Ned Ludd wrote:
> On Sat, 2007-11-03 at 23:00 -0500, Brian Kroth wrote:
>>>> based on the maps files, both cactid and nagios are PIEs. two questions:
>>>> are they the only PIEs on this system (that regularly run, that is) and
>>>> do you have PIEs on the other systems that don't show the symptoms?
>>> I'm using the hardened/x86/2.6 profile which enables the pic use flag.
>>> Here's where my understanding gets hazy. PIC != PIE, but the two are
>>> related in that PIC creates position independent code, but not for
>>> executables? Anyways, how would I check?
>
> file, scanelf, readelf..
>
>> Reading some wikipedia on this now to try and understand it a little
>> better, but it didn't give me any insight as to how to read the maps
>> file to determine whether or not it was a pie.
>>
>> I re-emerged cacti-cactid and did not see pic or pie in the output at
>> all. Is that just enabled by default by the compiler? It looks like it.
>
> The profile auto enables USE=hardened on gcc which would result in a
> compiler that will generate position independent executable with ssp
> enabled by default. The 'pic' flag is only used in the tree to enable
> alternative position independent versions of hand written assembly in a
> few packages or work around other non pic code that we would prefer to
> be pic otherwise in pkgs.
>
> gcc-config gives you the option of switching to various combinations of
> these flags enabled by the hardened compiler using spec files.
>
> For userland debugging it's usually best to switch the gcc specs to
> the ones labeled 'vanilla' and recompile the programs in question with a
> command like
> bash# gcc-config i686-pc-linux-gnu-3.4.6-vanilla
> bash# . /etc/profile ; . ~/.bash_profile
>
> See also
> http://www.gentoo.org/proj/en/qa/backtraces.xml
> http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml
>

Excellent. Thanks for the info. So I take it that ET_DYN is a PIE and
ET_EXEC is not? If that's the case every other major service on the
system seems to be ET_DYN, so no they don't show the symptoms.

I recompiled cactid with vanilla gcc and had it running in a loop for
about 10 minutes before it showed a bad page state, which is much longer
than usual, but still broken.

So, since at least one of us thinks this is a kernel bug, should I try
to compile the kernel using gcc vanilla as well?

Does it also make sense to add -ggdb to the cactid rebuild to try and
pinpoint the failure that way?

Brian