[gentoo-commits] repo/gentoo:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/ - gentoo-commits

From:	Mike Frysinger <vapier@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
Date:	Wed, 30 Mar 2016 03:46:57
Message-Id:	`1459309595.cb51c818a0d2b2f1a64e084411ac5717ebb3ef38.vapier@gentoo`

1

commit:     cb51c818a0d2b2f1a64e084411ac5717ebb3ef38

2

Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>

3

AuthorDate: Wed Mar 30 03:44:29 2016 +0000

4

Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>

5

CommitDate: Wed Mar 30 03:46:35 2016 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb51c818

7

8

sys-apps/sandbox: fix crashes w/some ELFs #578524

9

10

 .../sandbox/files/sandbox-2.11-exec-hash.patch     | 96 ++++++++++++++++++++++

11

 ...{sandbox-2.11.ebuild => sandbox-2.11-r1.ebuild} |  1 +

12

 2 files changed, 97 insertions(+)

13

14

diff --git a/sys-apps/sandbox/files/sandbox-2.11-exec-hash.patch b/sys-apps/sandbox/files/sandbox-2.11-exec-hash.patch

15

new file mode 100644

16

index 0000000..8a4cd9b

17

--- /dev/null

18

+++ b/sys-apps/sandbox/files/sandbox-2.11-exec-hash.patch

19

@@ -0,0 +1,96 @@

20

+From e11815bb7f0656f39e122073e0e3284ec7f5d021 Mon Sep 17 00:00:00 2001

21

+From: Mike Frysinger <vapier@g.o>

22

+Date: Tue, 29 Mar 2016 23:35:44 -0400

23

+Subject: [PATCH] libsandbox: fix symtab walking with some ELFs

24

+MIME-Version: 1.0

25

+Content-Type: text/plain; charset=UTF-8

26

+Content-Transfer-Encoding: 8bit

27

+

28

+The strtab assumption works if there is no SysV hash table.

29

+Add logic to handle that scenario.

30

+

31

+URL: https://bugs.gentoo.org/578524

32

+Reported-by: Toralf Förster <toralf.foerster@×××.de>

33

+Signed-off-by: Mike Frysinger <vapier@g.o>

34

+---

35

+ libsandbox/wrapper-funcs/__wrapper_exec.c | 30 +++++++++++++++++-------------

36

+ 1 file changed, 17 insertions(+), 13 deletions(-)

37

+

38

+diff --git a/libsandbox/wrapper-funcs/__wrapper_exec.c b/libsandbox/wrapper-funcs/__wrapper_exec.c

39

+index f7f51ab..d372366 100644

40

+--- a/libsandbox/wrapper-funcs/__wrapper_exec.c

41

++++ b/libsandbox/wrapper-funcs/__wrapper_exec.c

42

+@@ -83,10 +83,10 @@ static bool sb_check_exec(const char *filename, char *const argv[])

43

+ ({ \

44

+ 	Elf##n##_Ehdr *ehdr = (void *)elf; \

45

+ 	Elf##n##_Phdr *phdr = (void *)(elf + ehdr->e_phoff); \

46

+-	Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0; \

47

+-	Elf##n##_Off offset, symoff = 0, stroff = 0; \

48

++	Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0, vhash = 0; \

49

++	Elf##n##_Off offset, symoff = 0, stroff = 0, hashoff = 0; \

50

+ 	Elf##n##_Dyn *dyn; \

51

+-	Elf##n##_Sym *sym; \

52

++	Elf##n##_Sym *sym, *symend; \

53

+ 	uint##n##_t ent_size = 0, str_size = 0; \

54

+ 	bool dynamic = false; \

55

+ 	size_t i; \

56

+@@ -106,6 +106,7 @@ static bool sb_check_exec(const char *filename, char *const argv[])

