Bug 890028 - <=app-misc/pax-utils-1.3.7 unknown crash in scanelf_file_get_symtabs
Summary: <=app-misc/pax-utils-1.3.7 unknown crash in scanelf_file_get_symtabs
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Toolchain Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-07 08:32 UTC by Agostino Sarubbo
Modified: 2024-09-22 04:40 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
scanelf testcase (1.crashes.elf.zip,589 bytes, application/zip)
2023-01-07 08:32 UTC, Agostino Sarubbo
dumpelf testcase (1.crashes.elf.zip,1.04 KB, application/zip)
2023-01-08 07:19 UTC, Agostino Sarubbo

Description Agostino Sarubbo gentoo-dev 2023-01-07 08:32:47 UTC
Created attachment 847774 [details]
scanelf testcase

scanelf -s '*' 1.crashes.elf

==58545==ERROR: AddressSanitizer: unknown-crash on address 0x7fe059136001 at pc 0x00000041bd79 bp 0x7ffe19497290 sp 0x7ffe19497288
READ of size 4 at 0x7fe059136001 thread T0
    #0 0x41bd78 in scanelf_file_get_symtabs ../pax-utils-1.3.6/scanelf.c:354
    #1 0x427638 in scanelf_file_sym ../pax-utils-1.3.6/scanelf.c:1313
    #2 0x427638 in scanelf_elfobj ../pax-utils-1.3.6/scanelf.c:1533
    #3 0x43fe33 in scanelf_elf ../pax-utils-1.3.6/scanelf.c:1598
    #4 0x43fe33 in scanelf_fileat ../pax-utils-1.3.6/scanelf.c:1665
    #5 0x44096c in scanelf_dirat ../pax-utils-1.3.6/scanelf.c:1699
    #6 0x443e03 in scanelf_dir ../pax-utils-1.3.6/scanelf.c:1749
    #7 0x443e03 in parseargs ../pax-utils-1.3.6/scanelf.c:2262
    #8 0x40291e in main ../pax-utils-1.3.6/scanelf.c:2350
    #9 0x7fe05caed1f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #10 0x7fe05caed2ab in __libc_start_main_impl ../csu/libc-start.c:381
    #11 0x402c10  (/usr/bin/scanelf+0x402c10)


A similar (same?) issue was already reported twice in the past:
https://blogs.gentoo.org/ago/2017/02/01/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c/
https://blogs.gentoo.org/ago/2017/02/25/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2/
Comment 1 Agostino Sarubbo gentoo-dev 2023-01-08 07:19:12 UTC
Created attachment 847882 [details]
dumpelf testcase

There is also a crash in dumpelf:

dumpelf 1.crashes.elf
==6304==ERROR: AddressSanitizer: unknown-crash on address 0x7ff4963c7000 at pc 0x000000415aaa bp 0x7ffd1fb5c0e0 sp 0x7ffd1fb5c0d8
READ of size 4 at 0x7ff4963c7000 thread T0
    #0 0x415aa9 in dump_notes ../pax-utils-1.3.6/dumpelf.c:262
    #1 0x41655d in dump_phdr ../pax-utils-1.3.6/dumpelf.c:336
    #2 0x405789 in dumpelf ../pax-utils-1.3.6/dumpelf.c:83
    #3 0x405789 in dumpelf_file ../pax-utils-1.3.6/dumpelf.c:153
    #4 0x405789 in parseargs ../pax-utils-1.3.6/dumpelf.c:576
    #5 0x405789 in main ../pax-utils-1.3.6/dumpelf.c:604
    #6 0x7ff499d7d1f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7ff499d7d2ab in __libc_start_main_impl ../csu/libc-start.c:381
    #8 0x40a290  (/usr/bin/dumpelf+0x40a290)
Comment 2 Agostino Sarubbo gentoo-dev 2023-01-09 08:21:01 UTC
Mike, I don't know how much you monitor the toolchain@ alias. Since you are one of the main authors, you may be interested in this.
Comment 3 Larry the Git Cow gentoo-dev 2024-01-25 05:21:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=c1759f9bf28edb910208a7c7fbb4b373fe8b1297

commit c1759f9bf28edb910208a7c7fbb4b373fe8b1297
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2024-01-25 05:19:50 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2024-01-25 05:19:50 +0000

    scanelf: fix hashtable overflow checks
    
    Make sure we use the right offset, and make sure the numbers to check
    don't overflow themselves -- if nbuckets & nchains are 32-bit, and if
    we multiply them by 4, we can easily overflow before we get a chance
    to see if they will fit within the memory range.
    
    Bug: https://bugs.gentoo.org/890028
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 scanelf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
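The arithmetic the commit message describes, shown as an added example. This is not pax-utils's code and not the patched check from scanelf.c: the two check functions, the constructed 64-byte buffer standing in for a mapped file, and the counts fed to them are all illustrative. The layout assumed is the SysV DT_HASH header (nbuckets, nchain, then nbuckets bucket words and nchain chain words, each 32 bits wide). The naive check does the multiplication in 32-bit arithmetic, so it also shows the sibling failure where nbuckets + nchain itself wraps before the multiply; the hardened check never multiplies untrusted counts, it compares them against the words that remain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative SysV hash table header (DT_HASH), all 32-bit words:
 *   word 0: nbuckets   word 1: nchain
 *   then nbuckets bucket words, then nchain chain words. */

/* Constructed 64-byte "file" standing in for a mapped ELF section. */
#define FILE_SIZE 64u

static void write_header(uint8_t *buf, uint32_t nbuckets, uint32_t nchain)
{
    memset(buf, 0, FILE_SIZE);
    memcpy(buf, &nbuckets, 4);      /* host byte order, matches the reads below */
    memcpy(buf + 4, &nchain, 4);
}

/* Naive bounds check in 32-bit arithmetic: (nbuckets + nchain) * 4 can wrap
 * to a small value, so an enormous table "fits" and the later reads of
 * buckets[] / chains[] run off the end of the mapping (what ASAN flags). */
static bool hash_fits_naive(const uint8_t *buf, uint32_t size, uint32_t off)
{
    if (off > size || size - off < 8)
        return false;
    uint32_t nbuckets, nchain;
    memcpy(&nbuckets, buf + off, 4);
    memcpy(&nchain, buf + off + 4, 4);
    uint32_t len = 8 + (nbuckets + nchain) * 4;   /* wraps for large counts */
    return off + len <= size;
}

/* Hardened check: compare each untrusted count against the room actually
 * left, expressed in words, instead of multiplying the counts. */
static bool hash_fits_safe(const uint8_t *buf, size_t size, size_t off)
{
    if (off > size || size - off < 8)
        return false;
    uint32_t nbuckets, nchain;
    memcpy(&nbuckets, buf + off, 4);
    memcpy(&nchain, buf + off + 4, 4);
    size_t words_left = (size - off - 8) / 4;
    if (nbuckets > words_left)
        return false;
    return nchain <= words_left - nbuckets;
}

/* Wrappers that build the constructed buffer so a result is one call away. */
bool naive_accepts(uint32_t nbuckets, uint32_t nchain)
{
    uint8_t buf[FILE_SIZE];
    write_header(buf, nbuckets, nchain);
    return hash_fits_naive(buf, FILE_SIZE, 0);
}

bool safe_accepts(uint32_t nbuckets, uint32_t nchain)
{
    uint8_t buf[FILE_SIZE];
    write_header(buf, nbuckets, nchain);
    return hash_fits_safe(buf, FILE_SIZE, 0);
}

int main(void)
{
    struct { uint32_t nb, nc; const char *what; } cases[] = {
        { 3, 5, "small table that fits" },
        { 10, 10, "table honestly too large" },
        { 0x40000000u, 0, "nbuckets*4 wraps to 0" },
        { 0xC0000000u, 0x40000000u, "nbuckets+nchain wraps to 0" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-30s naive=%d safe=%d\n", cases[i].what,
               naive_accepts(cases[i].nb, cases[i].nc),
               safe_accepts(cases[i].nb, cases[i].nc));
    return 0;
}
```

The two wrap cases are the ones to look at: the naive check accepts both because the byte length collapses to 8, while the hardened check rejects them without ever forming a product. Dividing the remaining space by the element size, or doing the arithmetic in a type wider than the on-disk field, are the two standard ways to keep a bounds check honest against attacker-chosen counts.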
Comment 4 SpanKY gentoo-dev 2024-01-25 05:26:13 UTC
(In reply to Agostino Sarubbo from comment #0)
> Created attachment 847774 [details]
> scanelf testcase
> 
> scanelf -s '*' 1.crashes.elf

should be fixed now

(In reply to Agostino Sarubbo from comment #1)
> There is also a crash in dumpelf:
> 
> dumpelf 1.crashes.elf

i can't reproduce this

> ==6304==ERROR: AddressSanitizer: unknown-crash on address 0x7ff4963c7000 at
> pc 0x000000415aaa bp 0x7ffd1fb5c0e0 sp 0x7ffd1fb5c0d8
> READ of size 4 at 0x7ff4963c7000 thread T0
>     #0 0x415aa9 in dump_notes ../pax-utils-1.3.6/dumpelf.c:262

glancing at this line/section, it seems like we already verify the memory is valid before we read it, so not sure what this is tripping on.
Comment 5 Agostino Sarubbo gentoo-dev 2024-01-25 14:04:25 UTC
(In reply to SpanKY from comment #4)
> i can't reproduce this
> 
> > ==6304==ERROR: AddressSanitizer: unknown-crash on address 0x7ff4963c7000 at
> > pc 0x000000415aaa bp 0x7ffd1fb5c0e0 sp 0x7ffd1fb5c0d8
> > READ of size 4 at 0x7ff4963c7000 thread T0
> >     #0 0x415aa9 in dump_notes ../pax-utils-1.3.6/dumpelf.c:262
> 
> glancing at this line/section, it seems like we already verify the memory is
> valid before we read it, so not sure what this is tripping on.

I still can reproduce on -9999 (a1d0123581ede02b54cf2c071507612dde25236c)
Comment 6 SpanKY gentoo-dev 2024-01-25 17:44:09 UTC
let's keep this bug focused on scanelf_file_get_symtabs.  that was distinct, and it's fixed.  the dumpelf stuff is a completely diff codebase, and not really important as it's only a low level curiosity type of thing.  i keep debating whether to include it in the default install.

i can repro one ASAN crash in dumpelf (out of bounds read), but i'm not sure it's a real bug, or it's a 1-byte boundary that ASAN doesn't like.  still poking it.
Comment 7 Larry the Git Cow gentoo-dev 2024-09-22 04:40:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9d250d23d6c2ff3286a8cdbfbe89f2c040b4a20c

commit 9d250d23d6c2ff3286a8cdbfbe89f2c040b4a20c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-22 04:38:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-22 04:40:13 +0000

    app-misc/pax-utils: add 1.3.8
    
    Aliaksei Urbanski (1):
          Fix fuzz-dumpelf test
    
    Daniel Verkamp (1):
          lddtree: use readlink -f for absolute links
    
    David Riley (1):
          lddtree: Add --wrapper-preload
    
    Frederic Cambus (2):
          lddtree: allow lddtree.sh to find Xenocara libraries on OpenBSD.
          README: fix typo: s/peforming/performing.
    
    George Burgess IV (1):
          lddtree: add LD_ARGV0_REL
    
    Mathias Krause (4):
          seccomp: make socket() fail with -ENOSYS
          tests: add basic pspax test
          pspax: fix libcap memory leaks
          meson: avoid using replace() to not unnecessarily bump meson >= 0.58.0
    
    Mike Frysinger (45):
          Revert "paxinc: include <alloca.h> for alloca"
          lddtree: add docstring for all classes
          pylintrc: remove old entries
          github: update to checkout@v3
          lddtree: use f-string in warn message
          lddtree: fix argcomplete typing
          elf.h: pull from latest glibc
          update copyright headers
          dumpelf: use explicit 64-bit to display off_t
          github: disable fuzzing on macOS
          github: update to checkout@v4
          lddtree: use older Python typing style
          lddtree: disable pyelftools pylint import errors
          lddtree: disable mypy import errors
          lddtree: add some more typing info for mypy
          github: add python checkers
          lddtree: raise min version to Python 3.8
          pyproject.toml: add black & isort & mypy settings
          pylintrc: merge into pyproject.toml
          requirements: pin(ish) Python deps that we use to check things
          drop old __BOUNDS_CHECKING_ON support
          fix various typos found w/codespell
          github: add codespell checker
          build: use standard config.h naming
          build: use standard HAVE_xxx define style
          pspax: rework & document get_proc_name
          pspax: replace proc_fopen with fopenat_r
          pspax: fix buffer limiting in cmdline reading
          pspax: fix error handling when reading attr or ipaddr fail
          pspax: switch from fgets to getline
          unify usage() output across all the tools
          ar: handle invalid ascii numbers better
          ar: handle invalid extended filename offsets
          ar: switch from alloca to malloc
          scanelf: fix hashtable overflow checks
          README: update macOS name
          paxelf: reject ELFs with incomplete Ehdr structures
          dumpelf: free elf after fuzzing it to avoid leaking
          sanitizer: fix feature tests under clang
          dumpelf: check dyn pointer before DT_NULL check too
          dumpelf: improve note memory check
          dumpelf: limit note name display
          fuzz-ar: fuzzer for the archive parsing API
          fuzz-dumpelf: fix stats argument
          fuzzer: fix unused setting on argc & argv
    
    Mike Gilbert (1):
          make-seccomp-filters.sh: split cflags/ldflags for libseccomp
    
    Sam James (10):
          Make headers standalone (missing includes, prep for clang-tidy)
          *: IWYU fixes
          *: IWYU fixes deux
          .github: add Alpine CI
          Undo IWYU fixes
          paxinc: include <alloca.h> for alloca
          porting.h: include <stddef.h> for size_t, sort includes
          ci: make tests verbose
          meson.build: prepare for pax-utils-1.3.8
          CI: update muon URL
    
    Takuto Ikuta (1):
          lddtree: keep relativeness of invoked program in elf wrapper
    
    Zach van Rijn (1):
          paxelf: use correct format string
    
    Bug: https://bugs.gentoo.org/890028
    Bug: https://bugs.gentoo.org/890577
    Bug: https://bugs.gentoo.org/890579
    Bug: https://bugs.gentoo.org/922906
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/pax-utils/Manifest               |  1 +
 app-misc/pax-utils/pax-utils-1.3.8.ebuild | 77 +++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)