
Bug#1065540: libxdmcp6: Please rebuild to avoid overly huge ELF segment alignment



Hi Mathias,

On 06/03/2024 13:06, Mathias Krause wrote:
Package: libxdmcp6
Version: 1:1.1.2-3
Severity: normal
X-Debbugs-Cc: minipli@grsecurity.net

Dear Maintainer,

After investigating ELF binaries and libraries on Debian systems, I
noticed that libxdmcp6 uses an overly huge alignment for its segments.
This will lead to an unnecessary ASLR degradation for (transitive) users
of this library like xserver-xorg-core, lightdm, cinnamon-session,
cinnamon-settings-daemon, pipewire-bin and many others.

Below is the relevant output:

minipli@bell:~/src/paxtest (master)$ ./contrib/check_align.sh /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
/usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0 (max align=0x200000)
minipli@bell:~/src/paxtest (master)$ readelf -Wl /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0 | grep -B2 LOAD
Program Headers:
   Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
   LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x0046c4 0x0046c4 R E 0x200000
   LOAD           0x004de0 0x0000000000204de0 0x0000000000204de0 0x000308 0x000310 RW  0x200000

The cause for the excessive segment alignment of 2MB instead of the
usual 4kB is binutils' ld which did, from versions v2.11 up to v2.30 (in
Debian, at least), use a huge default, even if no segment required such
a huge alignment. That was fixed in Debian with the release of buster,
which makes use of binutils v2.31+.

The full technical background behind overly huge alignment was reported
here: https://grsecurity.net/toolchain_necromancy_past_mistakes_haunting_aslr

Rebuilding the package will implicitly make use of a recent version of
ld and thereby fix the issue, which is what I'm hereby requesting.

I don't know if there are many more bugs like this (I only noticed three); if there are, this should have been discussed in debian-devel@, see [1].

The solution to this is to request rebuilds from the Release team. Could you email debian-release@ with a summary of the problem and a list of packages (and possibly architectures) that need to be rebuilt?

Cheers,
Emilio

[1] https://www.debian.org/doc/manuals/developers-reference/beyond-pkging.en.html#reporting-lots-of-bugs-at-once-mass-bug-filing
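
The alignment check discussed in the message above, as an added example that is not part of the original e-mail and is not the paxtest check_align.sh script: it reads the PT_LOAD program headers directly and reports the largest p_align, plus how many address bits above the page offset that alignment pins. The function names, the 4 kB page size and the constructed sample ELF (which mirrors the two LOAD lines of the readelf output) are assumptions made for illustration.

```python
import struct
import sys

PT_LOAD = 1
PAGE_SIZE = 0x1000  # assumption: 4 kB pages, the "usual" alignment named in the report

def load_alignments(data: bytes) -> list[int]:
    """Return p_align of every PT_LOAD program header in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = ">" if data[5] == 2 else "<"           # EI_DATA: 2 = big endian
    if data[4] == 2:                             # EI_CLASS: ELF64
        e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
        entsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        align_off, fmt = 0x30, "Q"
    elif data[4] == 1:                           # EI_CLASS: ELF32
        e_phoff, = struct.unpack_from(end + "I", data, 0x1C)
        entsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        align_off, fmt = 0x1C, "I"
    else:
        raise ValueError("unknown ELF class")
    aligns = []
    for i in range(phnum):
        base = e_phoff + i * entsize
        p_type, = struct.unpack_from(end + "I", data, base)
        if p_type == PT_LOAD:
            aligns.append(struct.unpack_from(end + fmt, data, base + align_off)[0])
    return aligns

def check_align(data: bytes, page: int = PAGE_SIZE) -> tuple[int, int]:
    """Return (max PT_LOAD alignment, address bits pinned beyond page alignment)."""
    max_align = max(load_alignments(data), default=0)
    return max_align, max(max_align // page, 1).bit_length() - 1

def sample_elf64(align: int) -> bytes:
    """Constructed input: ELF64 LE header plus two PT_LOAD entries, no contents."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    def phdr(flags, off, vaddr, filesz, memsz):
        return struct.pack("<IIQQQQQQ", PT_LOAD, flags, off, vaddr, vaddr,
                           filesz, memsz, align)
    return ehdr + phdr(5, 0, 0, 0x46c4, 0x46c4) + phdr(6, 0x4de0, 0x204de0, 0x308, 0x310)

if __name__ == "__main__":
    for path in sys.argv[1:]:                    # e.g. every .so under /usr/lib
        with open(path, "rb") as fh:
            align, bits = check_align(fh.read())
        print(f"{path} (max align={align:#x}, pinned bits={bits})")
```

The pinned-bit count only translates into lost randomization where the loader honours p_align when placing the mapping; a library rebuilt with a current ld should report a 4 kB alignment and 0 pinned bits.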

