From 7e17e5572bda4281b90959cf8999dc95dfe21c6b Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich
Date: Sat, 19 Aug 2017 11:02:47 +0100
Subject: app-misc/pax-utils: fix crash on ia64 TEXTRELs, bug #624356

Bug: https://bugs.gentoo.org/624356
Package-Manager: Portage-2.3.8, Repoman-2.3.3
---
 ...-scanelf-fix-out-of-bounds-access-in-ia64.patch | 72 ++++++++++++++++++++++
 app-misc/pax-utils/pax-utils-1.2.2-r1.ebuild | 58 +++++++++++++++++
 2 files changed, 130 insertions(+)
 create mode 100644 app-misc/pax-utils/files/pax-utils-1.2.2-scanelf-fix-out-of-bounds-access-in-ia64.patch
 create mode 100644 app-misc/pax-utils/pax-utils-1.2.2-r1.ebuild
(limited to 'app-misc')
diff --git a/app-misc/pax-utils/files/pax-utils-1.2.2-scanelf-fix-out-of-bounds-access-in-ia64.patch b/app-misc/pax-utils/files/pax-utils-1.2.2-scanelf-fix-out-of-bounds-access-in-ia64.patch
new file mode 100644
index 000000000000..1fa5c3187e5a
--- /dev/null
+++ b/app-misc/pax-utils/files/pax-utils-1.2.2-scanelf-fix-out-of-bounds-access-in-ia64.patch
@@ -0,0 +1,72 @@
+From e95103c40d0541fbcdb4b84b000832d9b1b83b8d Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich
+Date: Sat, 19 Aug 2017 10:34:41 +0100
+Subject: [PATCH] scanelf: fix out-of-bounds access in ia64
+
+commit 2eb852129394f97dae89c0ff1f9f48637edcb0e9
+slightly changed decoder and added unchecked
+read from elf header:
+
+```
+ switch (EGET(dpltrel->d_un.d_val)) { \
+ case DT_REL: \
+ rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \
+```
+
+On ia64 'EGET(drel->d_un.d_val)' returns absolute address:
+
+```
+ $ dumpelf bug/luatex
+ ...
+ /* Dynamic tag #31 'DT_RELA' 0x97E310 */
+ {
+ .d_tag = 0x7 ,
+ .d_un = {
+ .d_val = 0x4000000000031C30 ,
+ .d_ptr = 0x4000000000031C30 ,
+ },
+ },
+```
+
+That causes 'scanelf' crash on binaries like 'luatex'.
+
+This change restores check and loudly skips such sections:
+ scanelf: bug/luatex: DT_RELA is out of file range
+
+Bug: https://bugs.gentoo.org/624356
+Signed-off-by: Sergei Trofimovich
+---
+ scanelf.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/scanelf.c b/scanelf.c
+index 1ead891..a054408 100644
+--- a/scanelf.c
++++ b/scanelf.c
+@@ -607,11 +607,23 @@ static char *scanelf_file_textrels(elfobj *elf, char *found_textrels, char *foun
+ } \
+ switch (EGET(dpltrel->d_un.d_val)) { \
+ case DT_REL: \
++ if (EGET(drel->d_un.d_val) >= (uint64_t)elf->len - sizeof (drel->d_un.d_val)) { \
++ rel = NULL; \
++ rela = NULL; \
++ warn("%s: DT_REL is out of file range", elf->filename); \
++ break; \
++ } \
+ rel = REL##B(elf->vdata + EGET(drel->d_un.d_val)); \
+ rela = NULL; \
+ pltrel = DT_REL; \
+ break; \
+ case DT_RELA: \
++ if (EGET(drel->d_un.d_val) >= (uint64_t)elf->len - sizeof (drel->d_un.d_val)) { \
++ rel = NULL; \
++ rela = NULL; \
++ warn("%s: DT_RELA is out of file range", elf->filename); \
++ break; \
++ } \
+ rel = NULL; \
+ rela = RELA##B(elf->vdata + EGET(drel->d_un.d_val)); \
+ pltrel = DT_RELA; \
+-- 
+2.14.1
+
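Review bot: The new guard `if (EGET(drel->d_un.d_val) >= (uint64_t)elf->len - sizeof (drel->d_un.d_val))`, in both the DT_REL and DT_RELA arms, only proves that a few bytes at the table start lie inside the file: it subtracts the size of the dynamic entry's value field, not the size of an Elf##B##_Rel/Elf##B##_Rela record, and ignores the table length entirely. If the code after the `switch` walks DT_RELSZ/DT_RELASZ worth of entries from `rel`/`rela` (that part of scanelf_file_textrels is outside the hunk, as are the function's start and end), an offset just below `elf->len` still passes and the walk reads past the mapping; the check should be `if (off > elf->len || relsz > elf->len - off)` with `off = EGET(drel->d_un.d_val)` and `relsz` taken from the matching DT_RELSZ/DT_RELASZ tag, if that value is in scope there. Since both arms run the identical test, it could be hoisted above the `switch` and emit the tag name in the `warn()` rather than being duplicated. A comment is also warranted that on ia64 the value is a virtual address, not a file offset, so such binaries are now skipped with a warning (a TEXTREL false negative for a security scanner) rather than scanned; translating the address through the PT_LOAD headers would restore the check.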
diff --git a/app-misc/pax-utils/pax-utils-1.2.2-r1.ebuild b/app-misc/pax-utils/pax-utils-1.2.2-r1.ebuild
new file mode 100644
index 000000000000..ba368f7be676
--- /dev/null
+++ b/app-misc/pax-utils/pax-utils-1.2.2-r1.ebuild
@@ -0,0 +1,58 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit eutils toolchain-funcs unpacker
+
+DESCRIPTION="ELF utils that can check files for security relevant properties"
+HOMEPAGE="https://wiki.gentoo.org/index.php?title=Project:Hardened/PaX_Utilities"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+ https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="caps debug python seccomp"
+
+RDEPEND="caps? ( >=sys-libs/libcap-2.24 )
+ python? ( dev-python/pyelftools )
+ seccomp? ( sys-libs/libseccomp )"
+DEPEND="${RDEPEND}
+ caps? ( virtual/pkgconfig )
+ seccomp? ( virtual/pkgconfig )
+ app-arch/xz-utils"
+
+PATCHES=("${FILESDIR}"/${P}-scanelf-fix-out-of-bounds-access-in-ia64.patch)
+
+_emake() {
+ emake \
+ USE_CAP=$(usex caps) \
+ USE_DEBUG=$(usex debug) \
+ USE_PYTHON=$(usex python) \
+ USE_SECCOMP=$(usex seccomp) \
+ "$@"
+}
+
+src_configure() {
+ # Avoid slow configure+gnulib+make if on an up-to-date Linux system
+ if use prefix || ! use kernel_linux || \
+ has_version '