[GHC] #12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault
#12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault ----------------------------------------+---------------------------------- Reporter: PoroCYon | Owner: Type: bug | Status: new Priority: normal | Milestone: Component: Runtime System | Version: 8.0.1 Keywords: | Operating System: Linux Architecture: Unknown/Multiple | Type of failure: Runtime crash Test Case: | Blocked By: Blocking: | Related Tickets: Differential Rev(s): | Wiki Page: ----------------------------------------+---------------------------------- When compiling a package (cabal or stack doesn't matter) or launching GHCi while running a kernel with GrSec and PaX patches, GHC segfaults because GrSec denies an RWX mmap. Some packages do compile successfully, but others (such as optparse- applicative) don't. Launching GHCi always results in a segfault. Here's the output of ghc when compiling the optparse-applicative package: {{{ Building optparse-applicative-0.13.0.0... Preprocessing library optparse-applicative-0.13.0.0... [ 1 of 15] Compiling Options.Applicative.Help.Pretty ( Options/Applicative/Help/Pretty.hs, dist/build/Options/Applicative/Help/Pretty.o ) [ 2 of 15] Compiling Options.Applicative.Help.Chunk ( Options/Applicative/Help/Chunk.hs, dist/build/Options/Applicative/Help/Chunk.o ) [ 3 of 15] Compiling Options.Applicative.Help.Types ( Options/Applicative/Help/Types.hs, dist/build/Options/Applicative/Help/Types.o ) [ 4 of 15] Compiling Options.Applicative.Types ( Options/Applicative/Types.hs, dist/build/Options/Applicative/Types.o ) [ 5 of 15] Compiling Options.Applicative.Internal ( Options/Applicative/Internal.hs, dist/build/Options/Applicative/Internal.o ) [ 6 of 15] Compiling Options.Applicative.Common ( Options/Applicative/Common.hs, dist/build/Options/Applicative/Common.o ) [ 7 of 15] Compiling Options.Applicative.Help.Core ( Options/Applicative/Help/Core.hs, dist/build/Options/Applicative/Help/Core.o ) ghc: mmap 131072 bytes at (nil): Operation not permitted ghc: Try specifying an address with +RTS -xm<addr> -RTS Segmentation fault (core dumped) }}} GrSec log in dmesg: {{{ [15873.000867] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/ghc-8.0.1/bin/ghc[ghc_worker:16494] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/cabal[cabal:16486] uid/euid:1000/1000 gid/egid:1000/1000 [15873.001018] ghc_worker[16494]: segfault at 0 ip 000003b6c3a7167f sp 000002b6c23d8e50 error 6 in libHSrts_thr-ghc8.0.1.so[3b6c3a4f000+62000] }}} And here's the one for ghci: {{{ $ ghci GHCi, version 8.0.1: http://www.haskell.org/ghc/ :? for help ghc: mmap 131072 bytes at (nil): Operation not permitted ghc: Try specifying an address with +RTS -xm<addr> -RTS Segmentation fault (core dumped) $ echo $? 139 }}} GrSec complained here with: {{{ [14756.354725] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/ghc-8.0.1/bin/ghc[ghc:15883] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xonsh[xonsh:15879] uid/euid:1000/1000 gid/egid:1000/1000 [14756.354875] ghc[15883]: segfault at 0 ip 00000379c0e0b67f sp 000003f0b7278ce0 error 6 in libHSrts_thr-ghc8.0.1.so[379c0de9000+62000] }}} -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/12657 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault -----------------------------------+-------------------------------------- Reporter: PoroCYon | Owner: Type: bug | Status: new Priority: normal | Milestone: Component: Runtime System | Version: 8.0.1 Resolution: | Keywords: Operating System: Linux | Architecture: x86_64 (amd64) Type of failure: Runtime crash | Test Case: Blocked By: | Blocking: Related Tickets: | Differential Rev(s): Wiki Page: | -----------------------------------+-------------------------------------- Changes (by PoroCYon): * architecture: Unknown/Multiple => x86_64 (amd64) -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/12657#comment:1 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault -------------------------------------+------------------------------------- Reporter: PoroCYon | Owner: Type: bug | Status: new Priority: normal | Milestone: Component: Runtime System | Version: 8.0.1 Resolution: | Keywords: grsec, pax, | mmap, rts Operating System: Linux | Architecture: x86_64 | (amd64) Type of failure: Runtime crash | Test Case: Blocked By: | Blocking: Related Tickets: | Differential Rev(s): Wiki Page: | -------------------------------------+------------------------------------- Changes (by PoroCYon): * keywords: => grsec, pax, mmap, rts -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/12657#comment:2 