Page 1 of 1

Building Cinelerra and stack exec and mprotect issues

PostPosted: Mon Apr 25, 2016 8:11 pm
by timbgo
title: Building Cinelerra and stack exec and mprotect issues
---
(We'll get to grsec, in a while ;-) .)
I need the Cinelerra program, which has been very outdated in Gentoo
(
https://packages.gentoo.org/packages/me ... /cinelerra
where 20140710 is the most recent version and there is no maintainer...
)
and the development of a relatively recent fork at:
https://cinelerra-cv.org/
has been very lively since, so while I could use the old version, I wish so much to use the new, built out of git repo.

I have worked for two days very dedicatedly, and have tried to keep good notes of what I tried when building and installing Cinelerra, which installs, but fails to start.

And here we arrived at grsecurity.

It fails because of execstack and mprotect issues, maybe because of not having been talked into playing by the good rules the grsecurity imposes...

The entire quest of mine with the Cinelerra-CV building is available here:

Install Cinelerra in Gentoo (out-of-portage)
http://www.croatiafidelis.hr/foss/gento ... out-of.php

maybe just a tiny excerpt I should post here to give the idea:
Code: Select all
Apr 25 10:50:18 gcn kernel: [14513.404820] grsec: exec of /usr/bin/cinelerra
(cinelerra ) by /usr/bin/cinelerra[bash:26986] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3336] uid/euid:1000/1000
gid/egid:1000/1000

Apr 25 10:50:19 gcn kernel: [14513.767991] grsec: denied marking stack
executable as requested by PT_GNU_STACK marking in
/usr/lib64/cinelerra/blondtheme.so by /usr/bin/cinelerra[cinelerra:26986]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3336]
uid/euid:1000/1000 gid/egid:1000/1000

Apr 25 10:50:19 gcn kernel: [14513.768030] grsec: denied RWX mprotect of
/lib64/ld-2.22.so by /usr/bin/cinelerra[cinelerra:26986] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3336] uid/euid:1000/1000
gid/egid:1000/1000

and that really was the case still after a few recompiles...

I have also asked for help at:
Building in Gentoo; Was: Re: Cinelerra 5.1: Two bugs
http://lists.cinelerra-cv.org/pipermail ... 04677.html

The day here in Europe has long been over. I'm exhausted. But I thought before I go to sleep I'd ask for help here on grsecurity forums, since these are really advanced issues that devs, and many users, may be very much at home with, and give me advice.

For which I'll be thankful!
Miroslav Rovis
http://www.CroatiaFidelis.hr

Re: Building Cinelerra and stack exec and mprotect issues

PostPosted: Mon Apr 25, 2016 9:25 pm
by PaX Team
the grsec logs says it all:
Code: Select all
denied marking stack executable as requested by PT_GNU_STACK marking in /usr/lib64/cinelerra/blondtheme.so
that is, this library (and possibly others too) either uses gcc nested function trampolines (less likely) or has assembly code without the non-exec GNU_STACK marking (more likely).

Re: Building Cinelerra and stack exec and mprotect issues

PostPosted: Tue Apr 26, 2016 3:17 am
by timbgo
PaX Team wrote:the grsec logs says it all:
Code: Select all
denied marking stack executable as requested by PT_GNU_STACK marking in /usr/lib64/cinelerra/blondtheme.so
that is, this library (and possibly others too) either uses gcc nested function trampolines (less likely) or has assembly code without the non-exec GNU_STACK marking (more likely).

Thank you PaX Team!

I'll be giving me a refresher course from your docs at
https://pax.grsecurity.net/
on this and other issues related to here. Slowly, because I work like a slow turtle... ;-) .
Then I may be able to understand how to deal with this.

There is also been in the meantime another big boy has held my hand ;-) . There is one of the main Cinelerra-CV dev's git that I need to compile Cinelerra-CV from, leaving behind the main Cinelerra-CV git.

So that means all over. And then I will likely run into the same or similar issue...

But first I have to follow instructions that Good Guy has wrote for me at:
Building in Gentoo; Was: Re: Cinelerra 5.1: Two bugs
http://lists.cinelerra-cv.org/pipermail ... 04678.html
and
(same title)
http://lists.cinelerra-cv.org/pipermail ... 04679.html

And then I hope to be able to figure out how to deal with these PT_GNU_STACK marking and other PaX/grsecurity related issues, if I (as is likely) encounter them again...

Will be back, in slow time.

Re: Building Cinelerra and stack exec and mprotect issues

PostPosted: Tue Apr 26, 2016 5:00 am
by PaX Team
search this forum, handling (un)intended GNU_STACK markings came up many times in the past.

Re: Building Cinelerra and stack exec and mprotect issues

PostPosted: Tue Apr 26, 2016 11:29 am
by timbgo
PaX Team wrote:search this forum, handling (un)intended GNU_STACK markings
came up many times in the past.

