Mailinglist Archive: opensuse-buildservice (124 mails)
[opensuse-buildservice] Re: [security-team] Do we have exec-shield as well as enabled during build?
- From: Marcus Meissner <meissner@xxxxxxx>
- Date: Fri, 11 Nov 2016 13:46:08 +0100
- Message-id: <20161111124608.GA23846@suse.de>
Hi Werner,
We do not have exec shield, but we might have other methods.
They are however not just enabled on AARCH64, you would see
similar issues on all architectures.
randomize_va_space we have, but it is effective for this issue
only if you build with PIE support enabled.
I think this specific issue is aarch64 architecture specific
and not related to kernel security features.
Ciao, Marcus
On Fri, Nov 11, 2016 at 08:53:11AM +0100, Dr. Werner Fink wrote:
Hi,
just seen such build messages on aarch64 for GNU Emacs:
[ 1604s] **************************************************
[ 1604s] Warning: Your system has a gap between BSS and the
[ 1604s] heap (418602288 bytes). This usually means that exec-shield[
1519.794139] pgd = ffff8001f2320000
[ 1604s]
[ 1604s] [ 1519.828659] [00949000] *pgd=0000000232181003,
*pud=000000022ec05003or something similar is in effect. The dump may,
*pmd=00000002330f4003, *pte=0000000000000000
[ 1604s]
[ 1604s] fail because of this. See the section about
[ 1604s] exec-shield in etc/PROBLEMS for more information.
and indeed on emacs-25.1/etc/PROBLEMS I read
| Another issue is that in Red Hat Linux kernels, Exec-shield is enabled by
| default, and this creates a different memory layout. Emacs should
| handle this at build time, but if this fails the following
| instructions may be useful. Exec-shield is enabled on your system if
|
| cat /proc/sys/kernel/exec-shield
|
| prints a nonzero value. You can temporarily disable it as follows:
|
| echo 0 > /proc/sys/kernel/exec-shield
similar for randomize_va_space:
| To work around the ASLR problem in either an older or a newer kernel,
| you can temporarily disable the feature while building Emacs. On
| GNU/Linux you can do so using the following command (as root).
|
| echo 0 > /proc/sys/kernel/randomize_va_space
|
| You can re-enable the feature when you are done, by echoing the
| original value back to the file.
|
| Alternatively, you can try using the 'setarch' command when building
| temacs like this, where -R disables address space randomization:
|
| setarch $(uname -m) -R make
That is, if we support exec-shield and/or randomize_va_space, I'd like to
be able to disable this in the build environment for GNU emacs as well as
e.g. for clisp and maybe other packages.
Werner
--
"Having a smoking section in a restaurant is like having
a peeing section in a swimming pool." -- Edward Burr
--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi.
3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@xxxxxxx>
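
An added example, not part of the original mails: a POSIX shell check for the condition discussed in this thread, reading a binary's ELF type to tell a PIE from a fixed-address executable and listing what each `kernel.randomize_va_space` value randomizes according to the kernel's sysctl documentation. The function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, sample use is at the bottom.

# elf_kind FILE -> "pie", "fixed" or "unknown", read from the ELF header.
# e_type ET_EXEC (2) is a fixed-address executable; ET_DYN (3) is a PIE
# executable (shared objects are ET_DYN as well).
elf_kind() {
    # First 18 bytes as decimals: 0-3 magic, 5 EI_DATA, 16-17 e_type.
    set -- $(od -An -v -tu1 -N18 "$1" 2>/dev/null)
    if [ $# -ne 18 ] || [ "$1 $2 $3 $4" != "127 69 76 70" ]; then
        echo unknown; return
    fi
    case $6 in
        1) etype=$(( ${17} + ${18} * 256 )) ;;   # little-endian
        2) etype=$(( ${17} * 256 + ${18} )) ;;   # big-endian
        *) echo unknown; return ;;
    esac
    case $etype in
        2) echo fixed ;;
        3) echo pie ;;
        *) echo unknown ;;
    esac
}

# aslr_regions VALUE KIND -> regions randomized for that binary, following
# the kernel's documented meaning of kernel.randomize_va_space (0, 1, 2).
aslr_regions() {
    case $1 in
        0) echo none; return ;;
        1) regions="stack mmap vdso" ;;
        2) regions="stack mmap vdso heap" ;;
        *) echo unknown; return ;;
    esac
    # The executable's own load address moves only when it is a PIE.
    if [ "$2" = pie ]; then regions="$regions image"; fi
    echo "$regions"
}

# Report for a binary given on the command line, e.g. a freshly built temacs.
if [ $# -ge 1 ]; then
    value=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unknown)
    kind=$(elf_kind "$1")
    echo "randomize_va_space=$value binary=$kind randomized: $(aslr_regions "$value" "$kind")"
fi
```

The sysctl is system-wide; a process started with `setarch -R`, as in the quoted PROBLEMS text, runs without randomization whatever value the script reads.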