[Pkg-utopia-maintainers] Bug#1065484: libatasmart4: Please rebuild to avoid overly huge ELF segment alignment

Mathias Krause minipli at grsecurity.net
Tue Mar 5 11:07:00 GMT 2024


Package: libatasmart4
Version: 0.19-5
Severity: normal
X-Debbugs-Cc: minipli at grsecurity.net

Dear Maintainer,

After investigating ELF binaries and libraries on Debian systems, I
noticed that libatasmart4 uses an overly huge alignment for its
segments. This will lead to an unnecessary ASLR degradation for users of
this library like udisks2.

Below is the relevant output:

minipli at x1:~/src/paxtest (master)$ ./contrib/check_align.sh /usr/lib/x86_64-linux-gnu/libatasmart.so.4.0.5
/usr/lib/x86_64-linux-gnu/libatasmart.so.4.0.5 (max align=0x200000)
minipli at x1:~/src/paxtest (master)$ readelf -Wl /usr/lib/x86_64-linux-gnu/libatasmart.so.4.0.5 | grep -B2 LOAD 
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x009f58 0x009f58 R E 0x200000
  LOAD           0x00a390 0x000000000020a390 0x000000000020a390 0x001e40 0x001e48 RW  0x200000

The cause for the excessive segment alignment of 2MB instead of the
usual 4kB is binutils' ld which did, from versions v2.11 up to v2.30 (in
Debian, at least), use a huge default, even if no segment required such
a huge alignment. That was fixed in Debian with the release of buster,
which makes use of binutils v2.31+.

The full technical background behind overly huge alignment was reported
here: https://grsecurity.net/toolchain_necromancy_past_mistakes_haunting_aslr

Rebuilding the package will implicitly make use of a recent version of
ld and thereby fix the issue which is what I'm hereby requesting.

Thanks,
Mathias

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/20 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libatasmart4 depends on:
ii  libc6     2.36-9+deb12u4
ii  libudev1  252.22-1~deb12u1

libatasmart4 recommends no packages.

libatasmart4 suggests no packages.

-- no debconf information
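
Added example, not part of the original report and not the check_align.sh script it runs (that script's contents are not shown here): one way to read the PT_LOAD alignment that readelf prints above straight from a little-endian ELF64 file. The function names are assumptions, and sample_image() builds a constructed header carrying the two LOAD entries from the report.

```python
import struct
import sys

PT_LOAD = 1
PAGE_SIZE = 0x1000  # the "usual 4kB" alignment named in the report

def load_alignments(image):
    """Return p_align of every PT_LOAD segment in a little-endian ELF64 image."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if image[4] != 2 or image[5] != 1:  # EI_CLASS=ELFCLASS64, EI_DATA=ELFDATA2LSB
        raise ValueError("only little-endian ELF64 is handled here")
    (e_phoff,) = struct.unpack_from("<Q", image, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x36)
    aligns = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(image):  # an Elf64_Phdr is 56 bytes
            raise ValueError("program header table is truncated")
        (p_type,) = struct.unpack_from("<I", image, off)
        (p_align,) = struct.unpack_from("<Q", image, off + 48)
        if p_type == PT_LOAD:
            aligns.append(p_align)
    return aligns

def check_align(image):
    """Return (max LOAD alignment, low address bits forced to zero beyond a 4 kB page)."""
    max_align = max(load_alignments(image), default=0)
    extra_bits = max(0, max_align.bit_length() - PAGE_SIZE.bit_length())
    return max_align, extra_bits

def sample_image(align):
    """Constructed input: ELF64 header plus the two LOAD headers from the report."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                       0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    text = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, 0x9F58, 0x9F58, align)
    data = struct.pack("<IIQQQQQQ", PT_LOAD, 6, 0xA390, 0x20A390, 0x20A390,
                       0x1E40, 0x1E48, align)
    return ehdr + text + data

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            max_align, extra_bits = check_align(fh.read())
        flag = "  <-- larger than 4kB" if max_align > PAGE_SIZE else ""
        print(f"{path} (max align={max_align:#x}, +{extra_bits} aligned bits){flag}")
```

Run with library paths as arguments, it prints one line per file and marks those whose LOAD segments ask for more than 4kB alignment.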


