Mailinglist Archive: opensuse-buildservice (124 mails)

< Previous Next >
[opensuse-buildservice] Re: [security-team] Do we have exec-shield as well as enabled during build?
Hi Werner,

We do not have exec shield, but we might have other methods.

They are however not just enabled on AARCH64, you would see
similar issues on all architectures.

randomize_va_space we have, but it is effective for this issue
only if you build with PIE support enabled.

I think this specific issue is aarch64 architecture specific
and not related to kernel security features.

Ciao, Marcus
On Fri, Nov 11, 2016 at 08:53:11AM +0100, Dr. Werner Fink wrote:

just seen such build messages on aarch64 for GNU Emacs:

[ 1604s] **************************************************
[ 1604s] Warning: Your system has a gap between BSS and the
[ 1604s] heap (418602288 bytes). This usually means that exec-shield[
1519.794139] pgd = ffff8001f2320000
[ 1604s]
[ 1604s] [ 1519.828659] [00949000] *pgd=0000000232181003,
*pud=000000022ec05003or something similar is in effect. The dump may,
*pmd=00000002330f4003, *pte=0000000000000000
[ 1604s]
[ 1604s] fail because of this. See the section about
[ 1604s] exec-shield in etc/PROBLEMS for more information.

and indeed on emacs-25.1/etc/PROBLEMS I read

| Another issue is that in Red Hat Linux kernels, Exec-shield is enabled by
| default, and this creates a different memory layout. Emacs should
| handle this at build time, but if this fails the following
| instructions may be useful. Exec-shield is enabled on your system if
| cat /proc/sys/kernel/exec-shield
|prints a nonzero value. You can temporarily disable it as follows:
| echo 0 > /proc/sys/kernel/exec-shield

similar for randomize_va_space:

| To work around the ASLR problem in either an older or a newer kernel,
| you can temporarily disable the feature while building Emacs. On
| GNU/Linux you can do so using the following command (as root).
| echo 0 > /proc/sys/kernel/randomize_va_space
| You can re-enable the feature when you are done, by echoing the
| original value back to the file.
| Alternatively, you can try using the 'setarch' command when building
| temacs like this, where -R disables address space randomization:
| setarch $(uname -m) -R make

That is if we support exec-shield and/or randomize_va_space I'd like to
be able to disable this in the build environment for GNU emacs as well as
e.g. for clisp and maybe other packages.


"Having a smoking section in a restaurant is like having
a peeing section in a swimming pool." -- Edward Burr

Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi.
3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@xxxxxxx>
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >