commit: 8ec3e4da8a051ed983a770b719b10730038474bb Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> AuthorDate: Wed Nov 16 22:19:27 2016 +0000 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> CommitDate: Wed Nov 16 22:19:59 2016 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ec3e4da
sys-apps/sandbox: fix crashes when the system is prelinked #599894 .../sandbox/files/sandbox-2.11-exec-prelink.patch | 107 +++++++++++++++++++++ ...ndbox-2.11-r2.ebuild => sandbox-2.11-r3.ebuild} | 1 + 2 files changed, 108 insertions(+) diff --git a/sys-apps/sandbox/files/sandbox-2.11-exec-prelink.patch b/sys-apps/sandbox/files/sandbox-2.11-exec-prelink.patch new file mode 100644 index 00000000..067824f --- /dev/null +++ b/sys-apps/sandbox/files/sandbox-2.11-exec-prelink.patch @@ -0,0 +1,107 @@ +From 5628d830548e91819953d2d14397170e219df7c6 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vap...@gentoo.org> +Date: Wed, 16 Nov 2016 15:59:28 -0500 +Subject: [PATCH] libsandbox: fix symtab walking with prelinked ELFs + +When prelink runs on an ELF, it moves the string table from right +after the symbol table to the end, and then replaces the string +table with its liblist table. This ends up breaking sandbox's +assumption that the string table always follows the symbol table +leading to prelinked ELFs crashing. + +Update the range check to use the liblist table when available. +Since the prelink code has this logic hardcoded (swapping the +string table for the liblist table), this should be OK for now. + +URL: https://bugs.gentoo.org/599894 +Reported-by: Anders Larsson <anders.gen...@larsson.xyz> +Reported-by: Kenton Groombridge <rustyv...@comcast.net> +Reported-by: Marien Zwart <marien.zw...@gmail.com> +Signed-off-by: Mike Frysinger <vap...@gentoo.org> +--- + libsandbox/wrapper-funcs/__wrapper_exec.c | 39 ++++++++++++++++++++++--------- + 1 file changed, 28 insertions(+), 11 deletions(-) + +diff --git a/libsandbox/wrapper-funcs/__wrapper_exec.c b/libsandbox/wrapper-funcs/__wrapper_exec.c +index d372366c5478..226c0c0f4407 100644 +--- a/libsandbox/wrapper-funcs/__wrapper_exec.c ++++ b/libsandbox/wrapper-funcs/__wrapper_exec.c +@@ -83,8 +83,8 @@ static bool sb_check_exec(const char *filename, char *const argv[]) + ({ \ + Elf##n##_Ehdr *ehdr = (void *)elf; \ + Elf##n##_Phdr *phdr = (void *)(elf + ehdr->e_phoff); \ +- Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0, vhash = 0; \ +- Elf##n##_Off offset, symoff = 0, stroff = 0, hashoff = 0; \ ++ Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0, vhash = 0, vliblist = 0; \ ++ Elf##n##_Off offset, symoff = 0, stroff = 0, hashoff = 0, liblistoff = 0; \ + Elf##n##_Dyn *dyn; \ + Elf##n##_Sym *sym, *symend; \ + uint##n##_t ent_size = 0, str_size = 0; \ +@@ -102,11 +102,12 @@ static bool sb_check_exec(const char *filename, char *const argv[]) + dyn = (void *)(elf + phdr[i].p_offset); \ + while (dyn->d_tag != DT_NULL) { \ + switch (dyn->d_tag) { \ +- case DT_SYMTAB: vsym = dyn->d_un.d_val; break; \ +- case DT_SYMENT: ent_size = dyn->d_un.d_val; break; \ +- case DT_STRTAB: vstr = dyn->d_un.d_val; break; \ +- case DT_STRSZ: str_size = dyn->d_un.d_val; break; \ +- case DT_HASH: vhash = dyn->d_un.d_val; break; \ ++ case DT_SYMTAB: vsym = dyn->d_un.d_val; break; \ ++ case DT_SYMENT: ent_size = dyn->d_un.d_val; break; \ ++ case DT_STRTAB: vstr = dyn->d_un.d_val; break; \ ++ case DT_STRSZ: str_size = dyn->d_un.d_val; break; \ ++ case DT_HASH: vhash = dyn->d_un.d_val; break; \ ++ case DT_GNU_LIBLIST: vliblist = dyn->d_un.d_val; break; \ + } \ + ++dyn; \ + } \ +@@ -126,6 +127,8 @@ static bool sb_check_exec(const char *filename, char *const argv[]) + stroff = offset + (vstr - vaddr); \ + if (vhash >= vaddr && vhash < vaddr + filesz) \ + hashoff = offset + (vhash - vaddr); \ ++ if (vliblist >= vaddr && vliblist < vaddr + filesz) \ ++ liblistoff = offset + (vliblist - vaddr); \ + } \ + \ + /* Finally walk the symbol table. This should generally be fast as \ +@@ -133,19 +136,33 @@ static bool sb_check_exec(const char *filename, char *const argv[]) + * out there do not export any symbols at all. \ + */ \ + if (symoff && stroff) { \ +- /* Hash entries are always 32-bits. */ \ +- uint32_t *hashes = (void *)(elf + hashoff); \ + /* Nowhere is the # of symbols recorded, or the size of the symbol \ + * table. Instead, we do what glibc does: use the sysv hash table \ + * if it exists, else assume that the string table always directly \ + * follows the symbol table. This seems like a poor assumption to \ +- * make, but glibc has gotten by this long. \ ++ * make, but glibc has gotten by this long. See determine_info in \ ++ * glibc's elf/dl-addr.c. \ ++ * \ ++ * Turns out prelink will violate that assumption. Fortunately it \ ++ * will insert its liblist at the same location all the time -- it \ ++ * replaces the string table with its liblist table. \ ++ * \ ++ * Long term, we should behave the same as glibc and walk the gnu \ ++ * hash table first before falling back to the raw symbol table. \ + * \ + * We don't sanity check the ranges here as you aren't executing \ + * corrupt programs in the sandbox. \ + */ \ + sym = (void *)(elf + symoff); \ +- symend = vhash ? (sym + hashes[1]) : (void *)(elf + stroff); \ ++ if (vhash) { \ ++ /* Hash entries are always 32-bits. */ \ ++ uint32_t *hashes = (void *)(elf + hashoff); \ ++ symend = sym + hashes[1]; \ ++ } else if (vliblist) \ ++ symend = (void *)(elf + liblistoff); \ ++ else \ ++ symend = (void *)(elf + stroff); \ ++ \ + while (sym < symend) { \ + char *symname = (void *)(elf + stroff + sym->st_name); \ + if (ELF##n##_ST_VISIBILITY(sym->st_other) == STV_DEFAULT && \ +-- +2.10.2 + diff --git a/sys-apps/sandbox/sandbox-2.11-r2.ebuild b/sys-apps/sandbox/sandbox-2.11-r3.ebuild similarity index 97% rename from sys-apps/sandbox/sandbox-2.11-r2.ebuild rename to sys-apps/sandbox/sandbox-2.11-r3.ebuild index 1319c37..e49dd8c 100644 --- a/sys-apps/sandbox/sandbox-2.11-r2.ebuild +++ b/sys-apps/sandbox/sandbox-2.11-r3.ebuild @@ -34,6 +34,7 @@ sandbox_death_notice() { src_prepare() { epatch "${FILESDIR}"/${P}-execvpe.patch #578516 epatch "${FILESDIR}"/${P}-exec-hash.patch #578524 + epatch "${FILESDIR}"/${P}-exec-prelink.patch #599894 epatch_user }
