Bug 241960

Summary:

ASLR impacted ports

Product:

Ports & Packages

Reporter:

dewayne

Component:

Individual Port(s)

Assignee:

Cy Schubert <cy>

Status:

Closed DUPLICATE

Severity:

Affects Some People

Flags:

bugzilla: maintainer-feedback? (cy)

Priority:

---

Version:

Latest

Hardware:

Any

OS:

Any

Bug Depends on:

241421

Bug Blocks:

Attachments:

Description	Flags
base ntpd circumvention patch	none

Description dewayne 2019-11-14 02:16:43 UTC

I've created this PR to help others avoiding the time losses in tracking down problems with ports that are adversely impacted when ASLR is enabled; specifically when the following sysctl's are set:
kern.elf64.aslr.enable=1
kern.elf64.aslr.pie_enable=1
kern.elf64.aslr.stack_gap=1
kern.elf32.aslr.enable=1
kern.elf32.aslr.pie_enable=1
kern.elf32.aslr.stack_gap=1

When there is a problem, a workable solution is to disable ASLR for that particular process with, for example:
proccontrol -m aslr -s disable $Dir/$Image; for example
proccontrol -m aslr -s disable /usr/local/sbin/clamd
which results in 
# proccontrol -m aslr -q -p 64596
not forced, not active.

net/ntp - fails to reliably start.  With ASLR enabled it may take up to 60 attempts to start, when it does, it functions correctly.

security/clamd - often starts first time, but when it doesn't, it usually results in messages which fill the logging disk with:
LibClamAV Error: mpool_malloc(): Can't allocate memory (16781312 bytes).
adjusting memorylock in login.conf is futile, that is not the problem.

Other reports include:
firefox/thunderbird ref: 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228964 

Please feel free to add to this PR (might be better as a wiki).  The intention is to provide a vehicle where we can identify which ports have a problem, so that we can save time.  I'd spent four hours reviewing clamd and freshclam only to recall a prior change to kern.elf32...(a human memory swapout!)

Comment 1 Cy Schubert freebsd_committer

2019-11-14 02:47:35 UTC

Created attachment 209141 [details]
base ntpd circumvention patch

Apply the ntpd circumvention patch to base ntpd (build/installworld) or use the following in rc.conf:

Use,

ntpd_prepend="/usr/bin/proccontrol -m aslr -s disable"

I'll post a patch for ports later.

This patch has been submitted to nwtime.org (the upstream maintainers of ntpd) but they haven't reviewed it yet. The patch accomplishes the same as proccontrol above.

Comment 2 Cy Schubert freebsd_committer

2019-11-14 02:50:55 UTC

DUP of 241421

*** This bug has been marked as a duplicate of bug 241421 ***

Comment 3 commit-hook freebsd_committer

2019-11-15 16:34:57 UTC

A commit references this bug:

Author: cy
Date: Fri Nov 15 16:34:36 UTC 2019
New revision: 354733
URL: https://svnweb.freebsd.org/changeset/base/354733

Log:
  Disable ntpd stack gap. When ASLR with STACK GAP != 0 ntpd suffers SIGSEGV.

  PR:		241421, 241960
  Reported by:	Vladimir Zakharov <zakharov.vv@gmail.com>,
  		dewayne@heuristicsystems.com.au
  Reviewed by:	kib, imp (previous version), ian (suggestion)
  MFC after:	3 days
  Differential Revision:	https://reviews.freebsd.org/D22358

Changes:
  head/contrib/ntp/ntpd/ntpd.c

Comment 4 commit-hook freebsd_committer

2019-11-15 16:34:58 UTC

A commit references this bug:

Author: cy
Date: Fri Nov 15 16:34:43 UTC 2019
New revision: 517694
URL: https://svnweb.freebsd.org/changeset/ports/517694

Log:
  Disable ntpd stack gap. When ASLR with STACK GAP != 0 ntpd suffers SIGSEGV.

  PR:		241421, 241960
  Reported by:	Vladimir Zakharov <zakharov.vv@gmail.com>,
  		dewayne@heuristicsystems.com.au
  Reviewed by:	kib, imp (previous version), ian (suggestion)
  MFH:		2019Q4
  Differential Revision:  https://reviews.freebsd.org/D22358

Changes:
  head/net/ntp/Makefile
  head/net/ntp/files/patch-ntpd_ntpd.c
  head/net/ntp-devel/Makefile
  head/net/ntp-devel/files/patch-ntpd_ntpd.c

Comment 5 commit-hook freebsd_committer

2019-11-18 13:34:19 UTC

A commit references this bug:

Author: cy
Date: Mon Nov 18 13:33:51 UTC 2019
New revision: 517868
URL: https://svnweb.freebsd.org/changeset/ports/517868

Log:
  MFH: r515926 r517694

  patch-ntpd_ntp.c should really be named patch-ntpd_ntpd.c as it patches
  ntpd/ntpd.c.

  Disable ntpd stack gap. When ASLR with STACK GAP != 0 ntpd suffers SIGSEGV.

  PR:		241421, 241960
  Reported by:	Vladimir Zakharov <zakharov.vv@gmail.com>,
  		dewayne@heuristicsystems.com.au
  Reviewed by:	kib, imp (previous version), ian (suggestion)
  Differential Revision:  https://reviews.freebsd.org/D22358

  Approved by:	portmgr (joneum)

Changes:
_U  branches/2019Q4/
  branches/2019Q4/net/ntp/Makefile
  branches/2019Q4/net/ntp/files/patch-ntpd_ntp.c
  branches/2019Q4/net/ntp/files/patch-ntpd_ntpd.c
  branches/2019Q4/net/ntp-devel/Makefile
  branches/2019Q4/net/ntp-devel/files/patch-ntpd_ntp.c
  branches/2019Q4/net/ntp-devel/files/patch-ntpd_ntpd.c

Comment 6 commit-hook freebsd_committer

2019-11-27 03:19:13 UTC

A commit references this bug:

Author: cy
Date: Wed Nov 27 03:18:35 UTC 2019
New revision: 355127
URL: https://svnweb.freebsd.org/changeset/base/355127

Log:
  MFC rr354733:
  Disable ntpd stack gap. When ASLR with STACK GAP != 0 ntpd suffers SIGSEGV.

  PR:		241421, 241960
  Reported by:	Vladimir Zakharov <zakharov.vv@gmail.com>,
  		dewayne@heuristicsystems.com.au
  Reviewed by:	kib, imp (previous version), ian (suggestion)
  Differential Revision:	https://reviews.freebsd.org/D22358

Changes:
_U  stable/12/
  stable/12/contrib/ntp/ntpd/ntpd.c

Comment 7 dewayne 2019-11-30 03:58:16 UTC

(In reply to dewayne from comment #0)
Building gcc 9.2 on i386 fails due to out of memory.  Turning off aslr is only solution.