Debian Bug report logs - #820335
Segfaults caused by new DT_MIPS_RLD_MAP_REL tag and RPATH removers
Reported by: Mathieu Malaterre <malat@debian.org>
Date: Thu, 7 Apr 2016 13:48:06 UTC
Severity: important
Tags: patch
Found in version chrpath/0.16-1
Fixed in version chrpath/0.16-2
Done: Tollef Fog Heen <tfheen@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#820335; Package src:chrpath.
(Thu, 07 Apr 2016 13:48:09 GMT)
Acknowledgement sent
to Mathieu Malaterre <malat@debian.org>:
New Bug report received and forwarded. Copy sent to Tollef Fog Heen <tfheen@debian.org>.
(Thu, 07 Apr 2016 13:48:09 GMT)
Message #5 received at submit@bugs.debian.org:
Package: src:chrpath
Version: 0.16-1
Hi,
I've managed to find the cause of the openmpi segfault (#818909). It
might affect a number of different packages.
The segfault is caused by the interaction of the
new DT_MIPS_RLD_MAP_REL dynamic tag (from binutils 2.26) and chrpath.
Unlike all other tags, this tag is relative to the offset of the tag
within the executable. chrpath is used to remove rpaths from ELF files.
It does this by moving all of the other dynamic tags up one entry, but
since the DT_MIPS_RLD_MAP_REL is not updated, it now points to an
incorrect offset. The dynamic linker will then overwrite some other
memory when processing the DT_MIPS_RLD_MAP_REL tag.
The openmpi segfault was caused by a global variable being initialized
incorrectly (overwritten by the dynamic linker). I expect other
executables using chrpath will also be affected - possibly in strange
ways (not necessarily a segfault).
It also seems that at least cmake uses the same technique for removing
the RPATH so any cmake reverse dependencies could be affected. The
DT_MIPS_RLD_MAP_REL is only created for executables which limits the
effect of this slightly. Only packages built using binutils
>= 2.25.51.20151014-1 will be affected.
There is a convenient way to test if a package is broken using the
presence of the old DT_MIPS_RLD_MAP tag. When correct,
(DT_MIPS_RLD_MAP_REL + tag offset + executable base address) equals
DT_MIPS_RLD_MAP, so someone could analyze the archive to find which
packages are affected (and if any tools other than chrpath and cmake
are broken).
Based only on chrpath and cmake reverse dependencies, there is an upper
bound of about 1500 binNMUs (after the tools are fixed). Hopefully
that can be reduced!
I really don't have any time to fix all this. Please can someone else
have a look!
OpenMPI maintainers (and anyone else affected):
One possible workaround is to use chrpath -r "" <file> on mips*
architectures until this is fixed since that command does not cause any
tags to be moved. It has a tiny performance penalty but should
otherwise work properly.
James
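The consistency test described in the message above, as an added example (not code from chrpath or from the report). It models a 32-bit, host-endian dynamic table in memory; the names dyn32, rld_map_consistent, kill_rpath and demo, and the addresses in the sample table, are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Tag numbers as found in <elf.h>, defined locally so the example builds anywhere. */
enum { DT_NULL = 0, DT_NEEDED = 1, DT_RPATH = 15,
       DT_MIPS_RLD_MAP = 0x70000016, DT_MIPS_RLD_MAP_REL = 0x70000035 };
typedef struct { int32_t d_tag; uint32_t d_val; } dyn32; /* same layout as Elf32_Dyn */

/* The report's test: DT_MIPS_RLD_MAP_REL + address of its own entry must equal
   DT_MIPS_RLD_MAP. dyn_vaddr is the address of entry 0 (base + section offset).
   Returns 1 if consistent, 0 if not, -1 if either tag is missing. */
int rld_map_consistent(const dyn32 *d, uint32_t dyn_vaddr) {
    uint32_t map = 0, target = 0;
    int have_map = 0, have_rel = 0;
    for (size_t i = 0; d[i].d_tag != DT_NULL; i++) {
        if (d[i].d_tag == DT_MIPS_RLD_MAP) { map = d[i].d_val; have_map = 1; }
        if (d[i].d_tag == DT_MIPS_RLD_MAP_REL) {
            target = dyn_vaddr + (uint32_t)(i * sizeof(dyn32)) + d[i].d_val;
            have_rel = 1;
        }
    }
    return (have_map && have_rel) ? (map == target) : -1;
}

/* Remove DT_RPATH by moving later entries up one slot. With adjust == 0 the
   relative tag is copied unchanged; with adjust != 0 it grows by the distance moved. */
void kill_rpath(dyn32 *d, int adjust) {
    size_t i, pos = 0;
    for (i = 0; d[i].d_tag != DT_NULL; i++) {
        d[pos] = d[i];
        if (adjust && d[i].d_tag == DT_MIPS_RLD_MAP_REL)
            d[pos].d_val += (uint32_t)((i - pos) * sizeof(dyn32));
        if (d[i].d_tag != DT_RPATH) pos++;
    }
    for (; pos <= i; pos++) { d[pos].d_tag = DT_NULL; d[pos].d_val = 0; }
}

/* Constructed table: dynamic section at 0x00400200, debug map pointer at 0x00410000. */
int demo(int strip, int adjust) {
    dyn32 d[] = { {DT_NEEDED, 1}, {DT_RPATH, 0x20}, {DT_MIPS_RLD_MAP, 0x00410000},
                  {DT_MIPS_RLD_MAP_REL, 0xFDE8}, {DT_NULL, 0} };
    if (strip) kill_rpath(d, adjust);
    return rld_map_consistent(d, 0x00400200);
}

int main(void) {
    printf("untouched=%d shifted=%d shifted+adjusted=%d\n", demo(0, 0), demo(1, 0), demo(1, 1));
    return 0;
}
```

On a real file the address of entry 0 comes from the PT_DYNAMIC program header, and the values must be read in the file's byte order and word size.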
Added indication that bug 820335 blocks 818909
Request was from Mathieu Malaterre <malat@debian.org>
to control@bugs.debian.org.
(Thu, 07 Apr 2016 13:51:10 GMT)
Severity set to 'important' from 'normal'
Request was from Mathieu Malaterre <malat@debian.org>
to control@bugs.debian.org.
(Thu, 07 Apr 2016 13:51:11 GMT)
Added indication that 820335 affects src:openmpi
Request was from Mathieu Malaterre <malat@debian.org>
to control@bugs.debian.org.
(Fri, 08 Apr 2016 08:33:04 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#820335; Package src:chrpath.
(Fri, 08 Apr 2016 17:57:06 GMT)
Acknowledgement sent
to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>.
(Fri, 08 Apr 2016 17:57:06 GMT)
Message #16 received at 820335@bugs.debian.org:
control: tag -1 + patch
On 2016-04-07 15:46, Mathieu Malaterre wrote:
> Package: src:chrpath
> Version: 0.16-1
>
> Hi,
>
> I've managed to find the cause of the openmpi segfault (#818909). It
> might affect a number of different packages.
>
> The segfault is caused by the interaction of the
> new DT_MIPS_RLD_MAP_REL dynamic tag (from binutils 2.26) and chrpath.
> Unlike all other tags, this tag is relative to the offset of the tag
> within the executable. chrpath is used to remove rpaths from ELF files.
> It does this by moving all of the other dynamic tags up one entry, but
> since the DT_MIPS_RLD_MAP_REL is not updated, it now points to an
> incorrect offset. The dynamic linker will then overwrite some other
> memory when processing the DT_MIPS_RLD_MAP_REL tag.
Please find below a patch to correctly handle this tag in chrpath. If
you are fine with the patch, a quick upload would be appreciated as
chrpath currently generates broken binaries. Thanks!
Aurelien
--- chrpath-0.16.orig/killrpath.c
+++ chrpath-0.16/killrpath.c
@@ -73,10 +73,26 @@
dynpos = 0;
for (i = 0; DYNSS(i, d_tag) != DT_NULL; i++)
{
- if (is_e32())
+ if (is_e32()) {
((Elf32_Dyn *)dyns)[dynpos] = ((Elf32_Dyn *)dyns)[i];
- else
+#ifdef DT_MIPS_RLD_MAP_REL
+ /* DT_MIPS_RLD_MAP_REL is relative to the offset of the tag.
+ Adjust it consequently. */
+ if (DYNSS(i, d_tag) == DT_MIPS_RLD_MAP_REL)
+ ((Elf32_Dyn *)dyns)[dynpos].d_un.d_val =
+ DO_SWAPU32(DYNSU(i, d_un.d_val) +
+ (i - dynpos) * sizeof(Elf32_Dyn));
+#endif
+ } else {
((Elf64_Dyn *)dyns)[dynpos] = ((Elf64_Dyn *)dyns)[i];
+#ifdef DT_MIPS_RLD_MAP_REL
+ /* Ditto */
+ if (DYNSS(i, d_tag) == DT_MIPS_RLD_MAP_REL)
+ ((Elf64_Dyn *)dyns)[dynpos].d_un.d_val =
+ DO_SWAPU64(DYNSU(i, d_un.d_val) +
+ (i - dynpos) * sizeof(Elf64_Dyn));
+#endif
+ }
if ( ! elf_dynpath_tag(DYNSS(i, d_tag)) )
dynpos++;
}
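Review bot: The #ifdef DT_MIPS_RLD_MAP_REL guards around both the Elf32 and Elf64 adjustments make the fix depend on the build host's <elf.h>: where the header lacks the macro, the entry is still copied to a lower slot by the unchanged assignment above each guard, but its value is never corrected, and the build gives no warning. Provide a fallback definition ahead of the loop (#ifndef DT_MIPS_RLD_MAP_REL / #define DT_MIPS_RLD_MAP_REL 0x70000035 / #endif) and drop the guards so the adjustment is always compiled in. The tag comparison is also made without looking at the file's machine type; the value sits in the processor-specific tag range, so restricting it to MIPS objects would avoid rewriting an unrelated tag with the same number in a non-MIPS file.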
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
Added tag(s) patch.
Request was from Aurelien Jarno <aurelien@aurel32.net>
to 820335-submit@bugs.debian.org.
(Fri, 08 Apr 2016 17:57:06 GMT)
Reply sent
to Tollef Fog Heen <tfheen@debian.org>:
You have taken responsibility.
(Sat, 09 Apr 2016 10:42:04 GMT)
Notification sent
to Mathieu Malaterre <malat@debian.org>:
Bug acknowledged by developer.
(Sat, 09 Apr 2016 10:42:05 GMT)
Message #23 received at 820335-close@bugs.debian.org:
Source: chrpath
Source-Version: 0.16-2
We believe that the bug you reported is fixed in the latest version of
chrpath, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 820335@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tollef Fog Heen <tfheen@debian.org> (supplier of updated chrpath package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 09 Apr 2016 10:20:53 +0200
Source: chrpath
Binary: chrpath
Architecture: source amd64
Version: 0.16-2
Distribution: unstable
Urgency: medium
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Changed-By: Tollef Fog Heen <tfheen@debian.org>
Description:
chrpath - Tool to edit the rpath in ELF binaries
Closes: 820335
Changes:
chrpath (0.16-2) unstable; urgency=medium
.
* Handle DT_MIPS_RLD_MAP_REL on MIPS. Thanks to Aurelien Jarno for the
patch. Closes: #820335.
Information forwarded
to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#820335; Package src:chrpath.
(Fri, 15 Apr 2016 23:12:03 GMT)
Acknowledgement sent
to "Maciej W. Rozycki" <macro@imgtec.com>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>.
(Fri, 15 Apr 2016 23:12:04 GMT)
Message #28 received at 820335@bugs.debian.org:
Aurelien,
I think you need:
#ifndef DT_MIPS_RLD_MAP_REL
#define DT_MIPS_RLD_MAP_REL 0x70000035
#endif
or suchlike instead, or otherwise, if built on an old system, the program
will still corrupt binaries.
FWIW,
Maciej
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 14 May 2016 07:34:50 GMT)