Bug 105730 - crash in SELinux due to execheap violation
Summary: crash in SELinux due to execheap violation
Status: RESOLVED DUPLICATE of bug 76413
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-24 14:27 PST by Stijn van Drongelen
Modified: 2013-01-08 05:28 PST

See Also:


Description Stijn van Drongelen 2012-12-24 14:27:26 PST
There are issues with running Steam for Linux on a system with SELinux enabled. It is possible that WebKit is partially to blame.

The issue I've come across (https://github.com/ValveSoftware/steam-for-linux/issues/88) gives the following diagnostic information (with uninteresting data pruned for brevity):

    type=AVC msg=audit(...): avc: denied { execheap } for pid=4329 comm="MainThrd" ...
    type=SYSCALL msg=audit(...): arch=40000003 syscall=125 success=no exit=-13 a0=e9ac000 a1=c000 a2=7 a3=fff5bfcc ...

From this, one can derive that the violation is changing the memory protection (syscall=125 means mprotect) of a 48 kilobyte buffer to be both writable and executable (a2=7 means PROT_READ | PROT_WRITE | PROT_EXEC). I guess this is due to some JIT compilation going on in Steam (barring attackers, why else would anyone enable execution?), which would be due to WebKit (as suggested by the developer).

As far as I know, you don't need memory to be both writable and executable for JIT compilation. This issue looks like evidence of something bad happening in WebKit's JavaScript interpreter:

1) For one, memory should never be both writable and executable. On Windows, this would be a violation under DEP.
2) It's apparently a bad idea to use heap memory for this (according to Ulrich Drepper, at least: http://www.akkadia.org/drepper/selinux-mem.html).

(This issue seems similar to #35154, but 1) that issue lacked enough logging information to confirm, and 2) the missing permission there was execmem, rather than execheap.)
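The decoding walked through above, as an added example that is not part of the bug report: a small Python decoder for audit SYSCALL records that recognises the i386 mprotect call, reads the length and PROT_* bits from a1/a2, and flags any request for writable-and-executable memory, denied or not. The audit records it parses are constructed, modelled on the pruned lines quoted in the report; the syscall number and PROT_* values are the Linux i386 ones.

```python
import re

# arch=40000003 is AUDIT_ARCH_I386, and 125 is mprotect in the i386 syscall table.
I386_MPROTECT = 125
PROT_READ, PROT_WRITE, PROT_EXEC = 1, 2, 4

# Constructed sample records, modelled on the pruned lines quoted in the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1356387000.123:77): avc: denied { execheap } for pid=4329 comm="MainThrd" tclass=process
type=SYSCALL msg=audit(1356387000.123:77): arch=40000003 syscall=125 success=no exit=-13 a0=e9ac000 a1=c000 a2=7 a3=fff5bfcc pid=4329 comm="MainThrd"
type=SYSCALL msg=audit(1356387000.124:78): arch=40000003 syscall=125 success=yes exit=0 a0=e9ac000 a1=c000 a2=5 a3=0 pid=4329 comm="MainThrd"
"""

# key=value pairs; values may be quoted (comm="MainThrd") or bare (a2=7).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of field name -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def prot_names(prot):
    """Render an mprotect prot argument as PROT_* names, e.g. 7 -> PROT_READ|PROT_WRITE|PROT_EXEC."""
    bits = ((PROT_READ, "PROT_READ"), (PROT_WRITE, "PROT_WRITE"), (PROT_EXEC, "PROT_EXEC"))
    return "|".join(name for bit, name in bits if prot & bit) or "PROT_NONE"

def decode_mprotect(rec):
    """Decode a SYSCALL record as an i386 mprotect call; None for anything else."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != "40000003":
        return None
    if int(rec["syscall"]) != I386_MPROTECT:
        return None
    prot = int(rec["a2"], 16)  # a0=addr, a1=len, a2=prot, all logged in hex
    return {
        "pid": int(rec["pid"]),
        "comm": rec.get("comm"),
        "addr": int(rec["a0"], 16),
        "length": int(rec["a1"], 16),
        "prot": prot_names(prot),
        "writable_and_executable": (prot & (PROT_WRITE | PROT_EXEC)) == (PROT_WRITE | PROT_EXEC),
        "denied": rec.get("success") == "no",  # exit=-13 is -EACCES from the SELinux hook
    }

def find_wx_requests(audit_text):
    """Every mprotect in the log that asked for W+X memory, whether SELinux denied it or not."""
    hits = []
    for line in audit_text.splitlines():
        decoded = decode_mprotect(parse_record(line))
        if decoded and decoded["writable_and_executable"]:
            hits.append(decoded)
    return hits
```

The second SYSCALL record (a2=5, PROT_READ|PROT_EXEC) is the W^X-friendly shape a JIT should produce and is not reported; only the a2=7 request from the original report is.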
Comment 1 Gavin Barraclough 2013-01-03 14:33:48 PST
By default the JIT will make use of RWX memory, so if you want to run on a system that doesn't allow WX you need to configure your platform to enable the ENABLE_ASSEMBLER_WX_EXCLUSIVE setting.  I'm not sure how well tested this code path is in ToT, but the code is all still there – if you run into any issues please file bugs with specific backtraces.
Comment 2 Oliver Hunt 2013-01-07 10:53:36 PST
(In reply to comment #1)
> By default the JIT will make use of RWX memory, so if you want to run on a system that doesn't allow WX you need to configure your platform to enable the ENABLE_ASSEMBLER_WX_EXCLUSIVE setting.  I'm not sure how well tested this code path is in ToT, but the code is all still there – if you run into any issues please file bugs with specific backtraces.

WX_EXCLUSIVE is currently totally hosed :(
Comment 3 Stijn van Drongelen 2013-01-08 05:28:45 PST

*** This bug has been marked as a duplicate of bug 76413 ***