Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Packages crashing on -current


mprotect (and ASLR) are security measures that not all pkgsrc packages
can survive, so some packages had NOT_PAX_MPROTECT_SAFE set for some
binaries, to disable it.

However the condition for using NOT_PAX_MPROTECT_SAFE was incorrectly
only done for NetBSD/amd64.

The outcome should've been things like (only on -current, stable is
unaffected as it doesn't have pax mprotect enabled):
- Firefox crashes
- Libreoffice segfaults during build

You can test if mprotect is disabled e.g. for firefox using file:
> file /usr/pkg/lib/firefox/firefox
/usr/pkg/lib/firefox/firefox: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /usr/libexec/ld.elf_so, for NetBSD 7.99.65, PaX: -mprotect, BuildID[sha1]=577897fd2966e904de0c47df56c5af86b3d9312b, stripped

Noteworthy part: PaX: -mprotect

Newly built packages will disable it on a per-file basis (now not only
on amd64), but unfortunately there are many files to adjust.
If you just want it fixed now, a quick workaround is disabling mprotect
  # sysctl -w security.pax.mprotect.enabled=0

You can disable it on a per-file basis, which is what all new packages
will do now, using:
  # paxctl +m /path/to/binary

Home | Main Index | Thread Index | Old Index