I sure will! Did you see here:

Install Cinelerra in Gentoo (out-of-portage) -- Part 3

http://www.croatiafidelis.hr/foss/gento ... grsecurity

Everything has to talk friendly to grsec in my box ;-) .

I'm awaiting if Good Guy can make anything or not because of the huge number of errors in his, essentially, fork of cinelerra-cv :
http://lists.cinelerra-cv.org/pipermail ... 04691.html

And here the errors, at the bottom here:

http://www.croatiafidelis.hr/foss/gento ... hp#goodguy And looking them up in the make's log:
http://www.croatiafidelis.hr/foss/gento ... 9_make.log
, no, they do not seem PaX/grsec related like I had issues in the main repo install, that I built yesterday and the day before, and for which I started this topic...

Regards!
Miroslav Rovis
http://www.CroatiaFidelis.hr

Re: Building Cinelerra and stack exec and mprotect issues

PostPosted: Wed Apr 27, 2016 3:34 am
by timbgo
timbgo wrote:
PaX Team wrote:search this forum, handling (un)intended GNU_STACK markings
came up many times in the past.

I sure will! Did you see here:

Install Cinelerra in Gentoo (out-of-portage) -- Part 3

http://www.croatiafidelis.hr/foss/gento ... grsecurity

Everything has to talk friendly to grsec in my box ;-) .

I'm awaiting if Good Guy can make anything or not because of the huge number of errors in his, essentially, fork of cinelerra-cv :
http://lists.cinelerra-cv.org/pipermail ... 04691.html


And we worked up until late into the night. And I think it now boils down to hardening issues and very little else:

[CinCV TNG] Re: Building in Gentoo
http://lists.cinelerra-cv.org/pipermail ... 04711.html

(
a link there to here...

For which links some mods and admins in Gentoo Forums would linch me for... God, I would link to Cinelerra ML and to grsecurity Forums, and to http://www.CroatiaFidelis.hr if I had opened a topic at Gentoo Forums about this...

And that would be "blogging", using Gentoo Forums for blogging, which the new rule in Gentoo Forums forbids, pain: life imprisonment for the offender, and award for the executors who ban the offender for blogging: the Nobel prize!
Install Cinelerra in Gentoo (out-of-portage) -- Part 3
http://www.croatiafidelis.hr/foss/gento ... ntoo-folks
)

Regards!
Miroslav Rovis
http://www.CroatiaFidelis.hr[/quote]

Re: Building Cinelerra and stack exec and mprotect issues

PostPosted: Thu Apr 28, 2016 11:41 am
by timbgo
Due to the passage of time, links about the GNU_STACK are a little harder to find some details about, e.g. why is the utility that was once so used, masked:

Code: Select all
# emerge -s prelink                                                                                     
[ Results for search key : prelink ]
Searching...

...

*  sys-devel/prelink [ Masked ]
      Latest version available: 20130503-r1
      Latest version installed: [ Not Installed ]
      Size of files: 907 KiB
      Homepage:      https://people.redhat.com/jakub/prelink
      Description:   Modifies ELFs to avoid runtime symbol resolutions resulting in faster load times
      License:       GPL-2

[ Applications found : 2 ]

#


(Gentoo perspective, but likely similar perspective is in other distro)

That invalidates (to some extent) some of the solutions offered in the links below.

It looks to me it is good to start from this old links containing other old links:

ls no longer works in debian: ls: error while loading shared
viewtopic.php?f=3&t=1747&hilit=GNU_STACK

where there are links:

pax + fedora
viewtopic.php?t=673

kernel BUG at page_alloc.c
viewtopic.php?t=933
(given twice, this second, and the fifth link, in the para)

Debian users: don't upgrade to glibc 2.3.4, take action
viewtopic.php?t=1152
page 2:
viewtopic.php?f=3&t=1152&start=15

installing rpm's on redhat box denied.
viewtopic.php?p=3136
page 2:
viewtopic.php?f=3&t=717&start=15

However, not being a developer, notwithstanding that I can vaguely grasp the theory of an executable stack being an exploit venue, I'd still need to learn how to deal with the concrete PT_GNU_STACK and RWX mprotect issues that I encountered with my Cinelerra 5.1 compiled from cinelerra-cv/gg repo, as can be, a plethora of the necessary details, gleaned and sorted out from:

Re: [Re: [CinCV TNG] Building in Gentoo
http://www.croatiafidelis.hr/foss/cinel ... d4.en.html

( and the thread around it:
http://www.croatiafidelis.hr/foss/cinel ... 1.6f90f7d4
)

I'm still studying this, because I'm slow to grasp more difficult matters like this one.

But I thought it might be useful for others (Gentooers and other *nixers) who might be interested in installing Cinelerra 5.1.

Regards,
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)

Re: Building Cinelerra and stack exec and mprotect issues

PostPosted: Fri Apr 29, 2016 12:54 pm
by timbgo
I've made a tiny breakthrough in my understanding of PaX, and starting writing:
PaX Quickstart Demystified
viewtopic.php?f=3&t=4458
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)