57

+ 				case DT_SYMENT: ent_size = dyn->d_un.d_val; break; \

58

+ 				case DT_STRTAB: vstr = dyn->d_un.d_val; break; \

59

+ 				case DT_STRSZ:  str_size = dyn->d_un.d_val; break; \

60

++				case DT_HASH:   vhash = dyn->d_un.d_val; break; \

61

+ 				} \

62

+ 				++dyn; \

63

+ 			} \

64

+@@ -123,6 +124,8 @@ static bool sb_check_exec(const char *filename, char *const argv[])

65

+ 				symoff = offset + (vsym - vaddr); \

66

+ 			if (vstr >= vaddr && vstr < vaddr + filesz) \

67

+ 				stroff = offset + (vstr - vaddr); \

68

++			if (vhash >= vaddr && vhash < vaddr + filesz) \

69

++				hashoff = offset + (vhash - vaddr); \

70

+ 		} \

71

+ 		\

72

+ 		/* Finally walk the symbol table.  This should generally be fast as \

73

+@@ -130,18 +133,20 @@ static bool sb_check_exec(const char *filename, char *const argv[])

74

+ 		 * out there do not export any symbols at all. \

75

+ 		 */ \

76

+ 		if (symoff && stroff) { \

77

+-			sym = (void *)(elf + symoff); \

78

++			/* Hash entries are always 32-bits. */ \

79

++			uint32_t *hashes = (void *)(elf + hashoff); \

80

+ 			/* Nowhere is the # of symbols recorded, or the size of the symbol \

81

+-			 * table.  Instead, we do what glibc does: assume that the string \

82

+-			 * table always follows the symbol table.  This seems like a poor \

83

+-			 * assumption to make, but glibc has gotten by this long.  We could \

84

+-			 * rely on DT_HASH and walking all the buckets to find the largest \

85

+-			 * symbol index, but that's also a bit hacky. \

86

++			 * table.  Instead, we do what glibc does: use the sysv hash table \

87

++			 * if it exists, else assume that the string table always directly \

88

++			 * follows the symbol table.  This seems like a poor assumption to \

89

++			 * make, but glibc has gotten by this long. \

90

+ 			 * \

91

+ 			 * We don't sanity check the ranges here as you aren't executing \

92

+ 			 * corrupt programs in the sandbox. \

93

+ 			 */ \

94

+-			for (i = 0; i < (vstr - vsym) / ent_size; ++i) { \

95

++			sym = (void *)(elf + symoff); \

96

++			symend = vhash ? (sym + hashes[1]) : (void *)(elf + stroff); \

97

++			while (sym < symend) { \

98

+ 				char *symname = (void *)(elf + stroff + sym->st_name); \

99

+ 				if (ELF##n##_ST_VISIBILITY(sym->st_other) == STV_DEFAULT && \

100

+ 				    sym->st_shndx != SHN_UNDEF && sym->st_shndx < SHN_LORESERVE && \

101

+@@ -149,9 +154,8 @@ static bool sb_check_exec(const char *filename, char *const argv[])

102

+ 				    /* Minor optimization to avoid strcmp. */ \

103

+ 				    symname[0] == '_' && symname[1] == '_') { \

104

+ 					/* Blacklist internal C library symbols. */ \

105

+-					size_t j; \

106

+-					for (j = 0; j < ARRAY_SIZE(libc_alloc_syms); ++j) \

107

+-						if (!strcmp(symname, libc_alloc_syms[j])) { \

108

++					for (i = 0; i < ARRAY_SIZE(libc_alloc_syms); ++i) \

109

++						if (!strcmp(symname, libc_alloc_syms[i])) { \

110

+ 							run_in_process = false; \

111

+ 							goto use_trace; \

112

+ 						} \

113

+--

114

+2.7.4

115

+

116

117

diff --git a/sys-apps/sandbox/sandbox-2.11.ebuild b/sys-apps/sandbox/sandbox-2.11-r1.ebuild

