GNU bug report logs - #23371
emacs: paxctl usage on NetBSD

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 23371 in the body.
You can then email your comments to 23371 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Thomas Klausner <wiz <at> NetBSD.org>
To: submit <at> debbugs.gnu.org
Subject: emacs: paxctl usage on NetBSD
Date: Mon, 25 Apr 2016 14:09:44 +0200

Package: emacs
Version: 25.1.50

emacs is using paxctl during the build, in two ways:
"paxctl -zex file" and "paxctl -r file"

However, the NetBSD version of paxctl has a different usage, e.g.
"paxctl +a file" would turn off ASLR. For more details, see
http://netbsd.gw.com/cgi-bin/man-cgi?paxctl++NetBSD-current

When I replace 'paxctl -zex' with 'paxctl +a' in src/Makefile.in, the
build succeeds.
 Thomas

Message #10 received at 23371 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Thomas Klausner <wiz <at> NetBSD.org>
Cc: 23371 <at> debbugs.gnu.org
Subject: Re: emacs: paxctl usage on NetBSD
Date: Mon, 25 Apr 2016 17:09:56 -0700

[Message part 1 (text/plain, inline)]

> When I replace 'paxctl -zex' with 'paxctl +a' in src/Makefile.in, the
> build succeeds.

Did you do something other than just that replacement? configure.ac says 
that paxctl is used only when the operating system is GNU/Linux, unless 
one manually configures by setting PAXCTL in the environment or using a 
PAXCTL=/some/path argument to 'configure'.


Does the attached patch to the emacs-25 branch work for you?

[0001-Port-dumping-to-NetBSD-with-PaX.patch (application/x-patch, attachment)]

Message #15 received at 23371 <at> debbugs.gnu.org (full text, mbox):

From: Thomas Klausner <wiz <at> NetBSD.org>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: 23371 <at> debbugs.gnu.org
Subject: Re: emacs: paxctl usage on NetBSD
Date: Wed, 27 Apr 2016 17:54:42 +0200

[Message part 1 (text/plain, inline)]

Hi Paul!

Thanks for the fast reply!

On Mon, Apr 25, 2016 at 05:09:56PM -0700, Paul Eggert wrote:
> >When I replace 'paxctl -zex' with 'paxctl +a' in src/Makefile.in, the
> >build succeeds.
> 
> Did you do something other than just that replacement?

No.

> configure.ac says
> that paxctl is used only when the operating system is GNU/Linux, unless one
> manually configures by setting PAXCTL in the environment or using a
> PAXCTL=/some/path argument to 'configure'.

That's true, but src/Makefile.in ignores that:
PAXCTL_if_present = $(or $(PAXCTL),: paxctl)

> Does the attached patch to the emacs-25 branch work for you?

I've modified it to apply to git head but it didn't work:

Finding pointers to doc strings...
Finding pointers to doc strings...done
Loading /scratch/wip/emacs-current/work/emacs/lisp/site-init.el (source)...
Dumping under the name emacs
18932704 of 33554432 static heap bytes used
91843 pure bytes used
/usr/sbin/paxctl +a emacs
mv -f emacs bootstrap-emacs
/usr/sbin/paxctl +a bootstrap-emacs
/usr/pkg/bin/gmake -C ../lisp compile-first EMACS="../src/bootstrap-emacs"
gmake[3]: Entering directory '/scratch/wip/emacs-current/work/emacs/lisp'
  ELC      emacs-lisp/macroexp.elc
Memory fault (core dumped)
Makefile:282: recipe for target 'emacs-lisp/macroexp.elc' failed



My version is attached (I added some more paxctl's for the symlinks
when the original version didn't work.) I hope I didn't break it.

 Thomas

[patch-configure.ac (text/plain, attachment)]

[patch-src_Makefile.in (text/plain, attachment)]

Message #18 received at 23371 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Thomas Klausner <wiz <at> NetBSD.org>
Cc: 23371 <at> debbugs.gnu.org
Subject: Re: emacs: paxctl usage on NetBSD
Date: Wed, 27 Apr 2016 12:38:53 -0700

On 04/27/2016 08:54 AM, Thomas Klausner wrote:
>> configure.ac says
>> that paxctl is used only when the operating system is GNU/Linux, unless one
>> manually configures by setting PAXCTL in the environment or using a
>> PAXCTL=/some/path argument to 'configure'.
> That's true, but src/Makefile.in ignores that:
> PAXCTL_if_present = $(or $(PAXCTL),: paxctl)

I guess I'm still not following. On non-GNU/Linux hosts, $(PAXCTL) 
should be empty because paxctl is not searched for, so PAXCTL_if_present 
should be ': paxctl', i.e., a no-op shell command. And yet you reported 
that your build used 'paxctl -zex' and 'paxctl -r'. Perhaps your build 
was actually using the no-ops ': paxctl -zex' and ': paxctl -r' and you 
didn't notice the colons? That is, perhaps you replaced ': paxctl -zex' 
(with a prefix colon) with 'paxctl +a' (without the colon)?

>
> My version is attached (I added some more paxctl's for the symlinks
> when the original version didn't work.) I hope I didn't break it.

Did it work with your version?

If so, does 'ln' and/or 'mv' remove the mark placed on an executable by 
'paxctl +a'? and if that happens, how does 'make install' avoid removing 
the mark in the installed Emacs?

If not, then I'm afraid I'm lost.

