1 |
commit: cb51c818a0d2b2f1a64e084411ac5717ebb3ef38 |
2 |
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
3 |
AuthorDate: Wed Mar 30 03:44:29 2016 +0000 |
4 |
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
5 |
CommitDate: Wed Mar 30 03:46:35 2016 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb51c818 |
7 |
|
8 |
sys-apps/sandbox: fix crashes w/some ELFs #578524 |
9 |
|
10 |
.../sandbox/files/sandbox-2.11-exec-hash.patch | 96 ++++++++++++++++++++++ |
11 |
...{sandbox-2.11.ebuild => sandbox-2.11-r1.ebuild} | 1 + |
12 |
2 files changed, 97 insertions(+) |
13 |
|
14 |
diff --git a/sys-apps/sandbox/files/sandbox-2.11-exec-hash.patch b/sys-apps/sandbox/files/sandbox-2.11-exec-hash.patch |
15 |
new file mode 100644 |
16 |
index 0000000..8a4cd9b |
17 |
--- /dev/null |
18 |
+++ b/sys-apps/sandbox/files/sandbox-2.11-exec-hash.patch |
19 |
@@ -0,0 +1,96 @@ |
20 |
+From e11815bb7f0656f39e122073e0e3284ec7f5d021 Mon Sep 17 00:00:00 2001 |
21 |
+From: Mike Frysinger <vapier@g.o> |
22 |
+Date: Tue, 29 Mar 2016 23:35:44 -0400 |
23 |
+Subject: [PATCH] libsandbox: fix symtab walking with some ELFs |
24 |
+MIME-Version: 1.0 |
25 |
+Content-Type: text/plain; charset=UTF-8 |
26 |
+Content-Transfer-Encoding: 8bit |
27 |
+ |
28 |
+The strtab assumption works if there is no SysV hash table. |
29 |
+Add logic to handle that scenario. |
30 |
+ |
31 |
+URL: https://bugs.gentoo.org/578524 |
32 |
+Reported-by: Toralf Förster <toralf.foerster@×××.de> |
33 |
+Signed-off-by: Mike Frysinger <vapier@g.o> |
34 |
+--- |
35 |
+ libsandbox/wrapper-funcs/__wrapper_exec.c | 30 +++++++++++++++++------------- |
36 |
+ 1 file changed, 17 insertions(+), 13 deletions(-) |
37 |
+ |
38 |
+diff --git a/libsandbox/wrapper-funcs/__wrapper_exec.c b/libsandbox/wrapper-funcs/__wrapper_exec.c |
39 |
+index f7f51ab..d372366 100644 |
40 |
+--- a/libsandbox/wrapper-funcs/__wrapper_exec.c |
41 |
++++ b/libsandbox/wrapper-funcs/__wrapper_exec.c |
42 |
+@@ -83,10 +83,10 @@ static bool sb_check_exec(const char *filename, char *const argv[]) |
43 |
+ ({ \ |
44 |
+ Elf##n##_Ehdr *ehdr = (void *)elf; \ |
45 |
+ Elf##n##_Phdr *phdr = (void *)(elf + ehdr->e_phoff); \ |
46 |
+- Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0; \ |
47 |
+- Elf##n##_Off offset, symoff = 0, stroff = 0; \ |
48 |
++ Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0, vhash = 0; \ |
49 |
++ Elf##n##_Off offset, symoff = 0, stroff = 0, hashoff = 0; \ |
50 |
+ Elf##n##_Dyn *dyn; \ |
51 |
+- Elf##n##_Sym *sym; \ |
52 |
++ Elf##n##_Sym *sym, *symend; \ |
53 |
+ uint##n##_t ent_size = 0, str_size = 0; \ |
54 |
+ bool dynamic = false; \ |
55 |
+ size_t i; \ |
56 |
+@@ -106,6 +106,7 @@ static bool sb_check_exec(const char *filename, char *const argv[]) |
57 |
+ case DT_SYMENT: ent_size = dyn->d_un.d_val; break; \ |
58 |
+ case DT_STRTAB: vstr = dyn->d_un.d_val; break; \ |
59 |
+ case DT_STRSZ: str_size = dyn->d_un.d_val; break; \ |
60 |
++ case DT_HASH: vhash = dyn->d_un.d_val; break; \ |
61 |
+ } \ |
62 |
+ ++dyn; \ |
63 |
+ } \ |
64 |
+@@ -123,6 +124,8 @@ static bool sb_check_exec(const char *filename, char *const argv[]) |
65 |
+ symoff = offset + (vsym - vaddr); \ |
66 |
