Summary: | =app-misc/pax-utils-1.2.2: scanelf SIGSEGVs on some binaries on ia64 | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Sergei Trofimovich (RETIRED) <slyfox> |
Component: | Current packages | Assignee: | SpanKY <vapier> |
Status: | RESOLVED FIXED | ||
Severity: | normal | Keywords: | PATCH, REGRESSION |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: | pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch |
Description
Sergei Trofimovich (RETIRED)
2017-07-09 09:37:13 UTC
Uploaded full file as: https://dev.gentoo.org/~slyfox/bugs/624356-ia64-rela/luatex I poked a bit around and found out that SIGSEGV happens when first relocation is read out at. SIGSEGV happens because pointer to relocation section is bogus. rela is setup as: rela = RELA##B(elf->vdata + EGET(drel->d_un.d_val)); but on ia64 'drel->d_un.d_val' is an absolute address. Absolute numbers are: RELA: elf->vdata=0x2000000000330000, drel->d_un.d_val=0x4000000000031C30 If I understand how scanelf works it should always try to point to elf->vdata buffer (it's 10MB here). $ readelf -a /usr/bin/luatex Section Headers: [Nr] Name Type Address Offset Size EntSize Flags Link Info Align ... [ 8] .rela.dyn RELA 4000000000031c30 00031c30 0000000000001218 0000000000000018 A 4 0 8 Note the absolute address. I suspect that scanelf works only by chance on ia64 for final executables. On x86_64 using fsanitize=address scanelf crashes on this file as: $ scanelf -v -qyRAF '%T %p' ./luatex ASAN:DEADLYSIGNAL ================================================================= ==12590==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555a66101892 bp 0x7ffca5fa4eb0 sp 0x7ffca5fa4d90 T0) ==12590==The signal is caused by a READ memory access. ==12590==Hint: address points to the zero page. #0 0x555a66101891 in scanelf_file_textrels /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:735 #1 0x555a66104ff2 in scanelf_elfobj /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1492 #2 0x555a6610b214 in scanelf_elf /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1567 #3 0x555a6610b214 in scanelf_fileat /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1634 #4 0x555a6610b61b in scanelf_dirat /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1668 #5 0x555a6610d56c in parseargs /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2228 #6 0x555a660f2e67 in main /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2316 #7 0x7feb5c2403f9 in __libc_start_main (/lib64/libc.so.6+0x39648203f9) #8 0x555a660f2f79 in _start (/usr/bin/scanelf+0x11f79) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:735 in scanelf_file_textrels ==12590==ABORTING pax-utils-1.1.7 does not fail on the file and only complains about it: $ scanelf -qyRAF '%T %p' /usr/bin/luatex scanelf: scanelf_file_textrels(): ELF /usr/bin/luatex has TEXTREL markings but doesnt appear to have any real TEXTREL's !? /usr/bin/luatex Created attachment 489664 [details, diff]
pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch
pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch restore bounds checking for master version of pax-utils.
(In reply to Sergei Trofimovich from comment #4) > Created attachment 489664 [details, diff] [details, diff] > pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch > > pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch restore bounds > checking for master version of pax-utils. I've pushed similar fix to pax-utils-1.2.2-r1 (as the code is slightly diverged from master): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e17e5572bda4281b90959cf8999dc95dfe21c6b Keeping the bug open as I don't have access to push the fix to master branch: FATAL -- ACCESS DENIED Repo proj/pax-utils User slyfox@gentoo.org Stage Before git was called Operation Repo write FATAL: W any proj/pax-utils slyfox@gentoo.org DENIED by fallthru (or you mis-spelled the reponame) Removing ia64@ as immediate crash is fixed there. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=720becce1314db8c0af8442650f496d972475327 commit 720becce1314db8c0af8442650f496d972475327 Author: Sergei Trofimovich <slyfox@gentoo.org> AuthorDate: 2017-08-19 09:34:41 +0000 Commit: Fabian Groffen <grobian@gentoo.org> CommitDate: 2017-09-18 07:05:20 +0000 scanelf: fix out-of-bounds access in ia64 commit 2eb852129394f97dae89c0ff1f9f48637edcb0e9 slightly changed decoder and added unchecked read from elf header: ``` switch (EGET(dpltrel->d_un.d_val)) { \ case DT_REL: \ rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \ ``` On ia64 'EGET(drel->d_un.d_val)' returns absolute address: ``` $ dumpelf bug/luatex ... /* Dynamic tag #31 'DT_RELA' 0x97E310 */ { .d_tag = 0x7 , .d_un = { .d_val = 0x4000000000031C30 , .d_ptr = 0x4000000000031C30 , }, }, ``` That causes 'scanelf' crash on binaries like 'luatex'. This change restores check and loudly skips such sections: scanelf: bug/luatex: DT_RELA is out of file range Bug: https://bugs.gentoo.org/624356 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> Signed-off-by: Fabian Groffen <grobian@gentoo.org> scanelf.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)} there, now it's in the repo at least. Marking as fixed as latest ebuild has a patch applied and main tree has the fix. |