118

similarity index 97%

119

rename from sys-apps/sandbox/sandbox-2.11.ebuild

120

rename to sys-apps/sandbox/sandbox-2.11-r1.ebuild

121

index 0bbf588..8001316 100644

122

--- a/sys-apps/sandbox/sandbox-2.11.ebuild

123

+++ b/sys-apps/sandbox/sandbox-2.11-r1.ebuild

124

@@ -32,6 +32,7 @@ sandbox_death_notice() {

125

}

126

127

 src_prepare() {

128

+	epatch "${FILESDIR}"/${P}-exec-hash.patch #578524

129

 	epatch_user

130

}

1	commit: cb51c818a0d2b2f1a64e084411ac5717ebb3ef38
2	Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
3	AuthorDate: Wed Mar 30 03:44:29 2016 +0000
4	Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
5	CommitDate: Wed Mar 30 03:46:35 2016 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb51c818
7
8	sys-apps/sandbox: fix crashes w/some ELFs #578524
9
10	.../sandbox/files/sandbox-2.11-exec-hash.patch \| 96 ++++++++++++++++++++++
11	...{sandbox-2.11.ebuild => sandbox-2.11-r1.ebuild} \| 1 +
12	2 files changed, 97 insertions(+)
13
14	diff --git a/sys-apps/sandbox/files/sandbox-2.11-exec-hash.patch b/sys-apps/sandbox/files/sandbox-2.11-exec-hash.patch
15	new file mode 100644
16	index 0000000..8a4cd9b
17	--- /dev/null
18	+++ b/sys-apps/sandbox/files/sandbox-2.11-exec-hash.patch
19	@@ -0,0 +1,96 @@
20	+From e11815bb7f0656f39e122073e0e3284ec7f5d021 Mon Sep 17 00:00:00 2001
21	+From: Mike Frysinger <vapier@g.o>
22	+Date: Tue, 29 Mar 2016 23:35:44 -0400
23	+Subject: [PATCH] libsandbox: fix symtab walking with some ELFs
24	+MIME-Version: 1.0
25	+Content-Type: text/plain; charset=UTF-8
26	+Content-Transfer-Encoding: 8bit
27	+
28	+The strtab assumption works if there is no SysV hash table.
29	+Add logic to handle that scenario.
30	+
31	+URL: https://bugs.gentoo.org/578524
32	+Reported-by: Toralf Förster <toralf.foerster@×××.de>
33	+Signed-off-by: Mike Frysinger <vapier@g.o>
34	+---
35	+ libsandbox/wrapper-funcs/__wrapper_exec.c \| 30 +++++++++++++++++-------------
36	+ 1 file changed, 17 insertions(+), 13 deletions(-)
37	+
38	+diff --git a/libsandbox/wrapper-funcs/__wrapper_exec.c b/libsandbox/wrapper-funcs/__wrapper_exec.c
39	+index f7f51ab..d372366 100644
40	+--- a/libsandbox/wrapper-funcs/__wrapper_exec.c
41	++++ b/libsandbox/wrapper-funcs/__wrapper_exec.c
42	+@@ -83,10 +83,10 @@ static bool sb_check_exec(const char filename, char const argv[])
43	+ ({ \
44	+ Elf##n##_Ehdr ehdr = (void )elf; \
45	+ Elf##n##_Phdr phdr = (void )(elf + ehdr->e_phoff); \
46	+- Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0; \
47	+- Elf##n##_Off offset, symoff = 0, stroff = 0; \
48	++ Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0, vhash = 0; \
49	++ Elf##n##_Off offset, symoff = 0, stroff = 0, hashoff = 0; \
50	+ Elf##n##_Dyn *dyn; \
51	+- Elf##n##_Sym *sym; \
52	++ Elf##n##_Sym sym, symend; \
53	+ uint##n##_t ent_size = 0, str_size = 0; \
54	+ bool dynamic = false; \
55	+ size_t i; \
56	+@@ -106,6 +106,7 @@ static bool sb_check_exec(const char filename, char const argv[])
57	+ case DT_SYMENT: ent_size = dyn->d_un.d_val; break; \
58	+ case DT_STRTAB: vstr = dyn->d_un.d_val; break; \
59	+ case DT_STRSZ: str_size = dyn->d_un.d_val; break; \