+ if (vstr >= vaddr && vstr < vaddr + filesz) \ |
67 |
+ stroff = offset + (vstr - vaddr); \ |
68 |
++ if (vhash >= vaddr && vhash < vaddr + filesz) \ |
69 |
++ hashoff = offset + (vhash - vaddr); \ |
70 |
+ } \ |
71 |
+ \ |
72 |
+ /* Finally walk the symbol table. This should generally be fast as \ |
73 |
+@@ -130,18 +133,20 @@ static bool sb_check_exec(const char *filename, char *const argv[]) |
74 |
+ * out there do not export any symbols at all. \ |
75 |
+ */ \ |
76 |
+ if (symoff && stroff) { \ |
77 |
+- sym = (void *)(elf + symoff); \ |
78 |
++ /* Hash entries are always 32-bits. */ \ |
79 |
++ uint32_t *hashes = (void *)(elf + hashoff); \ |
80 |
+ /* Nowhere is the # of symbols recorded, or the size of the symbol \ |
81 |
+- * table. Instead, we do what glibc does: assume that the string \ |
82 |
+- * table always follows the symbol table. This seems like a poor \ |
83 |
+- * assumption to make, but glibc has gotten by this long. We could \ |
84 |
+- * rely on DT_HASH and walking all the buckets to find the largest \ |
85 |
+- * symbol index, but that's also a bit hacky. \ |
86 |
++ * table. Instead, we do what glibc does: use the sysv hash table \ |
87 |
++ * if it exists, else assume that the string table always directly \ |
88 |
++ * follows the symbol table. This seems like a poor assumption to \ |
89 |
++ * make, but glibc has gotten by this long. \ |
90 |
+ * \ |
91 |
+ * We don't sanity check the ranges here as you aren't executing \ |
92 |
+ * corrupt programs in the sandbox. \ |
93 |
+ */ \ |
94 |
+- for (i = 0; i < (vstr - vsym) / ent_size; ++i) { \ |
95 |
++ sym = (void *)(elf + symoff); \ |
96 |
++ symend = vhash ? (sym + hashes[1]) : (void *)(elf + stroff); \ |
97 |
++ while (sym < symend) { \ |
98 |
+ char *symname = (void *)(elf + stroff + sym->st_name); \ |
99 |
+ if (ELF##n##_ST_VISIBILITY(sym->st_other) == STV_DEFAULT && \ |
100 |
+ sym->st_shndx != SHN_UNDEF && sym->st_shndx < SHN_LORESERVE && \ |
101 |
+@@ -149,9 +154,8 @@ static bool sb_check_exec(const char *filename, char *const argv[]) |
102 |
+ /* Minor optimization to avoid strcmp. */ \ |
103 |
+ symname[0] == '_' && symname[1] == '_') { \ |
104 |
+ /* Blacklist internal C library symbols. */ \ |
105 |
+- size_t j; \ |
106 |
+- for (j = 0; j < ARRAY_SIZE(libc_alloc_syms); ++j) \ |
107 |
+- if (!strcmp(symname, libc_alloc_syms[j])) { \ |
108 |
++ for (i = 0; i < ARRAY_SIZE(libc_alloc_syms); ++i) \ |
109 |
++ if (!strcmp(symname, libc_alloc_syms[i])) { \ |
110 |
+ run_in_process = false; \ |
111 |
+ goto use_trace; \ |
112 |
+ } \ |
113 |
+-- |
114 |
+2.7.4 |
115 |
+ |
116 |
|
117 |
diff --git a/sys-apps/sandbox/sandbox-2.11.ebuild b/sys-apps/sandbox/sandbox-2.11-r1.ebuild |
118 |
similarity index 97% |
119 |
rename from sys-apps/sandbox/sandbox-2.11.ebuild |
120 |
rename to sys-apps/sandbox/sandbox-2.11-r1.ebuild |
121 |
index 0bbf588..8001316 100644 |
122 |
--- a/sys-apps/sandbox/sandbox-2.11.ebuild |
123 |
+++ b/sys-apps/sandbox/sandbox-2.11-r1.ebuild |
124 |
@@ -32,6 +32,7 @@ sandbox_death_notice() { |
125 |
} |
126 |
|
127 |
src_prepare() { |
128 |
+ epatch "${FILESDIR}"/${P}-exec-hash.patch #578524 |
129 |
epatch_user |
130 |
} |