http://bugzilla.opensuse.org/show_bug.cgi?id=997239

Bug ID: 997239
Summary: p11-kit-trust.so tries to use mmap with write+exec
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: lnussel@suse.com
Reporter: mrueckert@suse.com
QA Contact: qa-bugs@suse.de
CC: dsterba@suse.com
Found By: ---
Blocker: ---

When p11-kit tries to load the p11-kit-trust.so we run into the following code:

```
1623 mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3834e70b000
```

This gets killed by the grsec kernel with:

```
8097.931220] PAX: From 127.0.0.1: execution attempt in: <anonymous mapping>, 3532a352000-3532a354000 3532a352000
[ 8097.931223] PAX: terminating task: /usr/bin/pdnsutil(pdnsutil):23868, uid/euid: 0/0, PC: 000003532a352010, SP: 000003ab64903928
[ 8097.931224] PAX: bytes at PC: 4c 8d 15 f9 ff ff ff ff 25 03 00 00 00 0f 1f 00 68 b1 25 27
[ 8097.931230] PAX: bytes at SP-8: 000000472c954320 0000035328ba3ef2 0000000000000000 0000000000000000 000000472c954320 000000472c954320 000003ab649039d0 000003ab649039e0 000003ab64903bf0 000003ab64903bd8 0000000000000002
```

Moving /usr/share/p11-kit/modules/p11-kit-trust.module away "solves" the issue, as the module is no longer loaded.

During the discussion with the maintainer of the PKCS#11 part in PowerDNS, he mentioned that in the future systemd will have a DenyWriteExec option to deny WRITE+EXEC pages there as well. So the grsec kernel will not be the only way to trigger this bug.

Complete strace is available if needed.

kernel-grsec-guest-kvm-4.7.2-2.1
obs://build.opensuse.org/home:dsterba:grsecurity/openSUSE_Tumbleweed/68ce05d9439e32ada1b1151bf6f9b7e8-kernel-grsec-guest-kvm
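
A triage helper for the kind of strace mentioned in the report, added here as an example and not part of the original bug report or of p11-kit: it lists every mmap/mprotect-family call that requests PROT_WRITE and PROT_EXEC together, so the offending call can be located in a full trace. It assumes plain `strace -f` output in which a leading number is the PID column; `find_wx_requests`, `is_wx` and every sample line except the first are constructed for illustration.

```python
import re

# Syscalls whose third argument is the requested protection mask.
PROT_SYSCALLS = {"mmap", "mmap2", "mprotect", "pkey_mprotect"}

# Optional PID prefix ("1623 " with -f -o FILE, "[pid 1623] " on a terminal),
# then call(args) = result, or an "<unfinished ...>" marker instead of a result.
LINE_RE = re.compile(
    r"^(?:\[pid\s+(?P<pid1>\d+)\]\s+|(?P<pid2>\d+)\s+)?"
    r"(?P<call>\w+)\((?P<args>.*?)"
    r"(?:\)\s*=\s*(?P<ret>.+?)|\s*<unfinished \.\.\.>)\s*$"
)

def is_wx(prot):
    """True if a protection argument asks for write and execute together."""
    if {"PROT_WRITE", "PROT_EXEC"} <= set(prot.split("|")):
        return True
    try:  # strace -X raw prints the mask as a number
        return (int(prot, 0) & 0x6) == 0x6  # PROT_WRITE=0x2, PROT_EXEC=0x4 (Linux)
    except ValueError:
        return False

def find_wx_requests(strace_text):
    """Return one record per mmap/mprotect call that requests W+X pages."""
    findings = []
    for lineno, line in enumerate(strace_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m or m.group("call") not in PROT_SYSCALLS:
            continue
        args = [a.strip() for a in m.group("args").split(",")]
        # Flag on what was requested, not on the result: the call in the
        # report returned an address and the task was killed afterwards.
        if len(args) >= 3 and is_wx(args[2]):
            findings.append({"line": lineno,
                             "pid": m.group("pid1") or m.group("pid2"),
                             "call": m.group("call"),
                             "result": m.group("ret")})
    return findings

# First line is the call quoted in the report; the rest are constructed.
SAMPLE = """\
1623 mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3834e70b000
1623 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3834e709000
1623 mprotect(0x3834e709000, 4096, PROT_READ|PROT_EXEC) = 0
[pid  1700] mprotect(0x3834e600000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = -1 EACCES (Permission denied)
1623 mmap(NULL, 4096, 0x7, 0x22, -1, 0) = 0x3834e70c000
"""

if __name__ == "__main__":
    for finding in find_wx_requests(SAMPLE):
        print(finding)
```
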