Gentoo's Bugzilla – Attachment 489664 Details for Bug 624356
Bug 624356: =app-misc/pax-utils-1.2.2: scanelf SIGSEGVs on some binaries on ia64
[patch] pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch (text/plain), 1.98 KB, created by Sergei Trofimovich (RETIRED) on 2017-08-19 09:49:00 UTC
Description: pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch
Filename: pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch
MIME Type: text/plain
Creator: Sergei Trofimovich (RETIRED)
Created: 2017-08-19 09:49:00 UTC
Size: 1.98 KB
Flags: patch, obsolete
>From e95103c40d0541fbcdb4b84b000832d9b1b83b8d Mon Sep 17 00:00:00 2001 >From: Sergei Trofimovich <slyfox@gentoo.org> >Date: Sat, 19 Aug 2017 10:34:41 +0100 >Subject: [PATCH] scanelf: fix out-of-bounds access in ia64 > >commit 2eb852129394f97dae89c0ff1f9f48637edcb0e9 >slightly changed decoder and added unchecked >read from elf header: > >``` > switch (EGET(dpltrel->d_un.d_val)) { \ > case DT_REL: \ > rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \ >``` > >On ia64 'EGET(drel->d_un.d_val)' returns absolute address: > >``` > $ dumpelf bug/luatex > ... > /* Dynamic tag #31 'DT_RELA' 0x97E310 */ > { > .d_tag = 0x7 , > .d_un = { > .d_val = 0x4000000000031C30 , > .d_ptr = 0x4000000000031C30 , > }, > }, >``` > >That causes 'scanelf' crash on binaries like 'luatex'. > >This change restores check and loudly skips such sections: > scanelf: bug/luatex: DT_RELA is out of file range > >Bug: https://bugs.gentoo.org/624356 >Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> >--- > scanelf.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > >diff --git a/scanelf.c b/scanelf.c >index 1ead891..a054408 100644 >--- a/scanelf.c >+++ b/scanelf.c >@@ -607,11 +607,23 @@ static char *scanelf_file_textrels(elfobj *elf, char *found_textrels, char *foun > } \ > switch (EGET(dpltrel->d_un.d_val)) { \ > case DT_REL: \ >+ if (!VALID_RANGE(elf, EGET(drel->d_un.d_val), sizeof (drel->d_un.d_val))) { \ >+ rel = NULL; \ >+ rela = NULL; \ >+ warn("%s: DT_REL is out of file range", elf->filename); \ >+ break; \ >+ } \ > rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \ > rela = NULL; \ > pltrel = DT_REL; \ > break; \ > case DT_RELA: \ >+ if (!VALID_RANGE(elf, EGET(drel->d_un.d_val), sizeof (drel->d_un.d_val))) { \ >+ rel = NULL; \ >+ rela = NULL; \ >+ warn("%s: DT_RELA is out of file range", elf->filename); \ >+ break; \ >+ } \ > rel = NULL; \ > rela = RELA##B(elf->vdata + EGET(drel->d_un.d_val)); \ > pltrel = DT_RELA; \ >-- >2.14.1 >
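Review bot: in both the DT_REL and DT_RELA cases of this hunk the new VALID_RANGE check is given sizeof (drel->d_un.d_val) as the length, so it only proves that the first word at the DT_REL/DT_RELA offset lies inside the file, not that the relocation table the later code walks does; the table length lives in the companion DT_RELSZ/DT_RELASZ tag, and passing that (or at minimum sizeof(*rel) / sizeof(*rela)) would make the check cover what is actually read. Two smaller points: the check plus the three-line reset is pasted verbatim into both cases and could be hoisted ahead of the switch with the tag name chosen for the warn() message; and on the skip path rel and rela are both NULL while pltrel is not assigned at all, so the code after the switch (outside the visible context) must treat that combination as "no relocations" rather than dereference either pointer. The commit message explains that on ia64 d_val is an absolute virtual address rather than a file offset, so this change declines such binaries instead of translating the address through the program headers; that is a sound hardening choice, but a one-line comment beside the warn() saying so would keep the skip from being read as a corrupt-file case.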