https://bugs.exim.org/show_bug.cgi?id=1749
--- Comment #38 from Zoltan Herczeg <hzmester@???> ---
> All the tests were run without SELinux enforcing.
Great news! Thank you very much for testing.
> Running the tests with SELinux enforcing W^X pages on all of the platforms
> would require more time, thus I checked only on my x86_64 workstation and I
> can state it works.
Perhaps this is not necessary since both allocators should work on normal
systems. The difference is that the protected allocator works on SELinux as
well while the normal allocator does not.
I would be grateful if you could check the JIT compiler as well on these
systems.
1) Please check out the compiler
   svn checkout svn://svn.code.sf.net/p/sljit/code/ sljit
2) Enter the sljit directory
   cd sljit
3) Modify the Makefile
   Change the following line
   CPPFLAGS = $(EXTRA_CPPFLAGS) -DSLJIT_CONFIG_AUTO=1 -Isljit_src
   to
   CPPFLAGS = $(EXTRA_CPPFLAGS) -DSLJIT_CONFIG_AUTO=1 -DSLJIT_PROT_EXECUTABLE_ALLOCATOR=1 -Isljit_src
4) Build the program
   make
5) Run the SLJIT regression tests:
   bin/sljit_test
   bin/regex_test
> The pcre2grep tests will fail with "no more memory", fastjit pcre2test tests
> will segfault and pcre2_jit_test will fail with "JIT compiler does not
> support...".
Ok, I got the problem now. I think pcregrep should only warn if JIT
compiling fails rather than aborting the execution. Philip, what do you
think about modifying pcregrep/pcre2grep to work this way?
> But you can be right especially if the JIT compiler does multiple
> allocations and only a subsequent allocation fails. Then probably the
> easiest solution is to keep the JIT code as it is and only amend
> pcre2_jit_compile(3) documentation stating it is safe to ignore
> pcre2_jit_compile(3) failure if the application is not going to use JIT
> specific functions later.
I would go this way. JIT compiling errors are harmless and should never abort
the execution of an application, unless using JIT is critical. But that is a
(rare) special case and we can expect that they provide a suitable
environment.
> Some programs create fixed-name temporary files. If an attacker can control
> the TMPDIR environment variable, a SUID program would write to a directory of
> the attacker's choice and the final file could coincide with a file the
> attacker does not otherwise have access to.
I can modify the compiler to use getenv("TMPDIR") as the first attempt. How can
I test the condition that TMPDIR must not be used?
Regards,
Zoltan
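
One way to decide when TMPDIR must not be used, as an added example that is not part of the original comment or of the SLJIT sources: treat the process as privileged when its real and effective IDs differ or, on Linux, when the kernel reports secure-execution mode, and fall back to a fixed directory in that case. The names `running_privileged`, `choose_tmpdir` and `FALLBACK_TMPDIR` are hypothetical.

```c
/* Added example (not SLJIT code); all names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

#define FALLBACK_TMPDIR "/tmp"

/* Nonzero when the process holds privileges its invoker does not have,
 * so environment variables set by the invoker must not be trusted. */
int running_privileged(void)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return 1;
#ifdef __linux__
    /* AT_SECURE is nonzero when the program was started in
     * secure-execution mode (setuid, setgid, file capabilities). */
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    return 0;
}

/* Policy kept separate from the privilege probe so it can be tested
 * without installing a SUID binary. env_tmpdir is the raw TMPDIR value
 * and may be NULL. */
const char *choose_tmpdir(const char *env_tmpdir, int privileged)
{
    struct stat st;

    if (privileged || env_tmpdir == NULL)
        return FALLBACK_TMPDIR;
    /* Reject empty or relative values and anything that is not a directory. */
    if (env_tmpdir[0] != '/' || stat(env_tmpdir, &st) != 0 || !S_ISDIR(st.st_mode))
        return FALLBACK_TMPDIR;
    return env_tmpdir;
}

int main(void)
{
    printf("temporary directory: %s\n",
           choose_tmpdir(getenv("TMPDIR"), running_privileged()));
    return 0;
}
```

On glibc, `secure_getenv("TMPDIR")` performs the same secure-execution check and returns NULL when the environment must be ignored.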