Also, I noticed that you removed the indenting on some of the 'ifeq' 
lines in src/Makefile.in; why was that necessary?

Message #21 received at 23371 <at> debbugs.gnu.org (full text, mbox):

From: Thomas Klausner <wiz <at> NetBSD.org>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: 23371 <at> debbugs.gnu.org
Subject: Re: emacs: paxctl usage on NetBSD
Date: Thu, 28 Apr 2016 00:50:37 +0200

[Message part 1 (text/plain, inline)]

On Wed, Apr 27, 2016 at 12:38:53PM -0700, Paul Eggert wrote:
> On 04/27/2016 08:54 AM, Thomas Klausner wrote:
> >>configure.ac says
> >>that paxctl is used only when the operating system is GNU/Linux, unless one
> >>manually configures by setting PAXCTL in the environment or using a
> >>PAXCTL=/some/path argument to 'configure'.
> >That's true, but src/Makefile.in ignores that:
> >PAXCTL_if_present = $(or $(PAXCTL),: paxctl)
> 
> I guess I'm still not following. On non-GNU/Linux hosts, $(PAXCTL) should be
> empty because paxctl is not searched for, so PAXCTL_if_present should be ':
> paxctl', i.e., a no-op shell command. And yet you reported that your build
> used 'paxctl -zex' and 'paxctl -r'. Perhaps your build was actually using
> the no-ops ': paxctl -zex' and ': paxctl -r' and you didn't notice the
> colons? That is, perhaps you replaced ': paxctl -zex' (with a prefix colon)
> with 'paxctl +a' (without the colon)?

You're right, I didn't do exactly what I described.

The build system as-is does not use paxctl on NetBSD, so this breaks
when ASLR is enabled. I run the following sed expressions on
src/Makefile.in:

's,$$(PAXCTL_if_present) -zex,/usr/sbin/paxctl +a,g'
's,$$(PAXCTL_if_present) -r,/usr/sbin/paxctl +a,g'

> >My version is attached (I added some more paxctl's for the symlinks
> >when the original version didn't work.) I hope I didn't break it.
> 
> Did it work with your version?

No, I just posted it so you can see what I did.

> If so, does 'ln' and/or 'mv' remove the mark placed on an executable by
> 'paxctl +a'? and if that happens, how does 'make install' avoid removing the
> mark in the installed Emacs?
> 
> If not, then I'm afraid I'm lost.

All of cp, mv, and ln keep the paxctl settings:

# paxctl a
PaX flags:
  a: ASLR, explicit disable
# cp a b
# paxctl b
PaX flags:
  a: ASLR, explicit disable
# ln b c
# paxctl c
PaX flags:
  a: ASLR, explicit disable
# mv c d
# paxctl d
PaX flags:
  a: ASLR, explicit disable

I wasn't sure of that, so I added the extra ones, since it wasn't
working. It's not necessary, so I removed it again.

> Also, I noticed that you removed the indenting on some of the 'ifeq' lines
> in src/Makefile.in; why was that necessary?

Because the patch didn't apply cleanly, I had to manually apply it,
and I didn't indent it correctly, sorry.

So perhaps there is a different problem and paxctl is not properly
detected or applied even with your patch. Let's look more closely:

PAXCTL_dumped value:

work/emacs/config.log:PAXCTL_dumped='$(PAXCTL) +a'
work/emacs/lib/Makefile:PAXCTL_dumped = $(PAXCTL) +a
work/emacs/src/Makefile:PAXCTL_dumped = $(PAXCTL) +a

PAXCTL itself:

work/emacs/config.log:PAXCTL='/usr/sbin/paxctl'
work/emacs/lib/Makefile:PAXCTL = /usr/sbin/paxctl
work/emacs/src/Makefile:PAXCTL = /usr/sbin/paxctl

But PAXCTL_notdumped is empty.
work/emacs/config.status:S["PAXCTL_notdumped"]=""
work/emacs/lib/Makefile:PAXCTL_notdumped =
work/emacs/src/Makefile:PAXCTL_notdumped = 

On Linux this uses paxctl -r, which, according to
http://man.he.net/man1/paxctl is:

       -r     do not randomize memory regions (NORANDMMAP)

While on NetBSD, +a does:

     a     Explicitly disable PaX ASLR (Address Space Layout Randomization)
           for program.

So perhaps notdumped also needs to call paxctl +a, like my sed
expressions do.

(later)

Yes, that's it. I've defined PAXCTL_notdumped to the same value as
PAXCTL_dumped and emacs builds fine now -- basically, one additional
line to configure.ac in the netbsd case.

I'll attach my patches again, just to make it absolutely clear.

Thanks,
 Thomas

[patch-configure.ac (text/plain, attachment)]

[patch-src_Makefile.in (text/plain, attachment)]

Message #26 received at 23371-done <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Thomas Klausner <wiz <at> NetBSD.org>
Cc: 23371-done <at> debbugs.gnu.org
Subject: Re: emacs: paxctl usage on NetBSD
Date: Wed, 27 Apr 2016 16:08:42 -0700

On 04/27/2016 03:50 PM, Thomas Klausner wrote:
> Yes, that's it. I've defined PAXCTL_notdumped to the same value as
> PAXCTL_dumped and emacs builds fine now -- basically, one additional
> line to configure.ac in the netbsd case.

Thanks, I installed a patch along those lines into the emacs-25 branch.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.