60	++ case DT_HASH: vhash = dyn->d_un.d_val; break; \
61	+ } \
62	+ ++dyn; \
63	+ } \
64	+@@ -123,6 +124,8 @@ static bool sb_check_exec(const char filename, char const argv[])
65	+ symoff = offset + (vsym - vaddr); \
66	+ if (vstr >= vaddr && vstr < vaddr + filesz) \
67	+ stroff = offset + (vstr - vaddr); \
68	++ if (vhash >= vaddr && vhash < vaddr + filesz) \
69	++ hashoff = offset + (vhash - vaddr); \
70	+ } \
71	+ \
72	+ /* Finally walk the symbol table. This should generally be fast as \
73	+@@ -130,18 +133,20 @@ static bool sb_check_exec(const char filename, char const argv[])
74	+ * out there do not export any symbols at all. \
75	+ */ \
76	+ if (symoff && stroff) { \
77	+- sym = (void *)(elf + symoff); \
78	++ /* Hash entries are always 32-bits. */ \
79	++ uint32_t hashes = (void )(elf + hashoff); \
80	+ /* Nowhere is the # of symbols recorded, or the size of the symbol \
81	+- * table. Instead, we do what glibc does: assume that the string \
82	+- * table always follows the symbol table. This seems like a poor \
83	+- * assumption to make, but glibc has gotten by this long. We could \
84	+- * rely on DT_HASH and walking all the buckets to find the largest \
85	+- * symbol index, but that's also a bit hacky. \
86	++ * table. Instead, we do what glibc does: use the sysv hash table \
87	++ * if it exists, else assume that the string table always directly \
88	++ * follows the symbol table. This seems like a poor assumption to \
89	++ * make, but glibc has gotten by this long. \
90	+ * \
91	+ * We don't sanity check the ranges here as you aren't executing \
92	+ * corrupt programs in the sandbox. \
93	+ */ \
94	+- for (i = 0; i < (vstr - vsym) / ent_size; ++i) { \
95	++ sym = (void *)(elf + symoff); \
96	++ symend = vhash ? (sym + hashes[1]) : (void *)(elf + stroff); \
97	++ while (sym < symend) { \
98	+ char symname = (void )(elf + stroff + sym->st_name); \
99	+ if (ELF##n##_ST_VISIBILITY(sym->st_other) == STV_DEFAULT && \
100	+ sym->st_shndx != SHN_UNDEF && sym->st_shndx < SHN_LORESERVE && \
101	+@@ -149,9 +154,8 @@ static bool sb_check_exec(const char filename, char const argv[])
102	+ /* Minor optimization to avoid strcmp. */ \
103	+ symname[0] == '_' && symname[1] == '_') { \
104	+ /* Blacklist internal C library symbols. */ \
105	+- size_t j; \
106	+- for (j = 0; j < ARRAY_SIZE(libc_alloc_syms); ++j) \
107	+- if (!strcmp(symname, libc_alloc_syms[j])) { \
108	++ for (i = 0; i < ARRAY_SIZE(libc_alloc_syms); ++i) \
109	++ if (!strcmp(symname, libc_alloc_syms[i])) { \
110	+ run_in_process = false; \
111	+ goto use_trace; \
112	+ } \
113	+--
114	+2.7.4
115	+
116
117	diff --git a/sys-apps/sandbox/sandbox-2.11.ebuild b/sys-apps/sandbox/sandbox-2.11-r1.ebuild
118	similarity index 97%
119	rename from sys-apps/sandbox/sandbox-2.11.ebuild
120	rename to sys-apps/sandbox/sandbox-2.11-r1.ebuild
121	index 0bbf588..8001316 100644
122	--- a/sys-apps/sandbox/sandbox-2.11.ebuild
123	+++ b/sys-apps/sandbox/sandbox-2.11-r1.ebuild
124	@@ -32,6 +32,7 @@ sandbox_death_notice() {
125	}
126
127	src_prepare() {
128	+ epatch "${FILESDIR}"/${P}-exec-hash.patch #578524
129	epatch_user
130	}

Gentoo Archives: gentoo-commits