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault -------------------------------------+------------------------------------- Reporter: PoroCYon | Owner: Type: bug | Status: new Priority: normal | Milestone: Component: Runtime System | Version: 8.0.1 Resolution: | Keywords: grsec, pax, | mmap, rts Operating System: Linux | Architecture: x86_64 | (amd64) Type of failure: Runtime crash | Test Case: Blocked By: | Blocking: Related Tickets: | Differential Rev(s): Wiki Page: | -------------------------------------+------------------------------------- Description changed by PoroCYon: @@ -7,0 +7,4 @@ + + I've tried mounting /tmp as executable (as described eg. + [http://stackoverflow.com/questions/6103510/ghc-cabal-install-hamlet- + fails-with-an-obscure-error here]), but that didn't do anything. New description: When compiling a package (cabal or stack doesn't matter) or launching GHCi while running a kernel with GrSec and PaX patches, GHC segfaults because GrSec denies an RWX mmap. Some packages do compile successfully, but others (such as optparse- applicative) don't. Launching GHCi always results in a segfault. I've tried mounting /tmp as executable (as described eg. [http://stackoverflow.com/questions/6103510/ghc-cabal-install-hamlet- fails-with-an-obscure-error here]), but that didn't do anything. Here's the output of ghc when compiling the optparse-applicative package: {{{ Building optparse-applicative-0.13.0.0... Preprocessing library optparse-applicative-0.13.0.0... [ 1 of 15] Compiling Options.Applicative.Help.Pretty ( Options/Applicative/Help/Pretty.hs, dist/build/Options/Applicative/Help/Pretty.o ) [ 2 of 15] Compiling Options.Applicative.Help.Chunk ( Options/Applicative/Help/Chunk.hs, dist/build/Options/Applicative/Help/Chunk.o ) [ 3 of 15] Compiling Options.Applicative.Help.Types ( Options/Applicative/Help/Types.hs, dist/build/Options/Applicative/Help/Types.o ) [ 4 of 15] Compiling Options.Applicative.Types ( Options/Applicative/Types.hs, dist/build/Options/Applicative/Types.o ) [ 5 of 15] Compiling Options.Applicative.Internal ( Options/Applicative/Internal.hs, dist/build/Options/Applicative/Internal.o ) [ 6 of 15] Compiling Options.Applicative.Common ( Options/Applicative/Common.hs, dist/build/Options/Applicative/Common.o ) [ 7 of 15] Compiling Options.Applicative.Help.Core ( Options/Applicative/Help/Core.hs, dist/build/Options/Applicative/Help/Core.o ) ghc: mmap 131072 bytes at (nil): Operation not permitted ghc: Try specifying an address with +RTS -xm<addr> -RTS Segmentation fault (core dumped) }}} GrSec log in dmesg: {{{ [15873.000867] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/ghc-8.0.1/bin/ghc[ghc_worker:16494] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/cabal[cabal:16486] uid/euid:1000/1000 gid/egid:1000/1000 [15873.001018] ghc_worker[16494]: segfault at 0 ip 000003b6c3a7167f sp 000002b6c23d8e50 error 6 in libHSrts_thr-ghc8.0.1.so[3b6c3a4f000+62000] }}} And here's the one for ghci: {{{ $ ghci GHCi, version 8.0.1: http://www.haskell.org/ghc/ :? for help ghc: mmap 131072 bytes at (nil): Operation not permitted ghc: Try specifying an address with +RTS -xm<addr> -RTS Segmentation fault (core dumped) $ echo $? 139 }}} GrSec complained here with: {{{ [14756.354725] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/ghc-8.0.1/bin/ghc[ghc:15883] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xonsh[xonsh:15879] uid/euid:1000/1000 gid/egid:1000/1000 [14756.354875] ghc[15883]: segfault at 0 ip 00000379c0e0b67f sp 000003f0b7278ce0 error 6 in libHSrts_thr-ghc8.0.1.so[379c0de9000+62000] }}} -- -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/12657#comment:3 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault -------------------------------------+------------------------------------- Reporter: PoroCYon | Owner: Type: bug | Status: new Priority: normal | Milestone: Component: Runtime System | Version: 8.0.1 Resolution: | Keywords: grsec, pax, | mmap, rts Operating System: Linux | Architecture: x86_64 | (amd64) Type of failure: Runtime crash | Test Case: Blocked By: | Blocking: Related Tickets: | Differential Rev(s): Wiki Page: | -------------------------------------+------------------------------------- Comment (by rwbarton): Thanks for filing an issue. This was reported on IRC too (possibly by the same person?) Could you run one of these failing commands under gdb and provide the stack trace? (It will likely be short/strange but that's okay.) -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/12657#comment:4 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault -------------------------------------+------------------------------------- Reporter: