Open srherbener opened 5 months ago
@srherbener
I assume this was with spack-stack 1.6 ?
note the problem is actually in eccodes. Either there is a bug there or the security options are not right to allow callback that eccodes needs.
From the ffi doc:
https://cffi.readthedocs.io/en/latest/using.html#callbacks%20%3Cend%20of%20output%3E
Warning Callbacks are provided for the ABI mode or for backward compatibility. If you are using the out-of-line API mode, it is recommended to use the extern “Python” mechanism instead of callbacks: it gives faster and cleaner code. It also avoids several issues with old-style callbacks:
On less common architecture, libffi is more likely to crash on callbacks (e.g. on NetBSD);
On hardened systems like PAX and SELinux, the extra memory protections can interfere (for example, on SELinux you need to run with deny_execmem set to off).
On Mac OS X, you need to give your application the entitlement com.apple.security.cs.allow-unsigned-executable-memory.
Note also that a cffi fix for this issue was attempted—see the ffi_closure_alloc branch—but was not merged because it creates potential memory corruption with fork().
In other words: yes, it is dangerous to allow write+execute memory in your program; that’s why the various “hardening” options above exist. But at the same time, these options open wide the door to another attack: if the program forks and then attempts to call any of the ffi.callback(), then this immediately results in a crash—or, with a minimal amount of work from an attacker, arbitrary code execution. To me it sounds even more dangerous than the original problem, and that’s why cffi is not playing along.
To fix the issue once and for all on the affected platforms, you need to refactor the involved code so that it no longer uses ffi.callback().
@PatNichols thanks for the info on this issue. This was run with a spack-stack built from develop branches and is a bit newer than spack-stack-1.6.0. This one is using py-eccodes/1.5.0 and eccodes/2.32.0.
I suspect this issue might be that my Mac is on Sonoma 14.2.1 which probably has tightened down the JIT restrictions which are noted in the "On Mac OS X" link in your comment.
I think the preferred option would be for py-eccodes to replace the calls to ffi.callback() as you noted. @BenjaminRuston do you know if the latest py-eccodes/1.6.1 has any updates related to this? Thanks!
Current behavior (describe the bug)
I am seeing the following tests fail on my Mac:
These appear to be converters using eccodes/cffi. Here is a excerpt from the LastTest.log:
To Reproduce
Expected behavior
All ctests pass
Additional information (optional)