Bug#941559: libxvidcore4: immediately crashes on amd64 since binNMU

2019-10-02 Thread James Cowgill
Hi,

On 02/10/2019 11:47, Fabian Greffrath wrote:
> Hi James,
> 
> On 02.10.2019 01:45, James Cowgill wrote:
>> Indeed readelf contains some non-executable program headers in
>> 2:1.3.5-1+b1 which do not appear in 2:1.3.5-1 in buster. The
>> ".rotext" section sounds suspicious.
> 
> Indeed, the check_cpu_feature() function is defined in
> src/utils/x86_asm/cpuid.asm [1] which includes src/nasm.inc, which in
> turn declares a .rotext section [2] for any other output format than
> macho32 and macho64.
> 
> It would probably be best to patch this by simply declaring a .text
> section for all output formats. The question remains, however, why this
> is an issue now but not when xvidcore_2:1.3.5-1 was uploaded?

I had a play around and I think this is caused by the "-z separate-code"
option being enabled by default in binutils >= 2.31. With that option
binutils will put "text" and "rodata" into different segments.
Previously it bundled both of those (along with any other read only
data) into a single executable segment.

Second bullet point in the announcement:
https://sourceware.org/ml/binutils/2018-07/msg00213.html

In theory that also means the bug affects buster if the package is ever
rebuilt / updated there.

James





Bug#941559: libxvidcore4: immediately crashes on amd64 since binNMU

2019-10-02 Thread Fabian Greffrath

Hi James,

On 02.10.2019 01:45, James Cowgill wrote:

> Indeed readelf contains some non-executable program headers in
> 2:1.3.5-1+b1 which do not appear in 2:1.3.5-1 in buster. The
> ".rotext" section sounds suspicious.

Indeed, the check_cpu_feature() function is defined in
src/utils/x86_asm/cpuid.asm [1] which includes src/nasm.inc, which in
turn declares a .rotext section [2] for any other output format than
macho32 and macho64.

It would probably be best to patch this by simply declaring a .text
section for all output formats. The question remains, however, why this
is an issue now but not when xvidcore_2:1.3.5-1 was uploaded?


 - Fabian

[1] https://sources.debian.org/src/xvidcore/2:1.3.5-1/src/utils/x86_asm/cpuid.asm/?hl=94#L94

[2] https://sources.debian.org/src/xvidcore/2:1.3.5-1/src/nasm.inc/#L177



Bug#941559: libxvidcore4: immediately crashes on amd64 since binNMU

2019-10-01 Thread James Cowgill
Package: libxvidcore4
Version: 2:1.3.5-1
Severity: grave
Tags: sid bullseye

Hi,

Just over a month ago xvidcore was binNMUed and this seems to have
triggered a bug somewhere and now any application which tries to
initialize libxvidcore will segfault.

Test app:

#include <stddef.h>   /* NULL */
#include <xvid.h>     /* xvid_gbl_init_t, xvid_global(), XVID_GBL_INIT */

int main(void)
{
    /* Minimal global initialisation; libxvidcore probes the CPU here. */
    xvid_gbl_init_t init = {
        .version = XVID_VERSION,
        .cpu_flags = 0,
        .debug = 0,
    };
    xvid_global(NULL, XVID_GBL_INIT, &init, NULL);
    return 0;
}

$ gcc -o xvid-test xvid-test.c -lxvidcore
$ ./xvid-test 
Segmentation fault (core dumped)

The crash happens here:
Program received signal SIGSEGV, Segmentation fault.
0x77f22940 in check_cpu_features () from 
/usr/lib/x86_64-linux-gnu/libxvidcore.so.4
(gdb) bt
#0  0x77f22940 in check_cpu_features () from 
/usr/lib/x86_64-linux-gnu/libxvidcore.so.4
#1  0x77e9c15b in detect_cpu_flags () at ../../src/xvid.c:156
#2  0x77e9d265 in xvid_gbl_init (init=0x7fffdee4, 
init=0x7fffdee4) at ../../src/xvid.c:793
#3  xvid_global (handle=, opt=, 
param1=0x7fffdee4, param2=) at ../../src/xvid.c:816
#4  0x516d in main ()

Which in turn seems to happen because the check_cpu_features function is
in a non-executable read only memory region.

$ /proc/4658/maps
[...]
77e87000-77e8b000 rw-p  00:00 0 
77e8b000-77e8d000 r--p  fd:00 954232 
/usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3
77e8d000-77ef5000 r-xp 2000 fd:00 954232 
/usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3
[vvv]
77ef5000-77f2b000 r--p 0006a000 fd:00 954232 
/usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3
[^^^]
77f2b000-77f2c000 r--p 0009f000 fd:00 954232 
/usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3
77f2c000-77f36000 rw-p 000a fd:00 954232 
/usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3
77f36000-77fa1000 rw-p  00:00 0 
[...]

Indeed readelf contains some non-executable program headers in
2:1.3.5-1+b1 which do not appear in 2:1.3.5-1 in buster. The
".rotext" section sounds suspicious.

2:1.3.5-1+b1:
$ readelf -l /usr/lib/x86_64-linux-gnu/libxvidcore.so.4
[...]
Program Headers:
  Type   Offset VirtAddr   PhysAddr
 FileSizMemSiz  Flags  Align
  LOAD   0x 0x 0x
 0x18a8 0x18a8  R  0x1000
  LOAD   0x2000 0x2000 0x2000
 0x000673c9 0x000673c9  R E0x1000
  LOAD   0x0006a000 0x0006a000 0x0006a000
 0x00035088 0x00035088  R  0x1000
  LOAD   0x0009fb90 0x000a0b90 0x000a0b90
 0x98d0 0x00073138  RW 0x1000
[...]
   00 .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version 
.gnu.version_r .rela.dyn .rela.plt 
   01 .init .plt .plt.got .text .fini 
   02 .rodata .rotext .eh_frame_hdr .eh_frame 
   03 .init_array .fini_array .data.rel.ro .dynamic .got .data .bss 

2:1.3.5-1:
$ readelf -l /usr/lib/x86_64-linux-gnu/libxvidcore.so.4
[...]
Program Headers:
  Type   Offset VirtAddr   PhysAddr
 FileSizMemSiz  Flags  Align
  LOAD   0x 0x 0x
 0x0009da50 0x0009da50  R E0x20
  LOAD   0x0009db90 0x0029db90 0x0029db90
 0x98d0 0x00073138  RW 0x20
[...]
   00 .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version 
.gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata 
.rotext .eh_frame_hdr .eh_frame 
   01 .init_array .fini_array .data.rel.ro .dynamic .got .data .bss 

James
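The failure mode described in this report and explained in James's later reply (a code-carrying section, NASM's .rotext, placed by the linker into a read-only but non-executable PT_LOAD segment once binutils defaulted to -z separate-code) is visible in the readelf -l output above before anything is ever run. The following Python script is an added example and is not code from the bug report or from the xvidcore project: it parses the program headers and the section-to-segment mapping printed by readelf -l and lists every code-like section that landed in a segment without the E flag. The two sample inputs are copied from the readelf output in the report; the section-name heuristic in looks_like_code is this example's own assumption about the usual GNU/ELF layout.

```python
"""Flag code sections mapped into non-executable PT_LOAD segments.

Parses the text output of `readelf -l` (as posted in this bug report), so
it needs no ELF library. The section-name heuristic is this example's own.
"""
import re
import subprocess
import sys

# First line of a program header entry, e.g. "LOAD  0x... 0x... 0x...".
_PHDR_RE = re.compile(r"^\s*([A-Z_]+)\s+0x")
# Second line: FileSiz MemSiz Flags Align. Tolerates real readelf spacing
# ("R E    0x1000") and the squashed copy in the report ("R E0x1000").
_SIZES_RE = re.compile(
    r"^\s*0x[0-9a-fA-F]*\s+0x[0-9a-fA-F]*\s+([RWE ]+?)\s*0x[0-9a-fA-F]+\s*$")
# "Section to Segment mapping" line: two-digit segment index, then names.
_MAP_RE = re.compile(r"^\s*(\d{2})\s+(\.\S.*)$")
# Wrapped continuation of a mapping line (begins with a section name).
_MAP_CONT_RE = re.compile(r"^\s*(\.\S.*)$")

# Sections that carry machine code in the usual GNU/ELF layout (assumption).
_KNOWN_CODE = {".text", ".init", ".fini", ".plt", ".plt.got", ".plt.sec"}


def looks_like_code(section):
    """True for .text, .text.*, .plt, and oddities such as NASM's .rotext."""
    return (section in _KNOWN_CODE or section.startswith(".text")
            or section.endswith("text"))


def parse_readelf_l(text):
    """Return (flags, sections): flags[i] is e.g. "RE" for segment i and
    sections[i] is the list of section names mapped into segment i."""
    flags, sections = [], {}
    expect_sizes, current = False, None
    for line in text.splitlines():
        m = _SIZES_RE.match(line) if expect_sizes else None
        if m:
            flags.append(m.group(1).replace(" ", ""))
            expect_sizes = False
            continue
        if _PHDR_RE.match(line):
            expect_sizes = True          # next matching line holds Flags
            continue
        m = _MAP_RE.match(line)
        if m:
            current = int(m.group(1))
            sections[current] = m.group(2).split()
            continue
        m = _MAP_CONT_RE.match(line)
        if m and current is not None:
            sections[current].extend(m.group(1).split())
    return flags, sections


def find_nonexec_code(text):
    """List (section, segment index, flags) for code sections whose segment
    lacks the E flag, i.e. code that will SIGSEGV on its first instruction."""
    flags, sections = parse_readelf_l(text)
    findings = []
    for idx in sorted(sections):
        seg = flags[idx] if idx < len(flags) else "?"
        findings += [(name, idx, seg) for name in sections[idx]
                     if looks_like_code(name) and "E" not in seg]
    return findings


# Sample inputs copied from the readelf -l output in the bug report.
SAMPLE_B1 = """\
  LOAD   0x 0x 0x
 0x18a8 0x18a8  R  0x1000
  LOAD   0x2000 0x2000 0x2000
 0x000673c9 0x000673c9  R E0x1000
  LOAD   0x0006a000 0x0006a000 0x0006a000
 0x00035088 0x00035088  R  0x1000
  LOAD   0x0009fb90 0x000a0b90 0x000a0b90
 0x98d0 0x00073138  RW 0x1000
   00 .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version
.gnu.version_r .rela.dyn .rela.plt
   01 .init .plt .plt.got .text .fini
   02 .rodata .rotext .eh_frame_hdr .eh_frame
   03 .init_array .fini_array .data.rel.ro .dynamic .got .data .bss
"""
SAMPLE_BUSTER = """\
  LOAD   0x 0x 0x
 0x0009da50 0x0009da50  R E0x20
  LOAD   0x0009db90 0x0029db90 0x0029db90
 0x98d0 0x00073138  RW 0x20
   00 .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version
.gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata
.rotext .eh_frame_hdr .eh_frame
   01 .init_array .fini_array .data.rel.ro .dynamic .got .data .bss
"""

if __name__ == "__main__":
    # With a path argument the script runs readelf -l on that file itself;
    # without one it checks the two samples from the report.
    if len(sys.argv) > 1:
        out = subprocess.run(["readelf", "-l", sys.argv[1]], check=True,
                             capture_output=True, text=True).stdout
        inputs = {sys.argv[1]: out}
    else:
        inputs = {"2:1.3.5-1+b1": SAMPLE_B1, "2:1.3.5-1": SAMPLE_BUSTER}
    for label, text in inputs.items():
        print(label, find_nonexec_code(text) or "no code in non-exec segment")
```

Run without arguments it reports .rotext in segment 02 (flags R) for the +b1 build and nothing for the buster build, matching the two listings above; run as `python3 check_rotext.py /usr/lib/x86_64-linux-gnu/libxvidcore.so.4` it performs the same check on an installed library, which makes it a cheap post-build sanity test for any package that ships hand-written assembly with non-standard section names.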


