
Bug 624356

Summary: =app-misc/pax-utils-1.2.2: scanelf SIGSEGVs on some binaries on ia64
Product: Gentoo Linux
Reporter: Sergei Trofimovich (RETIRED) <slyfox>
Component: Current packages
Assignee: SpanKY <vapier>
Status: RESOLVED FIXED
Severity: normal
Keywords: PATCH, REGRESSION
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch

Description Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-09 09:37:13 UTC
It's an ~ia64 system. The example is /usr/bin/luatex

$ gdb --args ./scanelf -qyRAF '%T %p' /usr/bin/

Program received signal SIGSEGV, Segmentation fault.
0x40000000000177e0 in scanelf_file_textrels (elf=0x6000000000010050, found_textrels=0x60000fffffff99dc "", found_textrel=0x60000fffffff99d4 "\001") at scanelf.c:735
735                     SCANELF_ELF_SIZED(SHOW_TEXTRELS);
(gdb) bt
#0  0x40000000000177e0 in scanelf_file_textrels (elf=0x6000000000010050, found_textrels=0x60000fffffff99dc "", found_textrel=0x60000fffffff99d4 "\001") at scanelf.c:735
#1  0x4000000000029ed0 in scanelf_elfobj (elf=0x6000000000010050) at scanelf.c:1492
#2  0x400000000002b0c0 in scanelf_elf (filename=0x60000fffffff9c58 "/usr/bin/luatex", fd=4, len=10241744) at scanelf.c:1567
#3  0x400000000002bbb0 in scanelf_fileat (dir_fd=-100, filename=0x60000fffffff9c58 "/usr/bin/luatex", st_cache=0x60000fffffff9bc8) at scanelf.c:1634
#4  0x400000000002c540 in scanelf_dirat (dir_fd=-100, path=0x60000fffffffb3ba "/usr/bin/") at scanelf.c:1706
#5  0x400000000002c780 in scanelf_dir (path=0x60000fffffffb3ba "/usr/bin/") at scanelf.c:1718
#6  0x4000000000031da0 in parseargs (argc=4, argv=0x60000fffffffb0e8) at scanelf.c:2228
#7  0x4000000000032340 in main (argc=4, argv=0x60000fffffffb0e8) at scanelf.c:2316
Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-09 11:15:26 UTC
Uploaded full file as: https://dev.gentoo.org/~slyfox/bugs/624356-ia64-rela/luatex

I poked around a bit and found out that the SIGSEGV happens when the first relocation
is read out. The SIGSEGV happens because the pointer to the relocation section is bogus.

rela is set up as:
    rela = RELA##B(elf->vdata + EGET(drel->d_un.d_val));

but on ia64 'drel->d_un.d_val' is an absolute address. Absolute numbers are:
RELA: elf->vdata=0x2000000000330000, drel->d_un.d_val=0x4000000000031C30

If I understand how scanelf works, it should always point into the
elf->vdata buffer (it's 10MB here).

$ readelf -a /usr/bin/luatex

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
...
  [ 8] .rela.dyn         RELA             4000000000031c30  00031c30
       0000000000001218  0000000000000018   A       4     0     8

Note the absolute address. I suspect that scanelf works only by chance
on ia64 for final executables.
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-09 11:26:58 UTC
On x86_64, built with -fsanitize=address, scanelf crashes on this file as:

$ scanelf -v -qyRAF '%T %p' ./luatex 
ASAN:DEADLYSIGNAL
=================================================================
==12590==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555a66101892 bp 0x7ffca5fa4eb0 sp 0x7ffca5fa4d90 T0)
==12590==The signal is caused by a READ memory access.
==12590==Hint: address points to the zero page.
    #0 0x555a66101891 in scanelf_file_textrels /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:735
    #1 0x555a66104ff2 in scanelf_elfobj /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1492
    #2 0x555a6610b214 in scanelf_elf /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1567
    #3 0x555a6610b214 in scanelf_fileat /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1634
    #4 0x555a6610b61b in scanelf_dirat /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1668
    #5 0x555a6610d56c in parseargs /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2228
    #6 0x555a660f2e67 in main /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2316
    #7 0x7feb5c2403f9 in __libc_start_main (/lib64/libc.so.6+0x39648203f9)
    #8 0x555a660f2f79 in _start (/usr/bin/scanelf+0x11f79)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:735 in scanelf_file_textrels
==12590==ABORTING
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-09 11:36:37 UTC
pax-utils-1.1.7 does not fail on the file and only complains about it:

$ scanelf -qyRAF '%T %p' /usr/bin/luatex 
scanelf: scanelf_file_textrels(): ELF /usr/bin/luatex has TEXTREL markings but doesnt appear to have any real TEXTREL's !?
 /usr/bin/luatex
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-19 09:49:00 UTC
Created attachment 489664 [details, diff]
pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch

pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch restores bounds checking for the master version of pax-utils.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-19 10:15:11 UTC
(In reply to Sergei Trofimovich from comment #4)
> Created attachment 489664 [details, diff]
> pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch
> 
> pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch restores bounds
> checking for the master version of pax-utils.

I've pushed a similar fix to pax-utils-1.2.2-r1 (as the code has slightly diverged from master):
    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e17e5572bda4281b90959cf8999dc95dfe21c6b

Keeping the bug open as I don't have access to push the fix to master branch:

FATAL -- ACCESS DENIED
Repo            proj/pax-utils                                              
User            slyfox@gentoo.org                                           
Stage           Before git was called                                       
Operation       Repo write                                                  

FATAL: W any proj/pax-utils slyfox@gentoo.org DENIED by fallthru
(or you mis-spelled the reponame)
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-19 10:21:28 UTC
Removing ia64@ as immediate crash is fixed there.
Comment 7 Larry the Git Cow gentoo-dev 2017-09-18 07:06:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=720becce1314db8c0af8442650f496d972475327

commit 720becce1314db8c0af8442650f496d972475327
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2017-08-19 09:34:41 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2017-09-18 07:05:20 +0000

    scanelf: fix out-of-bounds access in ia64
    
    commit 2eb852129394f97dae89c0ff1f9f48637edcb0e9
    slightly changed the decoder and added an unchecked
    read from the elf header:
    
    ```
           switch (EGET(dpltrel->d_un.d_val)) { \
           case DT_REL: \
                   rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \
    ```
    
    On ia64 'EGET(drel->d_un.d_val)' returns absolute address:
    
    ```
        $ dumpelf bug/luatex
        ...
        /* Dynamic tag #31 'DT_RELA' 0x97E310 */
        {
            .d_tag     = 0x7        ,
            .d_un      = {
                    .d_val = 0x4000000000031C30 ,
                    .d_ptr = 0x4000000000031C30 ,
            },
        },
    ```
    
    That causes a 'scanelf' crash on binaries like 'luatex'.
    
    This change restores the check and loudly skips such sections:
        scanelf: bug/luatex: DT_RELA is out of file range
    
    Bug: https://bugs.gentoo.org/624356
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 scanelf.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
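The failure described in comment 1 and in the commit message above, worked through as an added example (this is not pax-utils code and not the attached patch): a small ELF64 reader that resolves DT_RELA with the range check the fix restores, so an ia64-style absolute address such as 0x4000000000031C30 is reported as out of file range instead of being turned into a pointer far past the mapped buffer. The image it parses is a constructed 288-byte ELF built inline (not luatex); the local ELF struct definitions, the return codes, the scenario list and the optional PT_LOAD vaddr-to-offset translation are this example's own additions (the page's fix only skips the section), and a little-endian host is assumed.

```c
/* Added example (not pax-utils code): resolve DT_RELA from an in-memory ELF64
 * image without ever forming vdata + d_un unchecked.  Assumes a little-endian
 * host; the ELF structs are defined locally so no <elf.h> is needed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PT_LOAD    1
#define PT_DYNAMIC 2
#define DT_NULL    0
#define DT_RELA    7
#define DT_RELASZ  8

typedef struct { uint8_t e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags; uint16_t e_ehsize,
    e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx; } Ehdr64;   /* 64 bytes */
typedef struct { uint32_t p_type, p_flags; uint64_t p_offset, p_vaddr, p_paddr,
    p_filesz, p_memsz, p_align; } Phdr64;                              /* 56 bytes */
typedef struct { int64_t d_tag; uint64_t d_un; } Dyn64;                /* 16 bytes */

enum { RELA_FOUND, RELA_NONE, RELA_OUT_OF_RANGE, RELA_BAD_ELF };

/* True if [off, off+len) lies inside a buffer of 'total' bytes (no overflow). */
static int in_range(uint64_t off, uint64_t len, size_t total) {
    return off <= total && len <= total - off;
}

/* Read the ELF header and check that the program header table is in range. */
static int load_ehdr(const uint8_t *buf, size_t len, Ehdr64 *eh) {
    if (len < sizeof *eh || memcmp(buf, "\x7f" "ELF", 4) != 0) return 0;
    memcpy(eh, buf, sizeof *eh);
    return eh->e_phentsize == sizeof(Phdr64) &&
           in_range(eh->e_phoff, (uint64_t)eh->e_phnum * sizeof(Phdr64), len);
}

/* Translate a virtual address to a file offset through the PT_LOAD segments.
 * This goes beyond the page's fix, which only skips the section. */
static int vaddr_to_offset(const uint8_t *buf, size_t len, uint64_t vaddr, uint64_t *off) {
    Ehdr64 eh; Phdr64 ph;
    if (!load_ehdr(buf, len, &eh)) return 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_LOAD && vaddr >= ph.p_vaddr && vaddr - ph.p_vaddr < ph.p_filesz) {
            *off = ph.p_offset + (vaddr - ph.p_vaddr);
            return 1;
        }
    }
    return 0;
}

/* Find the DT_RELA table.  d_un is first tried as a file offset (how the buggy
 * scanelf used it); if that is outside the file and 'translate' is set, it is
 * retried as a virtual address.  Out-of-range values are reported, not followed. */
static int find_rela(const uint8_t *buf, size_t len, int translate,
                     uint64_t *rela_off, uint64_t *rela_sz) {
    Ehdr64 eh; Phdr64 ph; Dyn64 d;
    if (!load_ehdr(buf, len, &eh)) return RELA_BAD_ELF;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_DYNAMIC) continue;
        if (!in_range(ph.p_offset, ph.p_filesz, len)) return RELA_BAD_ELF;
        uint64_t val = 0, sz = 0, off; int have = 0;
        for (uint64_t o = 0; o + sizeof d <= ph.p_filesz; o += sizeof d) {
            memcpy(&d, buf + ph.p_offset + o, sizeof d);
            if (d.d_tag == DT_NULL) break;
            if (d.d_tag == DT_RELA)   { val = d.d_un; have = 1; }
            if (d.d_tag == DT_RELASZ) sz = d.d_un;
        }
        if (!have) return RELA_NONE;
        off = val;
        if (!in_range(off, sz, len) &&                   /* the restored bounds check */
            (!translate || !vaddr_to_offset(buf, len, val, &off) || !in_range(off, sz, len)))
            return RELA_OUT_OF_RANGE;                    /* "DT_RELA is out of file range" */
        *rela_off = off; *rela_sz = sz;
        return RELA_FOUND;
    }
    return RELA_NONE;
}

/* Constructed 288-byte image (not luatex): ehdr | 2 phdrs | 64-byte dynamic | 48-byte rela. */
enum { IMG_SIZE = 288, RELA_OFF = 240, RELA_SIZE = 48 };
static void build_image(uint8_t *img, uint64_t load_vaddr, uint64_t dt_rela_value) {
    Ehdr64 eh = {{0}}; Phdr64 ph[2] = {{0}}; Dyn64 dyn[4] = {{0}};
    memset(img, 0, IMG_SIZE);
    memcpy(eh.e_ident, "\x7f" "ELF\x02\x01\x01", 7);   /* ELFCLASS64, LSB, version 1 */
    eh.e_type = 2; eh.e_machine = 50;                   /* ET_EXEC, EM_IA_64 */
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof ph[0]; eh.e_phnum = 2;
    ph[0].p_type = PT_LOAD;    ph[0].p_vaddr = load_vaddr;       ph[0].p_filesz = ph[0].p_memsz = IMG_SIZE;
    ph[1].p_type = PT_DYNAMIC; ph[1].p_offset = 176; ph[1].p_vaddr = load_vaddr + 176; ph[1].p_filesz = ph[1].p_memsz = sizeof dyn;
    dyn[0].d_tag = DT_RELA;   dyn[0].d_un = dt_rela_value;
    dyn[1].d_tag = DT_RELASZ; dyn[1].d_un = RELA_SIZE;   /* dyn[2] is DT_NULL */
    memcpy(img, &eh, sizeof eh); memcpy(img + sizeof eh, ph, sizeof ph); memcpy(img + 176, dyn, sizeof dyn);
}

/* Four scenarios; returns a bitmask that is 0xf when all behave as described. */
static int demo(void) {
    uint8_t img[IMG_SIZE]; uint64_t off, sz; int ok = 0;
    const uint64_t base = 0x4000000000000000ULL;   /* same region as the page's luatex */
    build_image(img, base, RELA_OFF);              /* d_un is a plain file offset */
    if (find_rela(img, IMG_SIZE, 0, &off, &sz) == RELA_FOUND && off == RELA_OFF && sz == RELA_SIZE) ok |= 1;
    build_image(img, base, base + RELA_OFF);       /* d_un is an absolute vaddr, the ia64 case */
    if (find_rela(img, IMG_SIZE, 0, &off, &sz) == RELA_OUT_OF_RANGE) ok |= 2;   /* skipped, no crash */
    if (find_rela(img, IMG_SIZE, 1, &off, &sz) == RELA_FOUND && off == RELA_OFF) ok |= 4; /* via PT_LOAD */
    build_image(img, base, 0xdeadbeefULL);         /* garbage that no segment covers */
    if (find_rela(img, IMG_SIZE, 1, &off, &sz) == RELA_OUT_OF_RANGE) ok |= 8;
    return ok;
}

int main(void) {
    int r = demo();
    printf("scenarios behaving as expected: 0x%x of 0xf\n", r);
    return r == 0xf ? 0 : 1;
}
```

The second scenario is the one from the backtrace: with the check removed, `vdata + d_un` would be computed from 0x4000000000000000-range value and dereferenced at the first relocation read; with it, the table is reported out of range and left alone. The third scenario shows what a reader that wants the relocations anyway has to do on ia64: map the address through PT_LOAD first, then range-check the resulting offset before touching it.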
Comment 8 Fabian Groffen gentoo-dev 2017-09-18 07:08:50 UTC
there, now it's in the repo at least.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-09 15:08:29 UTC
Marking as fixed as latest ebuild has a patch applied and main tree has the fix.