Re: ruby and NOT_PAX_MPROTECT_SAFE (was: CVS commit: pkgsrc/lang)

To: Leonardo Taccari <leot%NetBSD.org@localhost>
Subject: Re: ruby and NOT_PAX_MPROTECT_SAFE (was: CVS commit: pkgsrc/lang)
From: Ryo ONODERA <ryo%tetera.org@localhost>
Date: Thu, 03 Oct 2019 16:59:07 +0900

Hi,

Leonardo Taccari <leot%NetBSD.org@localhost> writes:

> Hello Ryo,
>
> Ryo ONODERA writes:
>> [...]
>> Log Message:
>> Ruby binary is not PaX mprotect safe in devel/ruby-ffi and www/ruby-sassc case
>> [...]
>
> Can you please elaborate further why it's needed?  Couldn't be ruby-ffi
> and/or ruby-sassc adjusted instead?
>
> (I have hit that too when packaging wip/ruby-travis that IIRC has a
> dependency that needs ruby-ffi... but why, e.g. python and/or py-cffi
> doesn't need an interpreter that is marked PaX mprotect unsafe?)

My test program is here:

$ cat test.rb
require "sassc"

This program failed with the following error:

$ ruby26 ./test.rb
Traceback (most recent call last):
        2: from test.rb:1:in `<main>'
        1: from /usr/pkg/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
/usr/pkg/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require': cannot load such file -- sassc (LoadError)
        15: from test.rb:1:in `<main>'
        14: from /usr/pkg/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:34:in `require'
        13: from /usr/pkg/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:130:in `rescue in require'
        12: from /usr/pkg/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:130:in `require'
        11: from /usr/pkg/lib/ruby/gems/2.6.0/gems/sassc-2.2.1/lib/sassc.rb:31:in `<top (required)>'
        10: from /usr/pkg/lib/ruby/gems/2.6.0/gems/sassc-2.2.1/lib/sassc.rb:31:in `require_relative'
         9: from /usr/pkg/lib/ruby/gems/2.6.0/gems/sassc-2.2.1/lib/sassc/native.rb:5:in `<top (required)>'
         8: from /usr/pkg/lib/ruby/gems/2.6.0/gems/sassc-2.2.1/lib/sassc/native.rb:6:in `<module:SassC>'
         7: from /usr/pkg/lib/ruby/gems/2.6.0/gems/sassc-2.2.1/lib/sassc/native.rb:37:in `<module:Native>'
         6: from /usr/pkg/lib/ruby/gems/2.6.0/gems/sassc-2.2.1/lib/sassc/native.rb:37:in `require_relative'
         5: from /usr/pkg/lib/ruby/gems/2.6.0/gems/sassc-2.2.1/lib/sassc/native/lib_c.rb:3:in `<top (required)>'
         4: from /usr/pkg/lib/ruby/gems/2.6.0/gems/sassc-2.2.1/lib/sassc/native/lib_c.rb:4:in `<module:SassC>'
         3: from /usr/pkg/lib/ruby/gems/2.6.0/gems/sassc-2.2.1/lib/sassc/native/lib_c.rb:5:in `<module:Native>'
         2: from /usr/pkg/lib/ruby/gems/2.6.0/gems/sassc-2.2.1/lib/sassc/native/lib_c.rb:10:in `<module:LibC>'
         1: from /usr/pkg/lib/ruby/gems/2.6.0/gems/ffi-1.10.0/lib/ffi/library.rb:275:in `attach_function'
/usr/pkg/lib/ruby/gems/2.6.0/gems/ffi-1.10.0/lib/ffi/library.rb:275:in `attach': unhandled exception

And an output of ktrace(1) is here:
(snip)
  9843      1 ruby26   CALL  close(7)
  9843      1 ruby26   RET   close 0
  9843      1 ruby26   CALL  __sigprocmask14(3,0x7f7fff47c0f0,0)
  9843      1 ruby26   RET   __sigprocmask14 0
  9843      1 ruby26   CALL  mmap(0,0x1000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,A
NONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
  9843      1 ruby26   RET   mmap 123564063199232/0x706180181000
  9843      1 ruby26   CALL  mprotect(0x706180181000,0x1000,PROT_READ|PROT_EXEC)
  9843      1 ruby26   RET   mprotect -1 errno 13 Permission denied
  9843      1 ruby26   CALL  munmap(0x706180181000,0x1000)
  9843      1 ruby26   RET   munmap 0
  9843      1 ruby26   CALL  ioctl(2,TIOCGETA,0x7f7fff47e2c0)
  9843      1 ruby26   GIO   fd 2 read 44 bytes
(snip)


I suspected two ffi_c.so of devel/ruby-ffi
and two libsass.so of www/ruby-sassc.
I marked these four .so files with paxctl +m.
However it had no good effect and I got the same output of ktrace(1).
And I cannot find any ffi_c.so string in th output of ktrace(1).

www/ruby-sassc uses malloc(3) via devel/ruby-ffi.
And I suspected this is problematic.
However I cannot resolve my error with applying paxctl +m to .so files.
I have concluded that ruby binaries are not PaX mprotect safe.

And I have no idea about Python case, however I think that all ruby-ffi
or py-cffi consumers may not hit the same errors.

In wip/ruby-travis case, it seems that wip/ruby-ethon uses
devel/ruby-ffi and wip/ruby-ethon uses getdtablesize(3) and free(3)
via devel/ruby-ffi.
I have no idea about wip/ruby-ethon case sadly.

Thank you.

-- 
Ryo ONODERA // ryo%tetera.org@localhost
PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB  FD1B F404 27FA C7D1 15F3

Follow-Ups:
- Re: ruby and NOT_PAX_MPROTECT_SAFE (was: CVS commit: pkgsrc/lang)
  - From: Joerg Sonnenberger

References:
- CVS commit: pkgsrc/lang
  - From: Ryo ONODERA
- ruby and NOT_PAX_MPROTECT_SAFE (was: CVS commit: pkgsrc/lang)
  - From: Leonardo Taccari

Prev by Date: CVS commit: pkgsrc/sysutils/u-boot-odroid-c2
Next by Date: CVS commit: pkgsrc/devel/cmake
Previous by Thread: ruby and NOT_PAX_MPROTECT_SAFE (was: CVS commit: pkgsrc/lang)
Next by Thread: Re: ruby and NOT_PAX_MPROTECT_SAFE (was: CVS commit: pkgsrc/lang)
Indexes:

Home | Main Index | Thread Index | Old Index