PoroCYon | Owner: Type: bug | Status: new Priority: normal | Milestone: Component: Runtime System | Version: 8.0.1 Resolution: | Keywords: grsec, pax, | mmap, rts Operating System: Linux | Architecture: x86_64 | (amd64) Type of failure: Runtime crash | Test Case: Blocked By: | Blocking: Related Tickets: | Differential Rev(s): Wiki Page: | -------------------------------------+------------------------------------- Comment (by PoroCYon): Here's the backtrace of the compilation of hlint: {{{ poro@alphard:~ $ sudo coredumpctl gdb /usr/lib/ghc-8.0.1/bin/ghc PID: 6326 (ghc) UID: 1000 (poro) GID: 1000 (poro) Signal: 11 (SEGV) Command Line: /usr/lib/ghc-8.0.1/bin/ghc -B/usr/lib/ghc-8.0.1 --make -fbuilding-cabal-package -O -static -dynamic-too -dynosuf dyn_o -dynhisuf dyn_hi -outputdir .stack-work/dist/x86_64-linux/Cabal-1.24.0.0/build -odir .stack-work/dist/x86_64-linux/Cabal-1.24.0.0/build -hidir .stack- work/dist/x86_64-linux/Cabal-1.24.0.0/build -stubdir .stack- work/dist/x86_64-linux/Cabal-1.24.0.0/build -i -i.stack- work/dist/x86_64-linux/Cabal-1.24.0.0/build -isrc -i.stack- work/dist/x86_64-linux/Cabal-1.24.0.0/build/autogen -I.stack- work/dist/x86_64-linux/Cabal-1.24.0.0/build/autogen -I.stack- work/dist/x86_64-linux/Cabal-1.24.0.0/build -optP-include -optP.stack- work/dist/x86_64-linux/Cabal-1.24.0.0/build/autogen/cabal_macros.h -this- unit-id hlint-1.9.35-10UG0p2vPBnEAFpFKv6Oh -hide-all-packages -no-user- package-db -package-db /home/poro/.stack/snapshots/x86_64-linux/lts-7.0/8.0.1/pkgdb -package-db .stack-work/dist/x86_64-linux/Cabal-1.24.0.0/package.conf.inplace -package-id ansi-terminal-0.6.2.3-448ipfN5j28Ha0AgPiJmdI -package-id base-4.9.0.0 -package-id cmdargs-0.10.14-8WOlFWoK1XlCebTZE2edgd -package- id containers-0.5.7.1 -package-id cpphs-1.20.2-GpD5nXqQjzpAbSUhSdFgEv -package-id directory-1.2.6.2 -package-id extra-1.4.10-2LEZ2hBhlUuEhqffYmrH30 -package-id filepath-1.4.1.0 -package- id haskell-src-exts-1.17.1-CHFwoWxepXQKBbAz4YNlQX -package-id hscolour-1.24.1-H2EUF2muHY0JRKOYWigHLc -package-id process-1.4.2.0 -package-id refact-0.3.0.2-JBbxaqExt5tJMSfYCjPwkx -package-id transformers-0.5.2.0 -package-id uniplate-1.6.12-GlIXchq8eyU5fQlB5lQgci -XHaskell98 Language.Haskell.HLint Language.Haskell.HLint2 Language.Haskell.HLint3 Paths_hlint Apply CmdLine Grep HLint HsColour Idea Settings Report Util Parallel Refact HSE.All HSE.Bracket HSE.Evaluate HSE.FreeVars HSE.Match HSE.Scope HSE.Type HSE.Util Hint.All Hint.Bracket Hint.Comment Hint.Duplicate Hint.Extensions Hint.Import Hint.Lambda Hint.List Hint.ListRec Hint.Match Hint.Monad Hint.Naming Hint.Pattern Hint.Pragma Hint.Type Hint.Unsafe Hint.Util Test.All Test.Annotations Test.InputOutput Test.Proof Test.Translate Test.Util -ddump-hi -ddump-to- file <big snip> Core was generated by `/usr/lib/ghc-8.0.1/bin/ghc -B/usr/lib/ghc-8.0.1 --make -fbuilding-cabal-package'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000003295de4567f in initLinker_ () from /usr/lib/ghc-8.0.1/bin/../rts/libHSrts_thr-ghc8.0.1.so [Current thread is 1 (Thread 0x32968f52700 (LWP 6326))] (gdb) bt #0 0x000003295de4567f in initLinker_ () from /usr/lib/ghc-8.0.1/bin/../rts/libHSrts_thr-ghc8.0.1.so #1 0x0000032961baf4cd in ghcizm8zi0zi1_GHCiziRun_run1_info () from /usr/lib/ghc-8.0.1/bin/../ghci-8.0.1/libHSghci-8.0.1-ghc8.0.1.so #2 0x0000000000000000 in ?? () }}} I wasn't on IRC, I'm^H was only lurking on #idris at the time of reporting this issue (Idris does compile btw). -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/12657#comment:5 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault -------------------------------------+------------------------------------- Reporter: PoroCYon | Owner: Type: bug | Status: new Priority: normal | Milestone: Component: Runtime System | Version: 8.0.1 Resolution: | Keywords: grsec, pax, | mmap, rts Operating System: Linux | Architecture: x86_64 | (amd64) Type of failure: Runtime crash | Test Case: Blocked By: | Blocking: Related Tickets: | Differential Rev(s): Wiki Page: | -------------------------------------+------------------------------------- Comment (by simonmar): The linker should mmap RW during linking and them remap RX when linking is complete. I think the new m32 allocator will make things a more difficult though, because it maintains partial pages of linked code, and we can't remap one of those pages from RX to RW since it might already be in use. -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/12657#comment:6 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault -------------------------------------+------------------------------------- Reporter: