Problem with patchelf and some security features #6

quantheory · 2013-03-09T09:18:50Z

There appears to be a problem with patchelf in hardened Gentoo. The problem is due to the "hole" put in some files, which is done in as described in this comment:

"As a workaround, make sure that the virtual address of our new
PT_LOAD segment relative to the first PT_LOAD segment is equal
to its offset"

In most cases this hole is getting very large (~18MB) and exceeds the maxSize, causing growFile to error out. It's not clear to me what specific feature is causing this. (ASLR is a common cause of bugs.)

jlec · 2013-03-09T10:09:17Z

It happens when running the test suite.
Please see downstream bug report:
https://bugs.gentoo.org/show_bug.cgi?id=455454

domenkozar · 2020-06-09T13:40:23Z

Closing as too old.

Otherwise, patchelf segfaults when it encounters DT_NEEDED in the read garbage. Corresponding backtrace is: #0 0x00007ffff7c275f7 in __strlen_avx2 () from /nix/store/cvr0kjg2q7z2wwhjblx6c73rv422k8cm-glibc-2.33-47/lib/libc.so.6 NixOS#1 0x00007ffff7f2d448 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) () from /nix/store/lg104nh0szci8slz5z6494m457jm5y3p-gcc-10.3.0-lib/lib/libstdc++.so.6 NixOS#2 0x000000000040fe0f in ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short>::modifyRPath (this=0x7fffffffbaa0, op=ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short>::rpPrint, allowedRpathPrefixes=std::vector of length 0, capacity 0, newRPath="") at patchelf.cc:1351 NixOS#3 0x00000000004061c3 in patchElf2<ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short> > (elfFile=..., fileContents=std::shared_ptr<std::vector<unsigned char, std::allocator<unsigned char> >> (use count 3, weak count 0) = {...}, fileName="libsystemd.debug") at patchelf.cc:1805 NixOS#4 0x0000000000404774 in patchElf () at patchelf.cc:1848 NixOS#5 0x000000000040551c in mainWrapped (argc=3, argv=0x7fffffffc148) at patchelf.cc:2003 NixOS#6 0x0000000000405913 in main (argc=3, argv=0x7fffffffc148) at patchelf.cc:2011 NOBIT sections are included in the section headers table but occupy no actual space in the file. .dynamic sections of this types are created, for example, by `strip --only-keep-debug`. I'm not sure whether calling error() would be more appropriate than ignoring this situation with debug/return. I chose ignoring it, because error() caused autoPatchelfHook to fail with my package. Also the rest of modifyRPath method simply calls debug/return in similar situations.

Otherwise, patchelf segfaults when it encounters DT_NEEDED in the read garbage. Corresponding backtrace is: #0 0x00007ffff7c275f7 in __strlen_avx2 () from /nix/store/cvr0kjg2q7z2wwhjblx6c73rv422k8cm-glibc-2.33-47/lib/libc.so.6 #1 0x00007ffff7f2d448 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) () from /nix/store/lg104nh0szci8slz5z6494m457jm5y3p-gcc-10.3.0-lib/lib/libstdc++.so.6 #2 0x000000000040fe0f in ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short>::modifyRPath (this=0x7fffffffbaa0, op=ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short>::rpPrint, allowedRpathPrefixes=std::vector of length 0, capacity 0, newRPath="") at patchelf.cc:1351 #3 0x00000000004061c3 in patchElf2<ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short> > (elfFile=..., fileContents=std::shared_ptr<std::vector<unsigned char, std::allocator<unsigned char> >> (use count 3, weak count 0) = {...}, fileName="libsystemd.debug") at patchelf.cc:1805 #4 0x0000000000404774 in patchElf () at patchelf.cc:1848 #5 0x000000000040551c in mainWrapped (argc=3, argv=0x7fffffffc148) at patchelf.cc:2003 #6 0x0000000000405913 in main (argc=3, argv=0x7fffffffc148) at patchelf.cc:2011 NOBIT sections are included in the section headers table but occupy no actual space in the file. .dynamic sections of this types are created, for example, by `strip --only-keep-debug`. I'm not sure whether calling error() would be more appropriate than ignoring this situation with debug/return. I chose ignoring it, because error() caused autoPatchelfHook to fail with my package. Also the rest of modifyRPath method simply calls debug/return in similar situations.

Otherwise, patchelf segfaults when it encounters DT_NEEDED in the read garbage. Corresponding backtrace is: #0 0x00007ffff7c275f7 in __strlen_avx2 () from /nix/store/cvr0kjg2q7z2wwhjblx6c73rv422k8cm-glibc-2.33-47/lib/libc.so.6 NixOS#1 0x00007ffff7f2d448 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) () from /nix/store/lg104nh0szci8slz5z6494m457jm5y3p-gcc-10.3.0-lib/lib/libstdc++.so.6 NixOS#2 0x000000000040fe0f in ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short>::modifyRPath (this=0x7fffffffbaa0, op=ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short>::rpPrint, allowedRpathPrefixes=std::vector of length 0, capacity 0, newRPath="") at patchelf.cc:1351 NixOS#3 0x00000000004061c3 in patchElf2<ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short> > (elfFile=..., fileContents=std::shared_ptr<std::vector<unsigned char, std::allocator<unsigned char> >> (use count 3, weak count 0) = {...}, fileName="libsystemd.debug") at patchelf.cc:1805 NixOS#4 0x0000000000404774 in patchElf () at patchelf.cc:1848 NixOS#5 0x000000000040551c in mainWrapped (argc=3, argv=0x7fffffffc148) at patchelf.cc:2003 NixOS#6 0x0000000000405913 in main (argc=3, argv=0x7fffffffc148) at patchelf.cc:2011 NOBIT sections are included in the section headers table but occupy no actual space in the file. .dynamic sections of this types are created, for example, by `strip --only-keep-debug`. I'm not sure whether calling error() would be more appropriate than ignoring this situation with debug/return. I chose ignoring it, because error() caused autoPatchelfHook to fail with my package. Also the rest of modifyRPath method simply calls debug/return in similar situations.

domenkozar closed this as completed Jun 9, 2020

xiaoxiaoafeifei mentioned this issue Oct 26, 2022

Fix Out-of-bounds read in the function modifyRPath #419

Merged

yairKoskas mentioned this issue Dec 27, 2022

Fix Out-of-bounds read in the function modifySoname #451

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Problem with patchelf and some security features #6

Problem with patchelf and some security features #6

quantheory commented Mar 9, 2013

jlec commented Mar 9, 2013

domenkozar commented Jun 9, 2020

Problem with patchelf and some security features #6

Problem with patchelf and some security features #6

Comments

quantheory commented Mar 9, 2013

jlec commented Mar 9, 2013

domenkozar commented Jun 9, 2020