It's an ~ia64 system. The example is /usr/bin/luatex

$ gdb --args ./scanelf -qyRAF '%T %p' /usr/bin/
Program received signal SIGSEGV, Segmentation fault.
0x40000000000177e0 in scanelf_file_textrels (elf=0x6000000000010050, found_textrels=0x60000fffffff99dc "", found_textrel=0x60000fffffff99d4 "\001") at scanelf.c:735
735         SCANELF_ELF_SIZED(SHOW_TEXTRELS);
(gdb) bt
#0  0x40000000000177e0 in scanelf_file_textrels (elf=0x6000000000010050, found_textrels=0x60000fffffff99dc "", found_textrel=0x60000fffffff99d4 "\001") at scanelf.c:735
#1  0x4000000000029ed0 in scanelf_elfobj (elf=0x6000000000010050) at scanelf.c:1492
#2  0x400000000002b0c0 in scanelf_elf (filename=0x60000fffffff9c58 "/usr/bin/luatex", fd=4, len=10241744) at scanelf.c:1567
#3  0x400000000002bbb0 in scanelf_fileat (dir_fd=-100, filename=0x60000fffffff9c58 "/usr/bin/luatex", st_cache=0x60000fffffff9bc8) at scanelf.c:1634
#4  0x400000000002c540 in scanelf_dirat (dir_fd=-100, path=0x60000fffffffb3ba "/usr/bin/") at scanelf.c:1706
#5  0x400000000002c780 in scanelf_dir (path=0x60000fffffffb3ba "/usr/bin/") at scanelf.c:1718
#6  0x4000000000031da0 in parseargs (argc=4, argv=0x60000fffffffb0e8) at scanelf.c:2228
#7  0x4000000000032340 in main (argc=4, argv=0x60000fffffffb0e8) at scanelf.c:2316
Uploaded full file as: https://dev.gentoo.org/~slyfox/bugs/624356-ia64-rela/luatex

I poked around a bit and found out that the SIGSEGV happens when the first relocation is read out.
The SIGSEGV happens because the pointer to the relocation section is bogus. rela is set up as:

    rela = RELA##B(elf->vdata + EGET(drel->d_un.d_val));

but on ia64 'drel->d_un.d_val' is an absolute address. The absolute numbers are:

    RELA: elf->vdata=0x2000000000330000, drel->d_un.d_val=0x4000000000031C30

If I understand how scanelf works, it should always try to point into the elf->vdata buffer (it's 10MB here).

$ readelf -a /usr/bin/luatex
Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  ...
  [ 8] .rela.dyn         RELA             4000000000031c30  00031c30
       0000000000001218  0000000000000018   A       4     0     8

Note the absolute address. I suspect that scanelf works only by chance on ia64 for final executables.
On x86_64 using -fsanitize=address scanelf crashes on this file as:

$ scanelf -v -qyRAF '%T %p' ./luatex
ASAN:DEADLYSIGNAL
=================================================================
==12590==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555a66101892 bp 0x7ffca5fa4eb0 sp 0x7ffca5fa4d90 T0)
==12590==The signal is caused by a READ memory access.
==12590==Hint: address points to the zero page.
    #0 0x555a66101891 in scanelf_file_textrels /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:735
    #1 0x555a66104ff2 in scanelf_elfobj /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1492
    #2 0x555a6610b214 in scanelf_elf /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1567
    #3 0x555a6610b214 in scanelf_fileat /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1634
    #4 0x555a6610b61b in scanelf_dirat /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1668
    #5 0x555a6610d56c in parseargs /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2228
    #6 0x555a660f2e67 in main /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2316
    #7 0x7feb5c2403f9 in __libc_start_main (/lib64/libc.so.6+0x39648203f9)
    #8 0x555a660f2f79 in _start (/usr/bin/scanelf+0x11f79)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage-tmpdir/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:735 in scanelf_file_textrels
==12590==ABORTING
pax-utils-1.1.7 does not fail on the file and only complains about it:

$ scanelf -qyRAF '%T %p' /usr/bin/luatex
scanelf: scanelf_file_textrels(): ELF /usr/bin/luatex has TEXTREL markings but doesnt appear to have any real TEXTREL's !?
/usr/bin/luatex
Created attachment 489664
pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch

pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch restores bounds checking for the master version of pax-utils.
(In reply to Sergei Trofimovich from comment #4)
> Created attachment 489664
> pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch
>
> pax-utils-9999-scanelf-fix-out-of-bounds-access-in-ia64.patch restore bounds
> checking for master version of pax-utils.

I've pushed a similar fix to pax-utils-1.2.2-r1 (as the code has slightly diverged from master):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e17e5572bda4281b90959cf8999dc95dfe21c6b

Keeping the bug open as I don't have access to push the fix to the master branch:

FATAL -- ACCESS DENIED
  Repo proj/pax-utils
  User slyfox@gentoo.org
  Stage Before git was called
  Operation Repo write
FATAL: W any proj/pax-utils slyfox@gentoo.org DENIED by fallthru
(or you mis-spelled the reponame)
Removing ia64@ as the immediate crash is fixed there.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=720becce1314db8c0af8442650f496d972475327

commit 720becce1314db8c0af8442650f496d972475327
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2017-08-19 09:34:41 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2017-09-18 07:05:20 +0000

scanelf: fix out-of-bounds access in ia64

commit 2eb852129394f97dae89c0ff1f9f48637edcb0e9 slightly changed decoder
and added unchecked read from elf header:

```
switch (EGET(dpltrel->d_un.d_val)) {                      \
case DT_REL:                                              \
    rel = REL##B(elf->vdata + EGET(drel->d_un.d_val));    \
```

On ia64 'EGET(drel->d_un.d_val)' returns absolute address:

```
$ dumpelf bug/luatex
...
/* Dynamic tag #31 'DT_RELA' 0x97E310 */
{
    .d_tag = 0x7 ,
    .d_un = {
        .d_val = 0x4000000000031C30 ,
        .d_ptr = 0x4000000000031C30 ,
    },
},
```

That causes 'scanelf' crash on binaries like 'luatex'.

This change restores check and loudly skips such sections:
    scanelf: bug/luatex: DT_RELA is out of file range

Bug: https://bugs.gentoo.org/624356
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 scanelf.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
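As an added illustration (my own code, not scanelf's and not the diff in the commit above), here is a dynamic-section walk that applies the kind of file-range check the commit describes before a DT_RELA value is ever used as an offset into the mapped file. The numbers come from the report: the luatex file is 10241744 bytes, the ia64 DT_RELA carries the absolute address 0x4000000000031C30, and the table's real file offset per readelf is 0x31c30 with size 0x1218 and entry size 0x18; the struct and function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* Standard ELF dynamic tags used below. */
#define DT_NULL    0
#define DT_RELA    7
#define DT_RELASZ  8
#define DT_RELAENT 9

typedef struct { int64_t d_tag; uint64_t d_val; } dyn_entry; /* stand-in for Elf64_Dyn */

/* Walk the dynamic entries and return the RELA table's file offset only if
 * the whole table [off, off + sz) lies inside a file of file_len bytes.
 * Returns -1 when the entries are missing, inconsistent or out of range:
 * the case a caller should log and skip instead of dereferencing. */
int64_t rela_offset_checked(const dyn_entry *dyn, size_t ndyn, uint64_t file_len)
{
    uint64_t off = 0, sz = 0, ent = 0;
    int have_off = 0;
    for (size_t i = 0; i < ndyn && dyn[i].d_tag != DT_NULL; i++) {
        switch (dyn[i].d_tag) {
        case DT_RELA:    off = dyn[i].d_val; have_off = 1; break;
        case DT_RELASZ:  sz  = dyn[i].d_val; break;
        case DT_RELAENT: ent = dyn[i].d_val; break;
        }
    }
    if (!have_off || ent == 0 || sz % ent != 0 || off > INT64_MAX)
        return -1;
    /* Compare by subtraction so a huge d_val cannot wrap an addition. */
    if (off >= file_len || sz > file_len - off)
        return -1;
    return (int64_t)off;
}

#define LUATEX_LEN 10241744ULL   /* len= from the gdb backtrace */

/* Constructed entries mirroring the report: d_val holds the absolute ia64
 * address 0x4000000000031C30, so the table must be rejected (-1). */
int64_t demo_ia64_absolute(void)
{
    const dyn_entry dyn[] = { {DT_RELA, 0x4000000000031C30ULL}, {DT_RELASZ, 0x1218},
                              {DT_RELAENT, 0x18}, {DT_NULL, 0} };
    return rela_offset_checked(dyn, 4, LUATEX_LEN);
}

/* Same table given as the file offset readelf shows (0x31c30): accepted. */
int64_t demo_file_offset(void)
{
    const dyn_entry dyn[] = { {DT_RELA, 0x31c30}, {DT_RELASZ, 0x1218},
                              {DT_RELAENT, 0x18}, {DT_NULL, 0} };
    return rela_offset_checked(dyn, 4, LUATEX_LEN);
}
```

Rejecting the entry is the safe outcome here; mapping an ia64 virtual address back to a file offset would need the program headers, which this check deliberately does not attempt.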
there, now it's in the repo at least.
Marking as fixed as the latest ebuild has the patch applied and the main tree has the fix.