* [PATCH 0/2] prelink: fixed segmentation fault when install libqb
@ 2018-08-16 6:19 Robert Yang
2018-08-16 6:19 ` [PATCH 1/2] prelink: use ehdr.e_shstrndx as index rather than ehdr.e_shnum Robert Yang
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Robert Yang @ 2018-08-16 6:19 UTC (permalink / raw)
To: openembedded-core
The following changes since commit 125789b6ee6d47ab84192230f63971c4e22418ba:
cve-check.bbclass: do not download the CVE DB in package-specific tasks (2018-08-15 21:45:10 +0100)
are available in the git repository at:
git://git.openembedded.org/openembedded-core-contrib rbt/prelink
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=rbt/prelink
Robert Yang (2):
prelink: use ehdr.e_shstrndx as index rather than ehdr.e_shnum
elfutils: check data_list.data.d.d_buf before free it
meta/recipes-devtools/elfutils/elfutils_0.172.bb | 1 +
...end.c-check-data_list.data.d.d_buf-before.patch | 39 ++++++++++++++++++++++
...01-src-dso.c-use-ehdr.e_shstrndx-as-index.patch | 39 ++++++++++++++++++++++
meta/recipes-devtools/prelink/prelink_git.bb | 4 ++-
4 files changed, 82 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/elfutils/files/0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch
create mode 100644 meta/recipes-devtools/prelink/prelink/0001-src-dso.c-use-ehdr.e_shstrndx-as-index.patch
--
2.7.4
* [PATCH 1/2] prelink: use ehdr.e_shstrndx as index rather than ehdr.e_shnum
From: Robert Yang @ 2018-08-16 6:19 UTC (permalink / raw)
To: openembedded-core
[YOCTO #12791]
According to struct elf32_hd, the e_shnum is the section header number, and the
index is e_shstrndx, not e_shnum.
This can fix the segmentation fault when handling libqb.so.0.18.2 from libqb_1.0.3.
It fails to handle libqb.so.0.18.2 and gets errors:
Symbol section index outside of section numbers
Then it hits a segmentation fault. This is because the e_shnum is 34, while e_shstrndx is
27 (it would be 33 when there are no errors). I've checked several ELF files to confirm
that the ones after e_shstrndx are NULL, so using e_shstrndx should be correct.
Fixed:
MACHINE="qemux86-64"
IMAGE_INSTALL_append = " libqb" #libqb is from meta-openembedded
$ bitbake core-image-minimal
Segmentation fault
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
...01-src-dso.c-use-ehdr.e_shstrndx-as-index.patch | 39 ++++++++++++++++++++++
meta/recipes-devtools/prelink/prelink_git.bb | 4 ++-
2 files changed, 42 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/prelink/prelink/0001-src-dso.c-use-ehdr.e_shstrndx-as-index.patch
diff --git a/meta/recipes-devtools/prelink/prelink/0001-src-dso.c-use-ehdr.e_shstrndx-as-index.patch b/meta/recipes-devtools/prelink/prelink/0001-src-dso.c-use-ehdr.e_shstrndx-as-index.patch
new file mode 100644
index 0000000..397c7d3
--- /dev/null
+++ b/meta/recipes-devtools/prelink/prelink/0001-src-dso.c-use-ehdr.e_shstrndx-as-index.patch
@@ -0,0 +1,39 @@
+From 107290910ff846532d944ddb78edda436bb6ae63 Mon Sep 17 00:00:00 2001
+From: Robert Yang <liezhi.yang@windriver.com>
+Date: Wed, 15 Aug 2018 17:53:43 +0800
+Subject: [PATCH] src/dso.c: use ehdr.e_shstrndx as index
+
+According to struct elf32_hd, the e_shnum is section header number, and the
+index is e_shstrndx, not e_shnum.
+
+This can fix segmention fault when handle libqb.so.0.18.2 from libqb_1.0.3.
+It fails to handle libqb.so.0.18.2 and get errors:
+Symbol section index outside of section numbers
+
+Then segmentation fault, this is because the e_shnum is 34, while e_shstrndx is
+27 (it would be 33 when no errors), I've checked several elf files to confirm
+that the ones after e_shstrndx is NULL, so use e_shstrndx should be correct.
+
+Upstream-Status: Submitted
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+ src/dso.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dso.c b/src/dso.c
+index ae5e04d..c59d81f 100644
+--- a/src/dso.c
++++ b/src/dso.c
+@@ -1659,7 +1659,7 @@ close_dso_1 (DSO *dso)
+ {
+ int i;
+
+- for (i = 1; i < dso->ehdr.e_shnum; ++i)
++ for (i = 1; i < dso->ehdr.e_shstrndx; ++i)
+ {
+ Elf_Scn *scn = dso->scn[i];
+ Elf_Data *data = NULL;
+--
+2.7.4
+
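Review bot: In the close_dso_1 loop, `i < dso->ehdr.e_shstrndx` replaces a count with an index of a different kind. e_shstrndx is the section header table index of the section name string table, not the number of sections, so the loop now stops before that section and never visits any section placed at or after it. With the values given in the commit message (e_shnum 34, e_shstrndx 27), sections 27 to 33 are skipped during cleanup, and a file whose e_shstrndx is 0 would skip the loop entirely. If the crash comes from NULL entries in dso->scn[], keep the e_shnum bound and add a NULL check right after `Elf_Scn *scn = dso->scn[i];` so empty slots are skipped before scn is used. Separately, `Upstream-Status: Submitted` should state where the patch was submitted.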
diff --git a/meta/recipes-devtools/prelink/prelink_git.bb b/meta/recipes-devtools/prelink/prelink_git.bb
index 0f6d16e..c5eaedd 100644
--- a/meta/recipes-devtools/prelink/prelink_git.bb
+++ b/meta/recipes-devtools/prelink/prelink_git.bb
@@ -31,7 +31,9 @@ SRC_URI = "git://git.yoctoproject.org/prelink-cross.git;branch=cross_prelink \
file://prelink.conf \
file://prelink.cron.daily \
file://prelink.default \
- file://macros.prelink"
+ file://macros.prelink \
+ file://0001-src-dso.c-use-ehdr.e_shstrndx-as-index.patch \
+"
UPSTREAM_CHECK_COMMITS = "1"
TARGET_OS_ORIG := "${TARGET_OS}"
--
2.7.4
* [PATCH 2/2] elfutils: check data_list.data.d.d_buf before free it
From: Robert Yang @ 2018-08-16 6:19 UTC (permalink / raw)
To: openembedded-core
[YOCTO #12791]
The one which actually saves the data is data_list.data.d.d_buf, so check it
before freeing rawdata_base.
This can fix a segmentation fault when prelinking libqb_1.0.3:
prelink: /usr/lib/libqb.so.0.18.2: Symbol section index outside of section numbers
The segmentation fault happens when prelink calls elf_end().
Fixed:
MACHINE="qemux86-64"
IMAGE_INSTALL_append = " libqb" #libqb is from meta-openembedded
$ bitbake core-image-minimal
Segmentation fault
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
meta/recipes-devtools/elfutils/elfutils_0.172.bb | 1 +
...end.c-check-data_list.data.d.d_buf-before.patch | 39 ++++++++++++++++++++++
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-devtools/elfutils/files/0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.172.bb b/meta/recipes-devtools/elfutils/elfutils_0.172.bb
index 9d02211..1cdff40 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.172.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.172.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
file://0006-Fix-build-on-aarch64-musl.patch \
file://0007-Fix-control-path-where-we-have-str-as-uninitialized-.patch \
file://0001-libasm-may-link-with-libbz2-if-found.patch \
+ file://0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch \
file://debian/0001-hppa_backend.patch \
file://debian/0001-arm_backend.patch \
file://debian/0001-mips_backend.patch \
diff --git a/meta/recipes-devtools/elfutils/files/0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch b/meta/recipes-devtools/elfutils/files/0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch
new file mode 100644
index 0000000..7ea038f
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-libelf-elf_end.c-check-data_list.data.d.d_buf-before.patch
@@ -0,0 +1,39 @@
+From d68822e93c57c3fbb77b93eada5986d2240157c2 Mon Sep 17 00:00:00 2001
+From: Robert Yang <liezhi.yang@windriver.com>
+Date: Thu, 16 Aug 2018 09:58:26 +0800
+Subject: [PATCH] libelf/elf_end.c: check data_list.data.d.d_buf before free it
+
+The one which actually saves the data is data_list.data.d.d_buf, so check it
+before free rawdata_base.
+
+This can fix a segmentation fault when prelink libqb_1.0.3:
+prelink: /usr/lib/libqb.so.0.18.2: Symbol section index outside of section numbers
+
+The segmentation fault happens when prelink call elf_end().
+
+Upstream-Status: Submitted
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+ libelf/elf_end.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libelf/elf_end.c b/libelf/elf_end.c
+index 160f0b8..5388e80 100644
+--- a/libelf/elf_end.c
++++ b/libelf/elf_end.c
+@@ -165,9 +165,10 @@ elf_end (Elf *elf)
+
+ /* The section data is allocated if we couldn't mmap
+ the file. Or if we had to decompress. */
+- if (elf->map_address == NULL
++ if ((elf->map_address == NULL
+ || scn->rawdata_base == scn->zdata_base
+ || (scn->flags & ELF_F_MALLOCED) != 0)
++ && (scn->data_list.data.d.d_buf != NULL))
+ free (scn->rawdata_base);
+
+ /* Free the list of data buffers for the section.
+--
+2.7.4
+
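Review bot: The added `&& (scn->data_list.data.d.d_buf != NULL)` guards `free (scn->rawdata_base)` with a different pointer from the one being freed. free() on a NULL pointer is already a no-op, so a crash at this call means rawdata_base is non-NULL but not a live heap allocation (already freed, or never allocated with malloc). The new test hides that case only when d_buf happens to be NULL, and it leaks rawdata_base whenever d_buf is NULL but the buffer is valid. Since the commit message ties the crash to prelink calling elf_end() after its "Symbol section index outside of section numbers" error, it would be better to find which path leaves rawdata_base stale and fix the ownership there, or at least extend the comment above the condition to explain why a NULL d_buf means rawdata_base must not be freed. `Upstream-Status: Submitted` also needs the submission location.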
--
2.7.4
* ✗ patchtest: failure for prelink: fixed segmentation fault when install libqb
From: Patchwork @ 2018-08-16 6:37 UTC (permalink / raw)
To: Robert Yang; +Cc: openembedded-core
== Series Details ==
Series: prelink: fixed segmentation fault when install libqb
Revision: 1
URL : https://patchwork.openembedded.org/series/13549/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue Upstream-Status is Submitted, but it is not mentioned where [test_upstream_status_presence_format]
Suggested fix Include where 0001-src-dso.c-use-ehdr.e_shstrndx-as-index.patch was submitted
Current Upstream-Status: Submitted
Standard format Upstream-Status: Submitted [where]
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
* Re: ✗ patchtest: failure for prelink: fixed segmentation fault when install libqb
From: Robert Yang @ 2018-08-16 6:56 UTC (permalink / raw)
To: openembedded-core
On 08/16/2018 02:37 PM, Patchwork wrote:
> == Series Details ==
>
> Series: prelink: fixed segmentation fault when install libqb
> Revision: 1
> URL : https://patchwork.openembedded.org/series/13549/
> State : failure
>
> == Summary ==
>
>
> Thank you for submitting this patch series to OpenEmbedded Core. This is
> an automated response. Several tests have been executed on the proposed
> series by patchtest resulting in the following failures:
>
>
>
> * Issue Upstream-Status is Submitted, but it is not mentioned where [test_upstream_status_presence_format]
> Suggested fix Include where 0001-src-dso.c-use-ehdr.e_shstrndx-as-index.patch was submitted
> Current Upstream-Status: Submitted
> Standard format Upstream-Status: Submitted [where]
Fixed in the repo:
Upstream-Status: Submitted
[https://lists.yoctoproject.org/pipermail/yocto/2018-August/042240.html]
Upstream-Status: Submitted
[https://sourceware.org/ml/elfutils-devel/2018-q3/msg00065.html]
// Robert
>
>
>
> If you believe any of these test results are incorrect, please reply to the
> mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
> Otherwise we would appreciate you correcting the issues and submitting a new
> version of the patchset if applicable. Please ensure you add/increment the
> version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
> [PATCH v3] -> ...).
>
> ---
> Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
> Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
> Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
>
>