PoroCYon | Owner: Type: bug | Status: new Priority: normal | Milestone: Component: Runtime System | Version: 8.0.1 Resolution: | Keywords: grsec, pax, | mmap, rts Operating System: Linux | Architecture: x86_64 | (amd64) Type of failure: Runtime crash | Test Case: Blocked By: | Blocking: Related Tickets: | Differential Rev(s): Wiki Page: | -------------------------------------+------------------------------------- Comment (by dobenour): simonmar: I feel like the only option may be to do eager binding, and to always allocate groups of whole pages for each linked object file. -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/12657#comment:7 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault -------------------------------------+------------------------------------- Reporter: PoroCYon | Owner: Type: bug | Status: new Priority: normal | Milestone: Component: Runtime System | Version: 8.0.1 Resolution: | Keywords: grsec, pax, | mmap, rts Operating System: Linux | Architecture: x86_64 | (amd64) Type of failure: Runtime crash | Test Case: Blocked By: | Blocking: Related Tickets: | Differential Rev(s): Wiki Page: | -------------------------------------+------------------------------------- Comment (by simonmar): I'm not sure why this has surfaced again, it's an old problem, see #738. I'm actually not sure how the linker worked with SELinux before, as far as I can tell it has always mmapped with RWX permissions. -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/12657#comment:8 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault -------------------------------------+------------------------------------- Reporter: PoroCYon | Owner: Type: bug | Status: new Priority: normal | Milestone: Component: Runtime System | Version: 8.0.1 Resolution: | Keywords: grsec, pax, | mmap, rts Operating System: Linux | Architecture: x86_64 | (amd64) Type of failure: Runtime crash | Test Case: Blocked By: | Blocking: Related Tickets: | Differential Rev(s): Wiki Page: | -------------------------------------+------------------------------------- Comment (by pumpkin): Replying to [comment:6 simonmar]:
The linker should mmap RW during linking and them remap RX when linking is complete. I think the new m32 allocator will make things a more difficult though, because it maintains partial pages of linked code, and we can't remap one of those pages from RX to RW since it might already be in use.
I think grsecurity tracks writability history as well, so it forbids a page from being executable that was ever writable (by a given process) -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/12657#comment:9 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
I think grsecurity tracks writability history as well, so it forbids a
#12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault -------------------------------------+------------------------------------- Reporter: PoroCYon | Owner: Type: bug | Status: new Priority: normal | Milestone: Component: Runtime System | Version: 8.0.1 Resolution: | Keywords: grsec, pax, | mmap, rts Operating System: Linux | Architecture: x86_64 | (amd64) Type of failure: Runtime crash | Test Case: Blocked By: | Blocking: Related Tickets: | Differential Rev(s): Wiki Page: | -------------------------------------+------------------------------------- Comment (by simonmar): page from being executable that was ever writable (by a given process) Then we should do whatever `ld.so` does, or `libffi`, both of which have to solve the same problem. -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/12657#comment:10 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#12657: GHC and GHCi: RWX mmap denied by GrSec, results in a segfault -------------------------------------+------------------------------------- Reporter: PoroCYon | Owner: Type: bug | Status: new Priority: normal | Milestone: Component: Runtime System | Version: 8.0.1 Resolution: | Keywords: grsec, pax, | mmap, rts Operating System: Linux | Architecture: x86_64 | (amd64) Type of failure: Runtime crash | Test Case: Blocked By: | Blocking: Related Tickets: | Differential Rev(s): Wiki Page: | -------------------------------------+------------------------------------- Comment (by rwbarton): I see this same error affecting libffi in python [http://www.gossamer- threads.com/lists/gentoo/hardened/288223 here], but then the discussion goes into a lot of PAX lingo that I don't understand. -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/12657#comment:11 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
participants (1)
-
GHC