php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #72281 PaX MPROTECT breaks php
Submitted: 2016-05-28 08:11 UTC Modified: 2016-11-13 14:38 UTC
From: tk at giga dot or dot at Assigned: cmb (profile)
Status: Closed Package: PCRE related
PHP Version: 7.0.7 OS: NetBSD
Private report: No CVE-ID: None
 [2016-05-28 08:11 UTC] tk at giga dot or dot at
Description:
------------
When compiling php-7.0.7 on NetBSD-7.99.29/amd64, the compilation fails because php dumps core.
The problem is that NetBSD on that release has PaX MPROTECT turned on by default (see http://netbsd.gw.com/cgi-bin/man-cgi?security++NetBSD-current), i.e. it does not allow mapping pages both writable and executable. However, this is needed by php.

The backtrace of the core dump has:
#1  0x00000000004d0d87 in _pcre_jit_exec ()
#2  0x00000000004a53f1 in php_pcre_exec ()

Since JIT and MPROTECT are at odds with each other, I suggest running "paxctl +m" on the binary, which (on NetBSD, see http://netbsd.gw.com/cgi-bin/man-cgi?paxctl++NetBSD-current) removes the MPROTECT restrictions for the php binary.

A workaround patch is attached.
It can not be used as is, since paxctl on *BSD and paxctl on Linux have different syntax.
I hope that someone can extend this to also work on Linux.

The patch is an example, but is tested and works on NetBSD.


Patches

Better_workaround_patch_for_NetBSD.diff (last revision 2016-06-12 16:44 UTC by tk at giga dot or dot at)
workaround_patch_for_NetBSD.diff (last revision 2016-05-28 08:12 UTC by tk at giga dot or dot at)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-09 20:32 UTC] cmb@php.net
-Package: Compile Failure +Package: PCRE related
 [2016-11-09 20:32 UTC] cmb@php.net
As I understand it, the compilation succeeds, but the problem is PCRE's
JIT support, so I'm changing the "package affected".

> Since JIT and MPROTECT are at odds with each other, I suggest running
> "paxctl +m" on the binary, […]

But what if PCRE is built as shared library? Would that also work in
this case?

Furthermore, according to Gentoo's Hardened/PaX Quickstart[1] it appears
that marking is not without issues. Perhaps we should simply document
the issue instead of trying to fix it?

[1] <https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart#Marking_for_PaX>
 [2016-11-09 22:01 UTC] tk at giga dot or dot at
PCRE is built as a shared library here, so the paxctl does work in this case.

The paxctl is just a workaround, the real fix would be to address the PCRE bug
"PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction": https://bugs.exim.org/show_bug.cgi?id=1749

It is however better in the meantime than core dumps :)
 [2016-11-13 14:00 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2016-11-13 14:35 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=340988
Log: Document W^X/PaX MPROTECT issues

Fix #72281: PaX MPROTECT breaks php
Fix #73114: php segfault probably because OpenBSD wx implementation
 [2016-11-13 14:38 UTC] cmb@php.net
-Status: Assigned +Status: Closed -Type: Bug +Type: Documentation Problem
 [2016-11-13 14:38 UTC] cmb@php.net
We have decided that this is not an issue that PHP should try to
solve, but rather to document the problem and possible solutions.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 12:01:27 2024 UTC