Re: PaX mprotect now on for amd64
chris...@zoulas.com (Christos Zoulas) writes: >Hi, >I just turned on mprotect for amd64. The following sysctls have >been set to 1 >security.pax.mprotect.enable=1 >security.pax.mprotect.global=1 >If you want to see what processes hit this you can: >security.pax.mprotect.debug=1 >This breaks programs that need to map segments both writable and executable, >for example java. To fix them you can: >paxctl +m /path/to/bin/java It also hits firefox (from pkgsrc) or glxgears (from xbase). pax_mprotect_adjust: /home/netbsd-current/src/sys/uvm/uvm_mmap.c,418: 266.1 (glxgears): -x pid 266 (glxgears), uid 61: exited on signal 11 (core dumped) gdb cannot use the coredump, either gdb is broken or the stack in the coredump is damaged. glxgears tries to execute code that starts on a page close to the stack. rsp 0x7f7fc7e8 rip 0x7f7fefe0 -- -- Michael van Elst Internet: mlel...@serpens.de "A potential Snark may lurk in every tree."
daily CVS update output
Updating src tree: P src/distrib/notes/common/main P src/doc/roadmaps/networking U src/doc/roadmaps/people/christos P src/sys/arch/sparc/include/psl.h P src/sys/arch/sparc64/include/psl.h P src/sys/arch/sparc64/sparc64/locore.s P src/sys/dev/pci/if_wm.c P src/sys/netinet6/icmp6.c P src/sys/netinet6/in6_src.c P src/sys/netinet6/nd6.c Updating xsrc tree: Killing core files: Running the SUP scanner: SUP Scan for current starting at Thu May 19 03:01:51 2016 SUP Scan for current completed at Thu May 19 03:02:15 2016 SUP Scan for mirror starting at Thu May 19 03:02:15 2016 SUP Scan for mirror completed at Thu May 19 03:05:14 2016 Updating file list: -rw-rw-r-- 1 srcmastr netbsd 53938255 May 19 03:07 ls-lRA.gz
Re: PaX mprotect now on for amd64
On Sun, 15 May 2016 12:29:16 +0200 Kamil Rytarowski wrote: > On 15.05.2016 10:22, David Brownlee wrote: > > Would it make sense to (possibly optionally) integrate this into > > pkgsrc builds for at least java? (the paxctl +m call) > > It makes sense, it has been already done for editors/emacs24 (but for > the +a option). I'm also having trouble with nodejs and firefox segfaulting from this. I bet there are many other packages yet to be discovered to be broken. We need to invent some better way to deal with this than how it was done for emacs. -Tobias