Bug 490753 (mmap_zero_fedora) - Kernel assigns addresses less mmap_min_addr when not MAP_FIXED
Status: NEW
Alias: mmap_zero_fedora
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Duplicates: 707390 809329 970830 981862 1008852
Reported: 2009-03-17 20:01 UTC by Simon Lewis
Modified: 2019-04-30 21:39 UTC (History)

Description Simon Lewis 2009-03-17 20:01:55 UTC
Summary:

SELinux is preventing ld-linux-x86-64 (prelink_t) "mmap_zero" access to
prelink_t.

Detailed Description:

SELinux denied the access requested by ld-linux-x86-64. Since this access is
not expected to be required by ld-linux-x86-64, this may signal an intrusion
attempt. It is also possible that this specific version or configuration of
the application is causing the additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
You can also disable SELinux protection altogether. However, this is not
recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:prelink_t:s0
Target Context                system_u:system_r:prelink_t:s0
Target Objects                None [ memprotect ]
Source                        ld-linux-x86-64
Source Path                   /lib64/ld-2.9.so
Port                          <Unknown>
Host                          hp550-01
Source RPM Packages           glibc-2.9-3
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-47.fc10
SELinux Enabled               True
Policy Version                targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hp550-01
Platform                      Linux hp550-01 2.6.27.19-170.2.35.fc10.x86_64 #1
                              SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 15 Mar 2009 15:15:41 CET
Last Seen                     Sun 15 Mar 2009 15:15:41 CET
Local ID                      243e1568-228d-4964-a59a-00d2ed24c724
Line Numbers                  

Raw Audit Messages            

node=hp550-01 type=AVC msg=audit(1237126541.283:115): avc:  denied  { mmap_zero } for  pid=24449 comm="ld-linux-x86-64" scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:system_r:prelink_t:s0 tclass=memprotect

node=hp550-01 type=SYSCALL msg=audit(1237126541.283:115): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=748a08 a2=3 a3=32 items=0 ppid=22449 pid=24449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ld-linux-x86-64" exe="/lib64/ld-2.9.so" subj=system_u:system_r:prelink_t:s0 key=(null)

Comment 1 Miroslav Grepl 2009-03-18 11:41:44 UTC
Simon, 

could you try:

# yum reinstall selinux-policy-targeted

and then

# fixfiles restore

Comment 2 Eric Paris 2009-03-18 13:26:45 UTC
This is the second report of prelink trying to call mmap(addr<64k, MAP_FIXED);

Why is prelink doing this?

Comment 4 Jakub Jelinek 2009-03-18 13:56:40 UTC
Prelink never assigns < 64KB as the base address of any library (see /var/log/prelink/prelink.log or prelink -pv for addresses it assigned) and the loads of segfaults of the ld-linux* processes are believed to be a recent kernel bug, so it is very well possible the kernel is messing stuff up in this case as well, or there is some badly linked binary with base address 0.
If you can reproduce this, just try running prelink under strace -f to see with what arguments ld.so has been invoked and what it actually tried to mmap at address 0, then try to reproduce it by running ld.so with those arguments by hand.

Comment 5 Simon Lewis 2009-03-18 19:38:36 UTC
Hello Mgrepl, Eric and Jakub,

I reinstalled selinux-policy-targeted.noarch 0:3.5.13-48.fc10 as you suggested.

[root@hp550-01 ~]# fixfiles restore completed without any errors in terminal but produced the following AVC-Access-Denial:


Summary:

SELinux is preventing setfiles from using potentially mislabeled files
(/tmp/kde-simon/konsolehX3066.tmp).

Detailed Description:

SELinux denied setfiles access to potentially mislabeled files
(/tmp/kde-simon/konsolehX3066.tmp). This means that SELinux will not allow
setfiles to use these files. It is common for users to edit files in their
home directory or in temporary directories and then move (mv) them to system
directories. The problem is that they are stored there with a file context
that certain applications are not allowed to access.

Allowing Access:

If you want setfiles to access these files, you need to relabel them using
restorecon -v /tmp/kde-simon/konsolehX3066.tmp. You can also relabel the whole
directory at once using restorecon -R -v /tmp/kde-simon.

Additional Information:

Source Context                unconfined_u:unconfined_r:setfiles_t:s0
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /tmp/kde-simon/konsolehX3066.tmp [ file ]
Source                        setfiles
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          hp550-01
Source RPM Packages           policycoreutils-2.0.57-17.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-48.fc10
SELinux Enabled               True
Policy Version                targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     hp550-01
Platform                      Linux hp550-01 2.6.27.19-170.2.35.fc10.x86_64 #1
                              SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 18 Mar 2009 20:26:53 CET
Last Seen                     Wed 18 Mar 2009 20:26:53 CET
Local ID                      44beadda-41d8-416a-90eb-bea97c79a5cd
Line Numbers                  

Raw Audit Messages            

node=hp550-01 type=AVC msg=audit(1237404413.545:35): avc:  denied  { read } for  pid=3204 comm="setfiles" path="/tmp/kde-simon/konsolehX3066.tmp" dev=sda6 ino=377356 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=hp550-01 type=AVC msg=audit(1237404413.545:35): avc:  denied  { read } for  pid=3204 comm="setfiles" path="/tmp/kde-simon/konsoleSL3066.tmp" dev=sda6 ino=377357 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=hp550-01 type=AVC msg=audit(1237404413.545:35): avc:  denied  { read } for  pid=3204 comm="setfiles" path="/tmp/kde-simon/konsolenn3066.tmp" dev=sda6 ino=377358 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=hp550-01 type=SYSCALL msg=audit(1237404413.545:35): arch=c000003e syscall=59 success=yes exit=0 a0=2223b30 a1=2210fd0 a2=220bf70 a3=7fffc50194e0 items=0 ppid=3192 pid=3204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0 key=(null)

Best regards, Simon

Comment 6 Daniel Walsh 2009-03-19 13:08:00 UTC
This AVC is unrelated to the mmap_zero avc and can be ignored.  It is caused by a leaked file descriptor in konsole/kdebase, which has been reported to them several times.

Comment 7 Steve Grubb 2009-03-23 18:01:41 UTC
I'm seeing this problem too.

type=AVC msg=audit(1237820250.382:127): avc:  denied  { mmap_zero } for  pid=20152 comm="ld-linux-x86-64" scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:system_r:prelink_t:s0 tclass=memprotect
type=SYSCALL msg=audit(1237820250.382:127): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=600a78 a2=3 a3=32 items=0 ppid=17324 pid=20152 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ld-linux-x86-64" exe="/lib64/ld-2.9.so" subj=system_u:system_r:prelink_t:s0 key=(null)

If you look at a3, it's passing 0x32 which maps to MAP_ANONYMOUS|MAP_FIXED|MAP_PRIVATE and a0 is NULL so it's asking for mappings to begin at zero address. a2 says PROT_READ|PROT_WRITE. The a1 argument shows a request for > 100Mb.

Review of /var/log/prelink/prelink.log shows a couple things:

/usr/sbin/prelink: /usr/bin/msntest: Could not parse `Inconsistency detected by ld.so: dl-load.c: 690: _dl_init_paths: Assertion `pelem->dirname[0] == '/'' failed!'

Laying out 830 libraries in virtual address space 0000003000000000-0000004000000000
Random base 0x000000306c800000
Assigned virtual address space slots for 64-bit x86-64 ELF libraries:

So, aside from that one app. nothing too interesting.
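
The argument decoding discussed in comment 7, as an added example that is not part of the original bug thread: it decodes audit SYSCALL records for x86_64 mmap and pairs them by event ID with mmap_zero AVC denials. The 64 KiB limit is an assumption taken from comment 2, the function names are hypothetical, and the third sample record is constructed.

```python
import re

# Linux x86_64 bit values from <sys/mman.h>
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
LOW_LIMIT = 0x10000  # assumption: the 64k boundary named in comment 2
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First two records are from comment 7; the third is constructed for contrast.
SAMPLE = [
    'type=AVC msg=audit(1237820250.382:127): avc:  denied  { mmap_zero } for  pid=20152 comm="ld-linux-x86-64" scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:system_r:prelink_t:s0 tclass=memprotect',
    'type=SYSCALL msg=audit(1237820250.382:127): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=600a78 a2=3 a3=32 items=0 ppid=17324 pid=20152 comm="ld-linux-x86-64" exe="/lib64/ld-2.9.so" subj=system_u:system_r:prelink_t:s0 key=(null)',
    'type=SYSCALL msg=audit(1237820250.400:128): arch=c000003e syscall=9 success=yes exit=139637976727552 a0=0 a1=1000 a2=3 a3=22 items=0 pid=20153 comm="cat"',
]

def names(value, table):
    """Symbolic names of the bits set in value; leftover bits are shown as hex."""
    out = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return out + ([hex(rest)] if rest else [])

def decode_mmap(line):
    """Decode an x86_64 mmap (syscall 9) SYSCALL record, or return None."""
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if (f.get("type"), f.get("arch"), f.get("syscall")) != ("SYSCALL", "c000003e", "9"):
        return None
    a = [int(f["a%d" % i], 16) for i in range(4)]  # audit logs a0..a3 as bare hex
    return {"addr": a[0], "length": a[1], "prot": names(a[2], PROT),
            "flags": names(a[3], MAP), "exit": int(f["exit"])}

def low_fixed_mmaps(lines):
    """MAP_FIXED requests below LOW_LIMIT, tagged with any mmap_zero AVC denial."""
    denied, calls = set(), {}
    for line in lines:
        m = EVENT_ID.search(line)
        if not m:
            continue
        if "type=AVC" in line and "{ mmap_zero }" in line:
            denied.add(m.group(1))
        call = decode_mmap(line)
        if call:
            calls[m.group(1)] = call
    return [dict(c, event=e, mmap_zero_denied=e in denied) for e, c in calls.items()
            if "MAP_FIXED" in c["flags"] and c["addr"] < LOW_LIMIT]

if __name__ == "__main__":
    for hit in low_fixed_mmaps(SAMPLE):
        print(hit)
```

The constructed third record also passes a0=0 but without MAP_FIXED, so the address is only a hint and the record is not reported.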

Comment 8 Eric Paris 2009-08-12 15:20:42 UTC
This is a kernel problem, dup of bug 507017 but it's an upstream problem.  There is nothing wrong with prelink.  I'm taking the bug as a reminder I need to fix this upstream.

Comment 9 Bug Zapper 2009-11-16 09:52:06 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 10 Bug Zapper 2010-11-04 11:26:33 UTC
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 11 Eric Paris 2011-05-25 13:28:59 UTC
*** Bug 707390 has been marked as a duplicate of this bug. ***

Comment 12 Fedora End Of Life 2013-04-03 18:09:14 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 13 Justin M. Forbes 2013-04-05 17:00:15 UTC
Is this still a problem with 3.9 based F19 kernels?

Comment 14 Eric Paris 2013-04-05 18:42:32 UTC
Yes.  Still a problem.

Comment 15 Eric Paris 2013-06-07 14:45:46 UTC
*** Bug 970830 has been marked as a duplicate of this bug. ***

Comment 16 Eric Paris 2013-06-07 14:50:58 UTC
*** Bug 809329 has been marked as a duplicate of this bug. ***

Comment 17 Eric Paris 2013-09-30 21:43:57 UTC
*** Bug 1008852 has been marked as a duplicate of this bug. ***

Comment 18 Eric Paris 2015-04-13 16:45:03 UTC
*** Bug 981862 has been marked as a duplicate of this bug. ***

