bug#29940: guile-2.2.3 does not work pax mprotect

bug#29940: guile-2.2.3 does not work pax mprotect

[Thomas Klausner]

Hi!

guile-2.2.3 does not compile on NetBSD 8 and NetBSD-current.
During build, it writes stuff like this for basically every file:

gmake[2]: Entering directory '/scratch/lang/guile22/work/guile-2.2.3/bootstrap'
  BOOTSTRAP GUILEC ice-9/eval.go
;;; WARNING: loading compiled file /scratch/lang/guile22/work/guile-2.2.3/prebuilt/64-bit-little-endian/ice-9/eval.go failed:
;;; Throw to key system-error with args ("load-thunk-from-memory" "~A" ("Permission denied") (13))
wrote `ice-9/eval.go'

When I turn off PaX mprotect, the build succeeds.

PaX mprotect is a security feature that forbids memory pages that are
writable and executable, and some memory protection changes that would
allow this. Other programs/libraries (e.g. libffi) needed to be fixed
for this.

Can you please fix this in guile-2.2.x?
(guile-2.0.14 builds fine on such a system.)

Thanks,
 Thomas

bug#29940: Acknowledgement (guile-2.2.3 does not work pax mprotect)

[Thomas Klausner]

[-- Attachment #1: Type: text/plain, Size: 357 bytes --]

The attached patch is a workaround: we can mark the guile binary to
not use the PAX mprotect feature using paxctl +m. On Linux, paxctl has
different flags, so I wrapped it in an "if", and it uses knowledge of
libtool internals, so it is not a good idea to integrate this patch
as-is.

Better would be of course to make guile work with PAX mprotect.
 Thomas

[-- Attachment #2: patch-libguile_Makefile.in --]
[-- Type: text/plain, Size: 599 bytes --]

$NetBSD: patch-libguile_Makefile.in,v 1.1 2018/01/08 10:39:45 wiz Exp $

Fix build on NetBSD>=8.

--- libguile/Makefile.in.orig	2017-11-06 09:12:56.000000000 +0000
+++ libguile/Makefile.in
@@ -2444,6 +2444,8 @@ clean-noinstPROGRAMS:
 guile$(EXEEXT): $(guile_OBJECTS) $(guile_DEPENDENCIES) $(EXTRA_guile_DEPENDENCIES) 
 	@rm -f guile$(EXEEXT)
 	$(AM_V_CCLD)$(guile_LINK) $(guile_OBJECTS) $(guile_LDADD) $(LIBS)
+	if [ `uname -s` = "NetBSD" ]; then paxctl +m .libs/guile$(EXEEXT); fi
+
 install-binSCRIPTS: $(bin_SCRIPTS)
 	@$(NORMAL_INSTALL)
 	@list='$(bin_SCRIPTS)'; test -n "$(bindir)" || list=; \

bug#29940: Acknowledgement (guile-2.2.3 does not work pax mprotect)

[Thomas Klausner]

[-- Attachment #1: Type: text/plain, Size: 199 bytes --]

Jörg Sonnenberger just committed the attached patch to pkgsrc, which
fixes the problem for me as well, with the commit message:

"Use correct mmap permissions for later PROT_WRITE mprotect."
 Thomas

[-- Attachment #2: patch-libguile_loader.c --]
[-- Type: text/plain, Size: 458 bytes --]

$NetBSD: patch-libguile_loader.c,v 1.1 2018/01/08 22:37:08 joerg Exp $

--- libguile/loader.c.orig	2018-01-08 16:21:04.790894906 +0000
+++ libguile/loader.c
@@ -484,7 +484,7 @@ map_file_contents (int fd, size_t len, i
   char *data;
 
 #ifdef HAVE_SYS_MMAN_H
-  data = mmap (NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
+  data = mmap (NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
   if (data == MAP_FAILED)
     SCM_SYSERROR;
   *is_read_only = 1;