Bug 100054 - sys-auth/polkit-0.113-r2::gentoo segfault and error 4 in libpthread-2.23.so when enabled PAX_NOEXEC(linux hardened)
Status: RESOLVED MOVED
Alias: None
Product: PolicyKit
Classification: Unclassified
Component: daemon
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium major
Assignee: David Zeuthen (not reading bugmail)
QA Contact: David Zeuthen (not reading bugmail)
Reported: 2017-03-03 18:06 UTC by xdev52
Modified: 2018-08-20 21:33 UTC

Description xdev52 2017-03-03 18:06:05 UTC
sys-auth/polkit-0.113-r2::gentoo was built with the following:
USE="gtk introspection nls pam (-elogind) -examples -jit -kde (-selinux) -systemd -test"

sh bash 4.4_p12
ld GNU ld (Gentoo 2.26.1 p1.0) 2.26.1
ccache version 3.3.4 [enabled]
app-shells/bash:          4.4_p12::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.24.1::gentoo
dev-lang/python:          2.7.13::gentoo, 3.4.6::gentoo, 3.5.3::gentoo
dev-util/ccache:          3.3.4::gentoo
dev-util/cmake:           3.7.2::gentoo
dev-util/pkgconfig:       0.29.1::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.22.4::gentoo
sys-apps/sandbox:         2.10-r3::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r2::gentoo
sys-devel/automake:       1.11.6-r2::gentoo, 1.13.4-r1::gentoo, 1.14.1-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.26.1::gentoo, 2.27::gentoo
sys-devel/gcc:            5.4.0-r2::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.9::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r3::gentoo

HERE:

# gdb -q /usr/bin/pkaction
Reading symbols from /usr/bin/pkaction...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/bin/pkaction
warning: Cannot call inferior functions, Linux kernel PaX protection forbids return to non-executable pages!
[New LWP 10752]
[New LWP 10753]
Error getting authority: Error initializing authority: Error calling StartServiceByName for org.freedesktop.PolicyKit1: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildSignaled: Process org.freedesktop.PolicyKit1 received signal 11
[LWP 10752 exited]
[LWP 10740 exited]
[Inferior 1 (process 10740) exited with code 01]

dmesg LOG:

[24394.960110] PAX: execution attempt in: <anonymous mapping>, 39ca97f2000-39ca97f3000 39ca97f2000
[24394.960115] PAX: terminating task: /usr/bin/gdb(gdb):10743, uid/euid: 0/0, PC: 0000039ca97f2000, SP: 000003a80217e4b0
[24394.960118] PAX: bytes at PC: cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

[24394.960132] PAX: bytes at SP-8: 0000039ca97f2000 0000039ca7eed788 0000000000000000 0000000000000018 0000001f9fce145f 000003a80217e4d8 d9b33c462bec4500 00000000000029f5 00000000000029f5 000003a80217e514 00000000000029f5

[24395.076960] polkitd[10756]: segfault at 10 ip 000003963b468a93 sp 000003fe59ec9620 error 4 in libpthread-2.23.so[3963b45f000+17000]
Comment 1 Simon McVittie 2017-03-03 19:36:13 UTC
(In reply to xdev52 from comment #0)
> # gdb -q /usr/bin/pkaction

It is polkitd that is crashing, not pkaction, so you will need to attach gdb to polkitd (not pkaction) to get a useful backtrace.

polkit uses mozjs (the Mozilla JavaScript engine) to interpret its domain-specific language, and JavaScript interpreters typically use JIT which relies on generating executable code in memory and running it. This makes me speculate that the version of mozjs you have might not be compatible with the PAX kernel.

I notice you have configured "-jit" which suggests that your kernel is known not to work well with JIT. Perhaps that setting has not actually been effective in preventing mozjs from using JIT?

You might get better results by talking to the Hardened Gentoo maintainers - I would guess that they see this sort of thing a lot. If so, please respond here with any more information you/they can provide.
Comment 2 xdev52 2017-03-03 20:34:32 UTC
(In reply to Simon McVittie from comment #1)
> (In reply to xdev52 from comment #0)
> > # gdb -q /usr/bin/pkaction
> 
> It is polkitd that is crashing, not pkaction, so you will need to attach gdb
> to polkitd (not pkaction) to get a useful backtrace.
> 
> polkit uses mozjs (the Mozilla JavaScript engine) to interpret its
> domain-specific language, and JavaScript interpreters typically use JIT
> which relies on generating executable code in memory and running it. This
> makes me speculate that the version of mozjs you have might not be
> compatible with the PAX kernel.
> 
> I notice you have configured "-jit" which suggests that your kernel is known
> not to work well with JIT. Perhaps that setting has not actually been
> effective in preventing mozjs from using JIT?
> 
> You might get better results by talking to the Hardened Gentoo maintainers -
> I would guess that they see this sort of thing a lot. If so, please respond
> here with any more information you/they can provide.

here:

# gdb -q /usr/lib/polkit-1/polkitd
Reading symbols from /usr/lib/polkit-1/polkitd...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/lib64/polkit-1/polkitd
warning: Cannot call inferior functions, Linux kernel PaX protection forbids return to non-executable pages!
Successfully changed to user polkitd
[New LWP 16284]
[New LWP 16285]

Thread 1 "polkitd" received signal SIGSEGV, Segmentation fault.
0x000003556bf5ba93 in ?? ()

dmesg:

[34060.196688] PAX: execution attempt in: <anonymous mapping>, 35f60a57000-35f60a58000 35f60a57000
[34060.196693] PAX: terminating task: /usr/bin/gdb(gdb):16274, uid/euid: 0/0, PC: 0000035f60a57000, SP: 000003a625e87570
[34060.196695] PAX: bytes at PC: cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

[34060.196709] PAX: bytes at SP-8: 0000035f60a57000 0000035f5f152788 0000000000000000 0000000000000018 00000002e30cc45f 000003a625e87598 a28b850286a0fd00 0000000000003f90 0000000000003f90 000003a625e875d4 0000000000003f90
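The two kinds of kernel log lines quoted in this thread (the "PAX: execution attempt" / "PAX: terminating task" pair and the "segfault at ... error N" line) carry more information than is obvious at a glance. The following Python script is an added example, not code from the bug thread or from polkit: it parses those lines, checks that the PaX fault address lies inside the flagged anonymous mapping, decodes the x86 page-fault error code (bit 0 protection violation vs. not-present page, bit 1 write vs. read, bit 2 user vs. kernel mode, bit 3 reserved bit, bit 4 instruction fetch, as printed by the kernel's x86 fault handler), and computes the crashing instruction's offset inside the named shared object so it can be looked up with a symbolised copy of that library. The "likely NULL-pointer dereference" flag for fault addresses inside the first page is a heuristic of this example, not something the page states. The sample input is copied from the dmesg output in the report above.

```python
"""Parse PaX and segfault dmesg lines and decode what they report (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Sample input: lines copied from the dmesg output quoted in this report.
SAMPLE_DMESG = """\
[24394.960110] PAX: execution attempt in: <anonymous mapping>, 39ca97f2000-39ca97f3000 39ca97f2000
[24394.960115] PAX: terminating task: /usr/bin/gdb(gdb):10743, uid/euid: 0/0, PC: 0000039ca97f2000, SP: 000003a80217e4b0
[24395.076960] polkitd[10756]: segfault at 10 ip 000003963b468a93 sp 000003fe59ec9620 error 4 in libpthread-2.23.so[3963b45f000+17000]
"""

# Common "[seconds.micros] " prefix printed by dmesg.
TS = r"^\[\s*(?P<ts>[\d.]+)\] "
PAX_EXEC_RE = re.compile(TS + r"PAX: execution attempt in: (?P<region>.+?), "
                         r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<fault>[0-9a-f]+)\s*$")
PAX_TERM_RE = re.compile(TS + r"PAX: terminating task: (?P<path>\S+?)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
                         r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)")
SEGFAULT_RE = re.compile(TS + r"(?P<comm>.+?)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
                         r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
                         r"(?: in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

# x86 page-fault error code bits: (mask, meaning when set, meaning when clear).
X86_PF_BITS = [
    (1 << 0, "protection violation", "page not present"),
    (1 << 1, "write", "read"),
    (1 << 2, "user mode", "kernel mode"),
    (1 << 3, "reserved bit set", None),
    (1 << 4, "instruction fetch", None),
]


@dataclass
class PaxExecAttempt:
    ts: float
    region: str
    start: int
    end: int
    fault: int

    def fault_in_region(self) -> bool:
        """True when the address PaX refused to execute lies inside the reported mapping."""
        return self.start <= self.fault < self.end


@dataclass
class PaxTerminate:
    ts: float
    path: str
    comm: str
    pid: int
    uid: int
    euid: int
    pc: int
    sp: int


@dataclass
class Segfault:
    ts: float
    comm: str
    pid: int
    addr: int
    ip: int
    sp: int
    error: int
    obj: Optional[str]
    base: Optional[int]

    def offset_in_obj(self) -> Optional[int]:
        """Offset of the faulting instruction inside the named shared object (for addr2line/objdump)."""
        return None if self.base is None else self.ip - self.base


LogEvent = Union[PaxExecAttempt, PaxTerminate, Segfault]


def decode_error_code(err: int) -> List[str]:
    """Expand the numeric 'error N' field into its x86 page-fault flag names."""
    names = []
    for mask, set_name, clear_name in X86_PF_BITS:
        if err & mask:
            names.append(set_name)
        elif clear_name:
            names.append(clear_name)
    return names


def likely_null_deref(ev: Segfault) -> bool:
    """Heuristic (assumption of this example): a fault inside the first page is almost always NULL + offset."""
    return ev.addr < 0x1000


def parse_line(line: str) -> Optional[LogEvent]:
    m = PAX_EXEC_RE.match(line)
    if m:
        return PaxExecAttempt(float(m["ts"]), m["region"], int(m["start"], 16),
                              int(m["end"], 16), int(m["fault"], 16))
    m = PAX_TERM_RE.match(line)
    if m:
        return PaxTerminate(float(m["ts"]), m["path"], m["comm"], int(m["pid"]),
                            int(m["uid"]), int(m["euid"]), int(m["pc"], 16), int(m["sp"], 16))
    m = SEGFAULT_RE.match(line)
    if m:
        return Segfault(float(m["ts"]), m["comm"], int(m["pid"]), int(m["addr"], 16),
                        int(m["ip"], 16), int(m["sp"], 16), int(m["err"]), m["obj"],
                        int(m["base"], 16) if m["base"] else None)
    return None  # unrelated dmesg line


def parse_dmesg(text: str) -> List[LogEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def describe(ev: LogEvent) -> str:
    if isinstance(ev, PaxExecAttempt):
        where = "inside" if ev.fault_in_region() else "outside"
        return (f"PaX refused execution at {ev.fault:#x}, {where} {ev.region} "
                f"{ev.start:#x}-{ev.end:#x}: code was run from a non-executable page")
    if isinstance(ev, PaxTerminate):
        return f"PaX killed {ev.comm} (pid {ev.pid}, {ev.path}) running as uid {ev.uid}, PC={ev.pc:#x}"
    text = f"{ev.comm}[{ev.pid}] faulted at {ev.addr:#x}: {', '.join(decode_error_code(ev.error))}"
    if ev.obj is not None:
        text += f"; ip is {ev.obj}+{ev.offset_in_obj():#x}"
    if likely_null_deref(ev):
        text += " (likely NULL-pointer dereference)"
    return text


if __name__ == "__main__":
    for event in parse_dmesg(SAMPLE_DMESG):
        print(describe(event))
```

Run against the sample, the polkitd line decodes as a user-mode read of a not-present page at address 0x10 with the instruction pointer at libpthread-2.23.so+0x9a93, which is the value to feed to `addr2line -e` on a debug-symbol copy of that library; the PaX pair shows that the process killed in this capture is gdb itself, not polkitd, which matches the "Cannot call inferior functions" warning gdb printed on the same run.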
Comment 3 GitLab Migration User 2018-08-20 21:33:46 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/polkit/polkit/issues/1.