From: Ulrich Mueller
Newsgroups: gmane.emacs.bugs
Subject: bug#900: temacs segmentation fault in unexec under Linux 2.6.26
Date: Tue, 9 Sep 2008 17:02:04 +0200
Message-ID: <18630.36844.764754.85790@a1i15.kph.uni-mainz.de>
References: <18625.64355.215907.350751@a1i15.kph.uni-mainz.de>
Reply-To: Ulrich Mueller, 900@emacsbugs.donarmstrong.com
To: 900@emacsbugs.donarmstrong.com
Cc: emacs@gentoo.org
X-Mailer: VM 8.0.9 under Emacs 22.2.1 (i686-pc-linux-gnu)
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.org gmane.emacs.bugs:20399
Tags: patch

I guess the issue boils down to the fact that testing for (heap_bss_diff > MAX_HEAP_BSS_DIFF) is not a reliable method to determine if heap randomisation is switched on. "heap_bss_diff" is random in nature, and will therefore be smaller than MAX_HEAP_BSS_DIFF in some cases. These lead to the observed segmentation faults.

Here is an attempt at a patch, asking the kernel (via /proc fs) for the presence of the feature. I've also made the definition of ADDR_NO_RANDOMIZE conditional, since it is already defined in newer versions of personality.h.

The patch was tested with 22.3, but also applies cleanly to the CVS trunk of today.

*** emacs-orig/src/emacs.c 2008-05-12 21:55:52.000000000 +0200 --- emacs/src/emacs.c 2008-09-09 16:26:52.000000000 +0200 *************** *** 73,78 **** --- 73,81 ---- #ifdef HAVE_PERSONALITY_LINUX32 #include + #ifndef ADDR_NO_RANDOMIZE + #define ADDR_NO_RANDOMIZE 0x0040000 + #endif #endif #ifndef O_RDWR *************** *** 789,794 **** --- 792,817 ---- return count >= 3 ? REPORT_EMACS_BUG_PRETEST_ADDRESS : REPORT_EMACS_BUG_ADDRESS; } + #ifdef HAVE_PERSONALITY_LINUX32 + /* Get the `randomize_va_space' parameter. A value of 2 (introduced + in Linux 2.6.25) indicates that brk() randomization is switched on, + which will break unexec. See .
*/ + static int + linux_randomize_va_space () + { + FILE *fp; + int rand, count; + + fp = fopen ("/proc/sys/kernel/randomize_va_space", "r"); + if (!fp) + return -1; + count = fscanf (fp, "%d", &rand); + (void) fclose (fp); + if (count != 1) + return -1; + return rand; + } + #endif /* HAVE_PERSONALITY_LINUX32 */ /* ARGSUSED */ int *************** *** 883,906 **** if (!initialized && (strcmp (argv[argc-1], "dump") == 0 || strcmp (argv[argc-1], "bootstrap") == 0) ! && heap_bss_diff > MAX_HEAP_BSS_DIFF) { ! if (! getenv ("EMACS_HEAP_EXEC")) ! { ! /* Set this so we only do this once. */ ! putenv("EMACS_HEAP_EXEC=true"); ! ! /* A flag to turn off address randomization which is introduced ! in linux kernel shipped with fedora core 4 */ ! #define ADD_NO_RANDOMIZE 0x0040000 ! personality (PER_LINUX32 | ADD_NO_RANDOMIZE); ! #undef ADD_NO_RANDOMIZE ! ! execvp (argv[0], argv); ! ! /* If the exec fails, try to dump anyway. */ ! perror ("execvp"); ! } } #endif /* HAVE_PERSONALITY_LINUX32 */ --- 906,925 ---- if (!initialized && (strcmp (argv[argc-1], "dump") == 0 || strcmp (argv[argc-1], "bootstrap") == 0) ! && !getenv ("EMACS_HEAP_EXEC") ! && (heap_bss_diff > MAX_HEAP_BSS_DIFF ! || linux_randomize_va_space() >= 2)) { ! /* Set this so we only do this once. */ ! putenv("EMACS_HEAP_EXEC=true"); ! ! /* Set personality and disable randomization of VA space. */ ! personality (PER_LINUX32 | ADDR_NO_RANDOMIZE); ! ! execvp (argv[0], argv); ! ! /* If the exec fails, try to dump anyway. */ ! perror ("execvp"); } #endif /* HAVE_PERSONALITY_LINUX32 */
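Review bot: the fallback `#define ADDR_NO_RANDOMIZE 0x0040000` in the first hunk (lines 73,78) has the right value, the same one the kernel's personality flags use and the same one the old private `ADD_NO_RANDOMIZE` had, but nothing in the hunk says where it comes from; a one-line comment such as `/* Same value as ADDR_NO_RANDOMIZE in the kernel's personality.h; older glibc headers lack it. */` would stop a later reader from treating it as an Emacs-private constant or "fixing" it. Note also that the `#include` line in the quoted context shows no header name, so whoever applies this should work from the attached file rather than the quoted text.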
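Review bot: in the new `linux_randomize_va_space` (hunk 789,794) the local `int rand` shadows the C library's `rand` function whenever `<stdlib.h>` is in scope, which trips `-Wshadow` and reads oddly next to `count`; renaming it to `value` costs nothing. The `See .` in the comment has lost its reference, so either restore the link or drop the sentence. The error handling itself is sound: an unreadable or non-numeric sysctl yields -1, which can never satisfy the caller's `>= 2` test, so on kernels without the knob, or in a chroot without /proc, the old heuristic remains the only trigger.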
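Review bot: the return value of `personality (PER_LINUX32 | ADDR_NO_RANDOMIZE)` in the last hunk (883,906) is still unchecked; if the call fails (it returns -1 and sets errno, which a seccomp or container policy can cause), the code goes on to `execvp` with randomization still enabled, and because `EMACS_HEAP_EXEC=true` has already been put in the environment the re-exec'ed process skips this block and dumps with exactly the layout the patch is trying to avoid, silently. Suggest `if (personality (PER_LINUX32 | ADDR_NO_RANDOMIZE) == -1) perror ("personality");` and, on failure, falling through to the dump without the pointless re-exec, so at least the build log explains the subsequent crash. The rest of the hunk is a sound restructuring: folding `!getenv ("EMACS_HEAP_EXEC")` into the outer condition means the sysctl is consulted only on the first pass, and the `||` keeps the heap/bss heuristic as a fallback when `linux_randomize_va_space ()` returns -1.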
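The following is an added example, not code from the bug report or from Emacs. It shows the approach the message describes in stand-alone form: parsing /proc/sys/kernel/randomize_va_space robustly (the kernel writes "2\n", but an empty, garbled or missing file must not be mistaken for a value), combining the result with the heap/bss gap heuristic the way the patch's condition does, and, going one step beyond the patch, checking that ADDR_NO_RANDOMIZE actually took effect before any re-exec. All function names, the RANDOMIZE_VA_SPACE_PATH macro and the gap and threshold numbers in main are this example's own choices; only the sysctl path and the flag value come from the kernel.

```c
/* Added example, not code from the bug report or from Emacs: reading the
   randomize_va_space sysctl robustly, combining it with the heap/bss gap
   heuristic the way the patch does, and verifying that ADDR_NO_RANDOMIZE
   really took effect before re-exec'ing.  Function names and the numbers
   in main are this example's own; the sysctl path and flag value are the
   kernel's. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef __linux__
#include <sys/personality.h>
#ifndef ADDR_NO_RANDOMIZE
#define ADDR_NO_RANDOMIZE 0x0040000   /* same value as the kernel's personality.h */
#endif
#endif

#define RANDOMIZE_VA_SPACE_PATH "/proc/sys/kernel/randomize_va_space"

/* Parse the text of randomize_va_space.  Returns 0 (off), 1 (stack, mmap
   and VDSO only) or 2 (brk() as well), and -1 for anything else: empty
   text, non-numeric content, trailing junk or a value outside 0..2. */
int parse_randomize_va_space(const char *text)
{
    char *end;
    long v;

    if (text == NULL)
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r')
        end++;                        /* the kernel writes "2\n" */
    if (*end != '\0' || v < 0 || v > 2)
        return -1;
    return (int) v;
}

/* Read the sysctl from PATH.  -1 when it cannot be read (no /proc inside a
   chroot, or a kernel without the knob); the caller then falls back to the
   heuristic, exactly as the patch's -1 return does. */
int read_randomize_va_space(const char *path)
{
    char buf[32];
    size_t n;
    FILE *fp = fopen(path, "r");

    if (fp == NULL)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return parse_randomize_va_space(buf);
}

/* The patch's decision: re-exec with randomisation disabled when the kernel
   reports brk() randomisation, or when the observed bss-to-heap gap exceeds
   the threshold (the old heuristic, kept as the fallback for an unreadable
   sysctl).  Returns 1 for "re-exec", 0 for "dump as is". */
int should_reexec_without_randomization(long heap_bss_diff, long max_diff,
                                        int randomize_va_space)
{
    return heap_bss_diff > max_diff || randomize_va_space >= 2;
}

/* Set ADDR_NO_RANDOMIZE for the image exec'ed next and confirm it stuck.
   personality(0xffffffff) queries the current value without changing it.
   Returns 0 on success, -1 if the call failed or the flag was refused (a
   seccomp policy may do that); this is the case the patch does not detect. */
int disable_randomization_for_exec(void)
{
#ifdef __linux__
    int cur = personality(0xffffffff);

    if (cur == -1)
        return -1;
    if (personality((unsigned long) cur | ADDR_NO_RANDOMIZE) == -1)
        return -1;
    cur = personality(0xffffffff);
    return (cur != -1 && (cur & ADDR_NO_RANDOMIZE)) ? 0 : -1;
#else
    return -1;                        /* no personality(2) on this platform */
#endif
}

int main(void)
{
    int rvs = read_randomize_va_space(RANDOMIZE_VA_SPACE_PATH);
    long gap = 12345;                 /* constructed gap, below the threshold */
    long threshold = 1048576;         /* constructed threshold for the example */
    int reexec = should_reexec_without_randomization(gap, threshold, rvs);

    printf("randomize_va_space = %d\n", rvs);
    printf("re-exec needed (gap %ld, threshold %ld): %s\n",
           gap, threshold, reexec ? "yes" : "no");
    if (reexec && disable_randomization_for_exec() != 0)
        perror("personality");        /* visible instead of a silent bad dump */
    return 0;
}
```

With the constructed gap of 12345 the heuristic alone says "no re-exec", so on a kernel reporting 2 the decision comes entirely from the sysctl, which is the case the message says the old test missed. A -1 from the reader (no /proc, or non-numeric content) leaves the heuristic as the only trigger, matching the patch.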