commit:     7e17e5572bda4281b90959cf8999dc95dfe21c6b
Author:     Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 19 10:02:47 2017 +0000
Commit:     Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
CommitDate: Sat Aug 19 10:11:55 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e17e557

app-misc/pax-utils: fix crash on ia64 TEXTRELs, bug #624356

Bug: https://bugs.gentoo.org/624356
Package-Manager: Portage-2.3.8, Repoman-2.3.3

 ...-scanelf-fix-out-of-bounds-access-in-ia64.patch | 72 ++++++++++++++++++++++
 app-misc/pax-utils/pax-utils-1.2.2-r1.ebuild       | 58 +++++++++++++++++
 2 files changed, 130 insertions(+)

diff --git 
a/app-misc/pax-utils/files/pax-utils-1.2.2-scanelf-fix-out-of-bounds-access-in-ia64.patch
 
b/app-misc/pax-utils/files/pax-utils-1.2.2-scanelf-fix-out-of-bounds-access-in-ia64.patch
new file mode 100644
index 00000000000..1fa5c3187e5
--- /dev/null
+++ 
b/app-misc/pax-utils/files/pax-utils-1.2.2-scanelf-fix-out-of-bounds-access-in-ia64.patch
@@ -0,0 +1,72 @@
+From e95103c40d0541fbcdb4b84b000832d9b1b83b8d Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <sly...@gentoo.org>
+Date: Sat, 19 Aug 2017 10:34:41 +0100
+Subject: [PATCH] scanelf: fix out-of-bounds access in ia64
+
+commit 2eb852129394f97dae89c0ff1f9f48637edcb0e9
+slightly changed decoder and added unchecked
+read from elf header:
+
+```
+       switch (EGET(dpltrel->d_un.d_val)) { \
+       case DT_REL: \
+               rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \
+```
+
+On ia64 'EGET(drel->d_un.d_val)' returns absolute address:
+
+```
+    $ dumpelf bug/luatex
+    ...
+    /* Dynamic tag #31 'DT_RELA' 0x97E310 */
+    {
+        .d_tag     = 0x7        ,
+        .d_un      = {
+                .d_val = 0x4000000000031C30 ,
+                .d_ptr = 0x4000000000031C30 ,
+        },
+    },
+```
+
+That causes 'scanelf' crash on binaries like 'luatex'.
+
+This change restores check and loudly skips such sections:
+    scanelf: bug/luatex: DT_RELA is out of file range
+
+Bug: https://bugs.gentoo.org/624356
+Signed-off-by: Sergei Trofimovich <sly...@gentoo.org>
+---
+ scanelf.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/scanelf.c b/scanelf.c
+index 1ead891..a054408 100644
+--- a/scanelf.c
++++ b/scanelf.c
+@@ -607,11 +607,23 @@ static char *scanelf_file_textrels(elfobj *elf, char 
*found_textrels, char *foun
+       } \
+       switch (EGET(dpltrel->d_un.d_val)) { \
+       case DT_REL: \
++              if (EGET(drel->d_un.d_val) >= (uint64_t)elf->len - sizeof 
(drel->d_un.d_val)) { \
++                      rel = NULL; \
++                      rela = NULL; \
++                      warn("%s: DT_REL is out of file range", elf->filename); 
\
++                      break; \
++              } \
+               rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \
+               rela = NULL; \
+               pltrel = DT_REL; \
+               break; \
+       case DT_RELA: \
++              if (EGET(drel->d_un.d_val) >= (uint64_t)elf->len - sizeof 
(drel->d_un.d_val)) { \
++                      rel = NULL; \
++                      rela = NULL; \
++                      warn("%s: DT_RELA is out of file range", 
elf->filename); \
++                      break; \
++              } \
+               rel = NULL; \
+               rela = RELA##B(elf->vdata + EGET(drel->d_un.d_val)); \
+               pltrel = DT_RELA; \
+-- 
+2.14.1
+
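Review bot: The guard added before the `rel = REL##B(...)` and `rela = RELA##B(...)` lines bounds only the start offset of the relocation table against `elf->len`, not the table's extent; if the entry loop later in scanelf_file_textrels walks a DT_RELSZ/DT_RELASZ-derived count, a start offset inside the file paired with an oversized count could still read past `elf->len`. That loop and the rest of the macro body are outside the hunk, so whether a later check covers it is not visible here. The expression `(uint64_t)elf->len - sizeof(drel->d_un.d_val)` also wraps if `elf->len` is smaller than the subtrahend; presumably the ELF header size has already been validated against `elf->len` before this code runs, but a comment stating that assumption would help. The DT_REL and DT_RELA checks are identical apart from the message text, and neither says why an offset field can be out of range; a comment on the first such as `/* d_val may be an absolute address (seen on ia64), not a file offset; skip rather than index past the mapping */` would capture the reason given in the patch description.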

diff --git a/app-misc/pax-utils/pax-utils-1.2.2-r1.ebuild 
b/app-misc/pax-utils/pax-utils-1.2.2-r1.ebuild
new file mode 100644
index 00000000000..ba368f7be67
--- /dev/null
+++ b/app-misc/pax-utils/pax-utils-1.2.2-r1.ebuild
@@ -0,0 +1,58 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit eutils toolchain-funcs unpacker
+
+DESCRIPTION="ELF utils that can check files for security relevant properties"
+HOMEPAGE="https://wiki.gentoo.org/index.php?title=Project:Hardened/PaX_Utilities";
+SRC_URI="mirror://gentoo/${P}.tar.xz
+       https://dev.gentoo.org/~vapier/dist/${P}.tar.xz";
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 
~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x86-linux 
~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris 
~x86-solaris"
+IUSE="caps debug python seccomp"
+
+RDEPEND="caps? ( >=sys-libs/libcap-2.24 )
+       python? ( dev-python/pyelftools )
+       seccomp? ( sys-libs/libseccomp )"
+DEPEND="${RDEPEND}
+       caps? ( virtual/pkgconfig )
+       seccomp? ( virtual/pkgconfig )
+       app-arch/xz-utils"
+
+PATCHES=("${FILESDIR}"/${P}-scanelf-fix-out-of-bounds-access-in-ia64.patch)
+
+_emake() {
+       emake \
+               USE_CAP=$(usex caps) \
+               USE_DEBUG=$(usex debug) \
+               USE_PYTHON=$(usex python) \
+               USE_SECCOMP=$(usex seccomp) \
+               "$@"
+}
+
+src_configure() {
+       # Avoid slow configure+gnulib+make if on an up-to-date Linux system
+       if use prefix || ! use kernel_linux || \
+          has_version '<sys-libs/glibc-2.10'
+       then
+               econf $(use_with caps) $(use_with debug) $(use_with python) 
$(use_with seccomp)
+       else
+               tc-export CC PKG_CONFIG
+       fi
+}
+
+src_compile() {
+       _emake
+}
+
+src_test() {
+       _emake check
+}
+
+src_install() {
+       _emake DESTDIR="${D}" PKGDOCDIR='$(DOCDIR)'/${PF} install
+}
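Review bot: The `PATCHES` entry carries no note of what it fixes or when it can be dropped; a one-line comment above it such as `# bug #624356: scanelf crashed on ia64 binaries whose DT_REL/DT_RELA offset is an absolute address; upstream commit e95103c4` would let a later version bump decide whether the patch is still needed. The `src_configure` fast path that skips `econf` on current Linux hosts has its rationale comment, but the `has_version '<sys-libs/glibc-2.10'` condition could state that the configure run is only needed for the gnulib fallbacks, so the threshold is not mistaken for an arbitrary value.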
