Newsgroups: php.internals
Date: Fri, 9 Dec 2016 16:01:15 +0100
From: cmbecker69@gmx.de ("Christoph M. Becker")
To: Joe Watkins, Anatol Belski
Cc: PHP internals
Subject: Re: [PHP-DEV] PaX MPROTECT / W^X protection

An update regarding the PaX MPROTECT / W^X protection issue: Zoltan
Herczeg added a new compile flag which is supposed to avoid this issue,
see for details. Perhaps something to consider for our builds?

Cheers,
Christoph

On 13.11.2016 at 15:00, Christoph M. Becker wrote:

> Thanks, Anatol and Joe! So I'm going to document these issues, and
> close the respective reports.
>
> Cheers,
> Christoph
>
> On 13.11.2016 at 07:36, Joe Watkins wrote:
>
>> Morning,
>>
>> Just wanted to give a thumbs up to documenting the issue ...
>>
>> Trying to work around it with platform/distro/kernel specific solutions,
>> sounds quite horrible, and is bound to be fragile.
>>
>> Cheers
>> Joe
>>
>> On Sat, Nov 12, 2016 at 8:25 PM, Anatol Belski wrote:
>>
>>> Hi Christoph,
>>>
>>>> -----Original Message-----
>>>> From: Christoph M. Becker [mailto:cmbecker69@gmx.de]
>>>> Sent: Friday, November 11, 2016 7:40 PM
>>>> To: internals@lists.php.net
>>>> Subject: [PHP-DEV] PaX MPROTECT / W^X protection
>>>>
>>>> Hi!
>>>>
>>>> There are currently at least two unresolved tickets[1][2] in our bug tracker
>>>> regarding PaX MPROTECT / W^X protection issues with regard to PCRE JIT. The
>>>> problem is that PCRE JIT mmaps W|X pages[3], which is no longer allowed on
>>>> several platforms, such as OpenBSD, FreeBSD and SELinux. It seems that there
>>>> are workarounds (e.g. using paxctl to allow W|X mapping[1], or mounting with
>>>> wxallowed[4]), but these appear to be very system specific.
>>>>
>>>> My best idea to resolve the reports is to document this issue. Maybe somebody
>>>> has a better idea?
>>>>
>>> AFM, the linked tickets are not about an issue in PHP. There are just
>>> systems, or system configurations, that are very security oriented. If some
>>> feature is disabled on the system level, there's not much PHP can do. To
>>> compare - it would be wrong in the same way to say atime doesn't work in PHP,
>>> if indeed a volume is mounted with atime disabled. Any issue that is only to
>>> be solved by the system configuration is a configuration issue in most
>>> cases. So the documentation is probably the only thing we can do in this case.
>>>
>>> Regards
>>>
>>> Anatol
>>>
>>> --
>>> PHP Internals - PHP Runtime Development Mailing List
>>> To unsubscribe, visit: http://www.php.net/unsub.php
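
An added example, not part of the thread and not PHP or PCRE code: a small C probe that requests the kind of W|X anonymous mapping the thread says PCRE JIT uses, plus the W^X-style sequence (map read/write, then switch to read/execute), and reports whether the host refuses either call. The names `probe_mmap`, `probe_rw_then_rx`, `verdict` and `PROBE_LEN` are hypothetical, and the probe only reports refused calls; it does not identify which hardening feature refused them.

```c
#define _DEFAULT_SOURCE              /* MAP_ANONYMOUS on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define PROBE_LEN 4096               /* constructed size: one small region */

/* Request an anonymous private mapping with `prot`.
 * Returns 0 if granted, otherwise the errno that was reported. */
static int probe_mmap(int prot)
{
    void *p = mmap(NULL, PROBE_LEN, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, PROBE_LEN);
    return 0;
}

/* W^X-style sequence: map read/write, then ask mprotect() for read/execute,
 * so the page is never writable and executable at once. Returns 0 or errno. */
static int probe_rw_then_rx(void)
{
    void *p = mmap(NULL, PROBE_LEN, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int err = mprotect(p, PROBE_LEN, PROT_READ | PROT_EXEC) ? errno : 0;
    munmap(p, PROBE_LEN);
    return err;
}

/* Hypothetical helper: turn the two probe results into a short verdict. */
static const char *verdict(int wx_err, int flip_err)
{
    if (wx_err == 0)
        return "W|X mappings granted";
    return flip_err == 0 ? "W|X refused, RW->RX flip granted"
                         : "W|X refused, RW->RX flip refused";
}

int main(void)
{
    int wx = probe_mmap(PROT_READ | PROT_WRITE | PROT_EXEC);
    int flip = probe_rw_then_rx();
    printf("W|X mmap:   %s\n", wx ? strerror(wx) : "ok");
    printf("RW then RX: %s\nverdict:    %s\n",
           flip ? strerror(flip) : "ok", verdict(wx, flip));
    return 0;
}
```

Run it as the same user, and under the same policy or mount, as the PHP process, since the workarounds mentioned in the thread are applied per binary or per filesystem.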