Bug 307531

Summary: gtk-vnc uses bogus mmap flags for use with swapcontext
Product: [Fedora] Fedora Reporter: Zack Cerza <zcerza>
Component: gtk-vncAssignee: Daniel Berrangé <berrange>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: rawhideCC: drepper, hbrock, katzj, kyle, patrick
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-09-26 20:26:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 235703    
Attachments:
Description Flags
Fix mmap flags to avoid execmem errors. none

Description Zack Cerza 2007-09-26 18:03:24 UTC 
Description of problem:
Copied from setroubleshoot:

Target Context:  system_u:system_r:unconfined_t:s0Target Objects:  None [
process ]Affected RPM Packages:  Policy RPM:  selinux-policy-3.0.8-11.fc8Selinux
Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing
Mode:  PermissivePlugin Name:  plugins.allow_execmemHost
Name:  megadoomerPlatform:  Linux megadoomer 2.6.23-0.202.rc8.fc8 #1 SMP Mon Sep
24 22:09:05 EDT 2007 i686 i686Alert Count:  6First Seen:  Wed 26 Sep 2007
01:46:19 PM EDTLast Seen:  Wed 26 Sep 2007 01:53:54 PM EDTLocal
ID:  5b5e6c03-6b04-49bd-b9e3-43352f45a175Line Numbers:  Raw Audit Messages :avc:
denied { execmem } for comm=/usr/share/virt egid=0 euid=0 exe=/usr/bin/python
exit=-1239875584 fsgid=0 fsuid=0 gid=0 items=0 pid=4795
scontext=system_u:system_r:unconfined_t:s0 sgid=0
subj=system_u:system_r:unconfined_t:s0 suid=0 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0 

Version-Release number of selected component (if applicable):
virt-manager-0.5.0-1.fc8
selinux-policy-targeted-3.0.8-11.fc8
Comment 1 Daniel Walsh 2007-09-26 19:03:50 UTC 
virt manager should not require execmem.
Comment 2 Daniel Berrangé 2007-09-26 19:14:37 UTC 
I was not aware that we did require execmem. Its certainly not something we
knowingly introduced. Please capture a core file, install all the -debuginfo
packages for  python, virt-manager, gtk-vnc, gtk, glib, glibc  and extract a
stack trace from the place where it crashes.
Comment 3 Daniel Berrangé 2007-09-26 19:51:15 UTC 
Ok, ignore my previous request for core dump/trace - I've managed to reproduce it.

The flaw is in the GTK-VNC widget, which mmaps a chunk of memory with 
PROT_READ|PROT_WRITE|PROT_EXEC to use for the stack in swapcontext() /
makecontext() calls. Totally bogus to have PROT_EXEC there.

#0  0x00002aaaad5dc49c in swapcontext () from /lib64/libc.so.6
#1  0x00002aaaaaccbf6c in cc_swap (from=0x2aaaaaed9cb0, to=0x646bc0)
    at continuation.c:46
#2  0x00002aaaaaccc120 in coroutine_swap (from=0x2aaaaaed9c80, to=0x646b90, 
    arg=0x2aaaaaed9df8) at coroutine.c:81
#3  0x00002aaaaacd3da8 in do_vnc_display_open (data=<value optimized out>)
    at vncdisplay.c:731
#4  0x00002aaaacb68ee3 in IA__g_main_context_dispatch (context=0x631670)
    at gmain.c:2061
#5  0x00002aaaacb6c1dd in g_main_context_iterate (context=0x631670, block=1, 
    dispatch=1, self=<value optimized out>) at gmain.c:2694
#6  0x00002aaaacb6c4ea in IA__g_main_loop_run (loop=0x6887e0) at gmain.c:2898
#7  0x00002aaaab035f63 in IA__gtk_main () at gtkmain.c:1144
#8  0x0000000000403950 in ?? ()
#9  0x00002aaaad5baff4 in __libc_start_main (main=0x4031b0, argc=2, 
    ubp_av=0x7fff68bd7618, init=<value optimized out>, 
    fini=<value optimized out>, rtld_fini=<value optimized out>, 
    stack_end=0x7fff68bd7608) at libc-start.c:220
#10 0x0000000000402b29 in ?? ()
#11 0x00007fff68bd7608 in ?? ()
#12 0x0000000000000000 in ?? ()
Comment 4 Daniel Berrangé 2007-09-26 19:53:56 UTC 
Created attachment 207411 [details]
Fix mmap flags to avoid execmem errors.
Comment 5 Daniel Berrangé 2007-09-26 20:26:36 UTC 
Built into rawhide.

* Wed Sep 26 2007 Daniel P. Berrange <berrange> - 0.2.0-2.fc8
- Remove use of PROT_EXEC for coroutine stack (rhbz #307531 )
Comment 6 Zack Cerza 2007-09-26 20:41:04 UTC 
Thanks for the quick fix!
Comment 7 Daniel Berrangé 2007-09-26 21:28:50 UTC 
*** Bug 307481 has been marked as a duplicate of this bug. ***
Comment 8 Daniel Berrangé 2007-09-27 02:55:04 UTC 
*** Bug 277471 has been marked as a duplicate of this bug. ***
Comment 9 Daniel Berrangé 2007-09-27 02:55:08 UTC 
*** Bug 277831 has been marked as a duplicate of this bug. ***