NetBSD Problem Report #51800

From www@NetBSD.org  Sun Jan  8 15:40:20 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 8A12D7A27F
	for <gnats-bugs@gnats.NetBSD.org>; Sun,  8 Jan 2017 15:40:20 +0000 (UTC)
Message-Id: <20170108154019.6D34E7A295@mollari.NetBSD.org>
Date: Sun,  8 Jan 2017 15:40:19 +0000 (UTC)
From: jdbaker@mylinuxisp.com
Reply-To: jdbaker@mylinuxisp.com
To: gnats-bugs@NetBSD.org
Subject: gnutls w/accelerated asm routines runs afoul of PAX MPROTECT on -current/i386
X-Send-Pr-Version: www-1.0

>Number:         51800
>Category:       pkg
>Synopsis:       gnutls w/accelerated asm routines runs afoul of PAX MPROTECT on -current/i386
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 08 15:45:00 +0000 2017
>Last-Modified:  Tue Jan 10 23:35:00 +0000 2017
>Originator:     John D. Baker
>Release:        NetBSD/i386-7.99.55, pkgsrc-2016Q4
>Organization:
>Environment:
NetBSD verthandi 7.99.55 NetBSD 7.99.55 (VERTHANDI) #1: Fri Jan  6 15:38:47 CST 2017  sysop@dpe2850b.technoskunk.fur:/d0/build/current/obj/i386/sys/arch/i386/compile/VERTHANDI i386

>Description:
While making another stab at pkg/51266 (see PR for context), I figured
it would be good to figure out how to fix or work around issues with
loading "gnutls" libraries--just to reduce the possible sources of
error.  This is most often seen during package builds which use
"gobject-introspection".  Example from "security/libsecret":

[...]
  GISCAN   Secret-1.gir
/usr/pkg/lib/libgnutls.so.30: text relocations
/usr/pkg/lib/libgnutls.so.30: Cannot write-enable text segment: Permission denied
Failed to load module: /usr/pkg/lib/gio/modules/libgiognutls.so

[g-ir-scanner messages]

Failed to load module: /usr/pkg/lib/gio/modules/libgiognutls.so
Command '[u'/d0/build/pkgsrc/security/libsecret/work/libsecret-0.18/tmp-introspect1lCZGZ/Secret-1', u'--introspect-dump=/d0/build/pkgsrc/security/libsecret/work/libsecret-0.18/tmp-introspect1lCZGZ/functions.txt,/d0/build/pkgsrc/security/libsecret/work/libsecret-0.18/tmp-introspect1lCZGZ/dump.xml']' returned non-zero exit status -11
[1]   Segmentation fault (core dumped) CPPFLAGS="-I/usr...
/usr/pkg/share/gobject-introspection-1.0/Makefile.introspection:155: recipe for target 'Secret-1.gir' failed
gmake[2]: *** [Secret-1.gir] Error 139
gmake[2]: Leaving directory '/d0/build/pkgsrc/security/libsecret/work/libsecret-0.18'
Makefile:1992: recipe for target 'all-recursive' failed
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory '/d0/build/pkgsrc/security/libsecret/work/libsecret-0.18'
Makefile:1147: recipe for target 'all' failed
gmake: *** [all] Error 2
*** Error code 2

Stop.
make[1]: stopped in /usr/pkgsrc/security/libsecret
*** Error code 1

Stop.
make: stopped in /usr/pkgsrc/security/libsecret

(the segfault from the mysterious "Secret-1" program included for
context, but not actually relevant to this PR).


Another discussion of this took place in this thread:

  http://mail-index.netbsd.org/pkgsrc-users/2016/10/03/msg023815.html

and specifically here:

  http://mail-index.netbsd.org/pkgsrc-users/2016/11/29/msg024028.html


I scanned everything in WRKOBJDIR for "libsecret" (and
"gobject-introspection") with 'ldd' but didn't find anything actually
linked against any gnutls libraries, even indirectly.  Even scanning
the installed "/usr/pkg/{,s}bin" and "/usr/pkg/lib" only turned up
"ffmpeg3" and "cups" binaries/libraries that referenced anything from
"gnutls".  I don't know where anything related to
"gobject-introspection" is trying to load "gnutls" stuff.

>How-To-Repeat:
Attempt to build "gobject-introspection" or anything that uses it
on i386-current after PAX MPROTECT was turned on by default.

I think I saw something similar on macppc?  It's been a long time since
I last booted NetBSD/macppc, let alone tried building any packages.

The problem does not occur on amd64.
>Fix:
Fix assembly routines to behave themselves?  I am not an x86 assembly
person.

Workaround:  Add:

  CONFIGURE_ARGS+= --disable-hardware-acceleration

for i386 (other non-amd64?) platforms with PAX MPROTECT enabled.

>Audit-Trail:
From: "John D. Baker" <jdbaker@mylinuxisp.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/51800: gnutls w/accelerated asm routines runs afoul of PAX
 MPROTECT on -current/i386
Date: Tue, 10 Jan 2017 10:47:24 -0600 (CST)

 I just noticed the following commit:

   http://mail-index.netbsd.org/pkgsrc-changes/2017/01/10/msg151353.html

 The changelog notes position-dependent code in the i386 AESNI assembly
 routines and reversion to an older version which is not position dependent.

 This may address the issue in this PR.

 I will arrange to test soon.

 -- 
 |/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
 |\ / jdbaker[snail]mylinuxisp[flyspeck]com    OpenBSD            FreeBSD
 | X  No HTML/proprietary data in email.   BSD just sits there and works!
 |/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645

From: "John D. Baker" <jdbaker@mylinuxisp.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/51800: gnutls w/accelerated asm routines runs afoul of PAX
 MPROTECT on -current/i386
Date: Tue, 10 Jan 2017 17:25:36 -0600 (CST)

 On Tue, 10 Jan 2017, John D. Baker wrote:
 > I just noticed the following commit:
 > 
 >   http://mail-index.netbsd.org/pkgsrc-changes/2017/01/10/msg151353.html
 > 
 > The changelog notes position-dependent code in the i386 AESNI assembly
 > routines and reversion to an older version which is not position dependent.
 > 
 > This may address the issue in this PR.

 Confirmed.  Updating "security/gnutls" (and "security/libtasn1") to HEAD
 and removing the workaround produces gnutls libraries that do not cause
 ld.elf_so to complain about text relocations on i386-current.

 Possibly pull these up to pkgsrc-2016Q4?


From: Thomas Klausner <wiz@NetBSD.org>
To: NetBSD bugtracking <gnats-bugs@NetBSD.org>
Cc: 
Subject: Re: pkg/51800: gnutls w/accelerated asm routines runs afoul of PAX
 MPROTECT on -current/i386
Date: Wed, 11 Jan 2017 00:32:50 +0100

 On Tue, Jan 10, 2017 at 11:30:01PM +0000, John D. Baker wrote:
 >  Possibly pull these up to pkgsrc-2016Q4?

 Requested (for the security fixes in 3.5.8).

 Thanks for finding out that this bug was fixed too!
  Thomas
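
Added example (not part of this PR and not pkgsrc or gnutls code): a library that needs text relocations carries a DT_TEXTREL entry, or the DF_TEXTREL bit in DT_FLAGS, in its ELF dynamic section, so installed libraries can be checked for that marker before they are loaded on a system with PaX MPROTECT enabled. The sketch goes beyond the i386 case discussed here and also reads ELF64 and big-endian images; has_textrel and sample_elf32 are hypothetical names, and the sample images are constructed.

```python
import struct

PT_DYNAMIC = 2                       # program header type holding the dynamic table
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4                     # bit in DT_FLAGS with the same meaning as DT_TEXTREL

def has_textrel(image: bytes) -> bool:
    """Return True if an ELF image asks the run-time linker for text relocations."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = image[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    bo = "<" if image[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        (phoff,) = struct.unpack_from(bo + "Q", image, 0x20)
        phentsize, phnum = struct.unpack_from(bo + "HH", image, 0x36)
    else:
        (phoff,) = struct.unpack_from(bo + "I", image, 0x1C)
        phentsize, phnum = struct.unpack_from(bo + "HH", image, 0x2A)
    dyn_fmt = bo + ("qQ" if is64 else "iI")      # d_tag is signed, d_val unsigned
    for i in range(phnum):
        ph = phoff + i * phentsize
        if struct.unpack_from(bo + "I", image, ph)[0] != PT_DYNAMIC:
            continue
        if is64:                     # Elf64_Phdr: p_offset at +8, p_filesz at +32
            (off,) = struct.unpack_from(bo + "Q", image, ph + 8)
            (size,) = struct.unpack_from(bo + "Q", image, ph + 32)
        else:                        # Elf32_Phdr: p_offset at +4, p_filesz at +16
            (off,) = struct.unpack_from(bo + "I", image, ph + 4)
            (size,) = struct.unpack_from(bo + "I", image, ph + 16)
        for pos in range(off, off + size, struct.calcsize(dyn_fmt)):
            tag, val = struct.unpack_from(dyn_fmt, image, pos)
            if tag == DT_NULL:       # end of the dynamic table
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

def sample_elf32(dyn_entries):
    """Constructed minimal i386 ELF32 image: header + one PT_DYNAMIC phdr + table."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_entries)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01",
                       3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_DYNAMIC, 84, 0, 0, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    flagged = sample_elf32([(1, 1), (DT_TEXTREL, 0), (DT_NULL, 0)])  # marker present
    clean = sample_elf32([(1, 1), (DT_FLAGS, 0x8), (DT_NULL, 0)])    # marker absent
    print("flagged:", has_textrel(flagged), "clean:", has_textrel(clean))
```

To check a real file, pass its contents, for example has_textrel(open(path, "rb").read()).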
