibre is importing qtwebkit that use jit and
> the only way around it to run python with m or disable jit in 
> qtwebkit as the patch do.
> > 
> > What is the relation to the disable jit patch?
> > 
> > If someone explains to which ebuild (with version) the patch should be
> > applied I will test it.
> > 
> > Best regards
> the patch is for qtwebkit 5.X

Thanks really a lot. 

The patch does the trick. Calibre works now with all its features using python's "out the box pax-flags". 

The outcome of the problem seems to be that a jit-flag is needed for all future versions of qtwebkit 5.x. 

Should someone file a bug-report for qtwebkit5.x about this need?

Best Regards

Comment 26 Magnus Granberg 2015-11-26 15:50:03 UTC

*** Bug 566914 has been marked as a duplicate of this bug. ***

Comment 27 Jeroen Roovers (RETIRED) 2015-12-25 19:24:13 UTC

*** Bug 569108 has been marked as a duplicate of this bug. ***

Comment 28 Michael Palimaka (kensington) 2016-01-15 07:09:24 UTC

Thanks everyone, fixed in git.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09ef50e18b133b1fa59ef57a384933d7dde4e69c