[Mono-bugs] [Bug 61710][Nor] New - mono can't compile with PaX

bugzilla-daemon@bugzilla.ximian.com bugzilla-daemon@bugzilla.ximian.com
Sun, 18 Jul 2004 18:30:02 -0400 (EDT)

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by nigelenki@comcast.net.


--- shadow/61710	2004-07-18 18:30:02.000000000 -0400
+++ shadow/61710.tmp.22201	2004-07-18 18:30:02.000000000 -0400
@@ -0,0 +1,65 @@
+Bug#: 61710
+Product: Mono: Runtime
+Version: unspecified
+OS Details: Gentoo with PaX
+Status: NEW   
+Severity: 001 One hour
+Priority: Normal
+Component: misc
+AssignedTo: mono-bugs@ximian.com                            
+ReportedBy: nigelenki@comcast.net               
+QAContact: mono-bugs@ximian.com
+TargetMilestone: ---
+Summary: mono can't compile with PaX
+Description of Problem:
+When building mono, at least one kill occurs with PaX:
+PAX: execution attempt in: <anonymous mapping>, 22018000-22020000 22018000
+PAX: terminating task:
+uid/euid: 0/0, PC: 22018050, SP: 5cb37e6c
+I'm digging my way through to see what needs to be done, but I'm assuming
+you'll need to `paxctl -pemrxs` against this binary during building, before
+using it.  You may wish to use both 'chpax' and 'paxctl' at this point.
+You can find information on PaX at:
+Basically, it's a strict executable space protection scheme.
+Steps to reproduce the problem:
+1.  Set up a PaX-enabled system
+2.  Compile mono
+3.  Watch lt-mono die.
+Actual Results:
+lt-mono dies due to a PaX kill, compilation halts.
+Expected Results:
+mono should finish installing and get merged to /
+How often does this happen? 
+100% guarantee.
+Additional Information:
+See the two links above.  It's not feasible to say, "just get a binary
+download" or "don't use PaX," in this situation; however, you'll want to
+allow the paxctl and chpax commands to fail in the Makefile, as non-PaX
+systems won't have these installed.
+Anything that does JIT during build will need restrictions removed as given
+This should be a fairly simple build system fix (mark affected binaries
+before using them, and after building).  I've left the priority at "Normal"
+because I figure none of the Internet cares about security at this point,
+and would rather we switch off our protections.  Raise if you disagree with
+common opinion.