Bug ID 997239
Summary p11-kit-trust.so tries to use mmap with write+exec
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Basesystem
Assignee lnussel@suse.com
Reporter mrueckert@suse.com
QA Contact qa-bugs@suse.de
CC dsterba@suse.com
Found By ---
Blocker ---

When p11-kit tries to load the p11-kit-trust.so we run into the following code:

```
1623  mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3834e70b000
```

This gets killed by the grsec kernel with:

```
[ 8097.931220] PAX: From 127.0.0.1: execution attempt in: <anonymous mapping>, 3532a352000-3532a354000 3532a352000
[ 8097.931223] PAX: terminating task: /usr/bin/pdnsutil(pdnsutil):23868, uid/euid: 0/0, PC: 000003532a352010, SP: 000003ab64903928
[ 8097.931224] PAX: bytes at PC: 4c 8d 15 f9 ff ff ff ff 25 03 00 00 00 0f 1f 00 68 b1 25 27
[ 8097.931230] PAX: bytes at SP-8: 000000472c954320 0000035328ba3ef2 0000000000000000 0000000000000000 000000472c954320 000000472c954320 000003ab649039d0 000003ab649039e0 000003ab64903bf0 000003ab64903bd8 0000000000000002
```

Moving /usr/share/p11-kit/modules/p11-kit-trust.module away "solves" the
issue, as the module is no longer loaded. During the discussion with the
maintainer of the PKCS#11 part in PowerDNS, he mentioned that in the future
systemd will have a DenyWriteExec option to deny WRITE+EXEC pages there as
well, so the grsec kernel will not be the only way to trigger this bug.

Complete strace is available if needed.

kernel-grsec-guest-kvm-4.7.2-2.1
obs://build.opensuse.org/home:dsterba:grsecurity/openSUSE_Tumbleweed/68ce05d9439e32ada1b1151bf6f9b7e8-kernel-grsec-guest-kvm
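
Added example, not part of the original report: a Python scan over strace output that lists every mmap/mprotect call requesting PROT_WRITE and PROT_EXEC together, the pattern this report identifies. It keys on the requested flags rather than the return value, since the mmap quoted above returned an address and the task was only terminated later; all sample lines except the first are constructed, and the function and field names are this example's own.

```python
import re

# Constructed sample: line 1 is the mmap call quoted in the report (rejoined
# onto one line); the remaining lines are made up for contrast.
SAMPLE_STRACE = """\
1623  mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3834e70b000
1623  mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3834e70d000
1623  mprotect(0x3834e70d000, 4096, PROT_READ|PROT_EXEC) = 0
1624  mprotect(0x3834e710000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = -1 EACCES (Permission denied)
"""

# Optional PID column ("1623  " or "[pid 1623] "), syscall, arguments, result.
CALL_RE = re.compile(
    r"^(?:\[pid\s+(?P<pid1>\d+)\]\s+|(?P<pid2>\d+)\s+)?"
    r"(?P<call>mmap2?|mprotect|pkey_mprotect)\((?P<args>.*)\)\s+=\s+(?P<ret>.+)$"
)
PROT_INDEX = 2  # the protection flags are the third argument of all four calls


def find_wx_requests(strace_text):
    """Return one dict per call that asks for PROT_WRITE and PROT_EXEC together."""
    hits = []
    for lineno, line in enumerate(strace_text.splitlines(), 1):
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # other syscalls, signals, unfinished/resumed fragments
        args = [a.strip() for a in m.group("args").split(",")]
        if len(args) <= PROT_INDEX:
            continue
        prot = set(args[PROT_INDEX].split("|"))
        if {"PROT_WRITE", "PROT_EXEC"} <= prot:
            ret = m.group("ret").strip()
            hits.append({
                "line": lineno,
                "pid": m.group("pid1") or m.group("pid2"),
                "call": m.group("call"),
                "prot": args[PROT_INDEX],
                "failed": ret.startswith("-1"),  # syscall itself was refused
                "result": ret,
            })
    return hits


if __name__ == "__main__":
    for hit in find_wx_requests(SAMPLE_STRACE):
        state = "refused" if hit["failed"] else "returned " + hit["result"]
        print(f'line {hit["line"]} pid {hit["pid"]}: {hit["call"]} {hit["prot"]} ({state})')
```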

