classification
Title: PaX triggers a segfault in dlopen
Type: security
Stage:
Components:
Versions: 3rd party
process
Status: closed
Resolution: not a bug
Dependencies:
Superseder:
Assigned To:
Nosy List: Trundle, breun, jcea, neologix, pitrou, terry.reedy
Priority: normal
Keywords:

Created on 2011-04-23 23:39 by breun, last changed 2011-05-01 09:11 by neologix. This issue is now closed.

Messages (10)
msg134314 - (view) Author: Nils Breunese (breun) Date: 2011-04-23 23:39
When I try to run iotop [0] on CentOS 5.6 on a kernel with grsecurity [1], iotop won't start because grsecurity is blocking Python because of its use of the mprotect() system call.

Please see http://www.atomicorp.com/wiki/index.php/ASL_FAQ#grsec:_denied_RWX_mprotect for more information. The authors of this hardened Linux kernel suggested filing a bug with Python because using mprotect() is apparently a very bad thing to do.

[0] http://guichaz.free.fr/iotop/
[1] http://grsecurity.net/
msg134315 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-04-23 23:48
Where have you seen that Python is calling mprotect()? There's no sign of it in the whole source tree.
msg134316 - (view) Author: Nils Breunese (breun) Date: 2011-04-24 00:00
I got this error message in /var/log/messages when trying to start iotop:

----
Apr 13 08:49:37 hostname kernel: grsec: From xxx.xxx.xxx.xxx: denied RWX mprotect of /lib64/ld-2.5.so by /usr/bin/iotop[iotop:9836] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:9351] uid/euid:0/0 gid/egid:0/0
Apr 13 08:49:37 hostname kernel: iotop[9836]: segfault at 6248c405dda0 ip 00006248c3e489ec sp 00007fffa52e8410 error 7 in ld-2.5.so[6248c3e42000+1c000]
----

/usr/bin/iotop is a Python script and according to that log message grsecurity detected a call to mprotect().
msg134317 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-04-24 00:20
> /usr/bin/iotop is a Python script and according to that log message
> grsecurity detected a call to mprotect().

Well, does Python itself run ok? That Python script could use
third-party extension modules which issue the offending mprotect() call.
msg134318 - (view) Author: Nils Breunese (breun) Date: 2011-04-24 00:25
I haven't had any problems with other Python applications like this, Python seems fine otherwise.

I just noticed that iotop has a dependency on python-ctypes, which sounds like it could be iotop doing the mprotect() calls via ctypes. Does that make sense?
msg134320 - (view) Author: Andreas Stührk (Trundle) * Date: 2011-04-24 01:10
glibc's `dlopen()` can call `mprotect()`, which is used for loading C extensions.
msg134329 - (view) Author: Charles-François Natali (neologix) * (Python committer) Date: 2011-04-24 10:25
PaX doesn't block mprotect in itself, but prevents pages from being both writable and executable.
Andreas's right, it's probably due to a dlopen of an object requiring executable stack via ctypes.
So you should report this to iotop's developers. In the meantime, you could use "paxctl -m /usr/bin/python".
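
One way to test the diagnosis above (a dlopen()ed object that requests an executable stack): this is an added example, not part of the original thread and not code from CPython, iotop or PaX. It reads an ELF file's PT_GNU_STACK program header and reports whether the object asks for an executable stack. The names `gnu_stack_status` and `sample_elf64` and the sample image are constructed for illustration.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type that carries the stack permissions
PF_X = 0x1                 # "executable" bit in p_flags


def gnu_stack_status(data):
    """Return 'exec', 'noexec', 'missing' (no PT_GNU_STACK, traditionally
    treated like an executable-stack request) or 'not-elf'."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not-elf"
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    if is64 and len(data) < 64:
        return "not-elf"
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_at = 4                    # p_flags follows p_type in ELF64
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_at = 24                   # p_flags is the 7th word in ELF32
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + flags_at + 4 > len(data):
            break                       # truncated program header table
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, base + flags_at)
            return "exec" if p_flags & PF_X else "noexec"
    return "missing"


def sample_elf64(stack_flags=None):
    """Constructed image: ELF64 LE header, a PT_LOAD and an optional PT_GNU_STACK."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0)]  # PT_LOAD, R+X
    if stack_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0))
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    # Pass the shared objects to inspect as arguments; the paths are the caller's own.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(gnu_stack_status(fh.read(1 << 16)), path)
```

Run it over the shared objects the failing script loads; a file reported as `exec` or `missing` is a candidate for the denied RWX mprotect() in the grsec log.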
msg134373 - (view) Author: Nils Breunese (breun) Date: 2011-04-25 07:47
I contacted the author of iotop and he told me iotop does not use mprotect (but it does use dlopen).

Guess I'll have to do some more digging to find what exactly is doing the call to mprotect.
msg134814 - (view) Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2011-04-29 21:40
Is there any reason not to close this as a CPython issue?
msg134903 - (view) Author: Charles-François Natali (neologix) * (Python committer) Date: 2011-05-01 09:11
> Is there any reason not to close this as a CPython issue? 

No, it's definitely not a CPython issue. I'm closing as invalid.
History
Date User Action Args
2011-05-01 09:11:58 neologix set status: open -> closed; resolution: not a bug; messages: + msg134903; title: Python shouldn't use the mprotect() system call -> PaX triggers a segfault in dlopen
2011-04-29 21:40:01 terry.reedy set nosy: + terry.reedy; messages: + msg134814
2011-04-25 07:47:38 breun set messages: + msg134373
2011-04-25 02:22:57 jcea set nosy: + jcea
2011-04-24 10:25:30 neologix set messages: + msg134329
2011-04-24 01:10:56 Trundle set nosy: + Trundle; messages: + msg134320
2011-04-24 00:25:41 breun set messages: + msg134318
2011-04-24 00:20:13 pitrou set messages: + msg134317
2011-04-24 00:00:35 breun set messages: + msg134316
2011-04-23 23:48:09 pitrou set nosy: + neologix, pitrou; messages: + msg134315
2011-04-23 23:39:44 breun create