Bug 2372409 - scanelf crash with version pax-utils-1.3.8-2.el9 on RHEL 9.6
Summary: scanelf crash with version pax-utils-1.3.8-2.el9 on RHEL 9.6
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: pax-utils
Version: epel9
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Dominik 'Rathann' Mierzejewski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-06-12 08:28 UTC by Christophe Piault
Modified: 2025-06-12 22:19 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Attachments
Archive containing library causing scanelf crash (14.68 MB, application/gzip)
2025-06-12 08:28 UTC, Christophe Piault
Output for successful run of the scenario with pax-utils-1.3.3-1.el8 (516.45 KB, text/plain)
2025-06-12 08:30 UTC, Christophe Piault


Links: Gentoo bug 957985, last updated 2025-06-12 22:19:54 UTC

Description Christophe Piault 2025-06-12 08:28:55 UTC
Created attachment 2093741
Archive containing library causing scanelf crash

Description of problem:
We are facing a scanelf crash on RHEL 9.6 when processing library libECMAScriptKernel.so.

Version-Release number of selected component (if applicable):
pax-utils-1.3.8-2.el9 from https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-cc54cfc32f

How reproducible:
Every time it processes the file libECMAScriptKernel.so

Steps to Reproduce:
1. Install pax-utils-1.3.8-2.el9 produced by https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-cc54cfc32f on RHEL 9.6
2. Download attached archive libECMAScriptKernel.tgz
3. Untar + Unzip libECMAScriptKernel.tgz
4. run /bin/scanelf -B -E ET_DYN -M 64 -s %ogd% libECMAScriptKernel.so

Actual results:
Reading symbols from /usr/bin/scanelf...
Reading symbols from /usr/lib/debug/usr/bin/scanelf-1.3.8-2.el9.x86_64.debug...
[New LWP 693932]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/bin/scanelf -B -E ET_DYN -M 64 -s %ogd% libECMAScriptKernel.so'.
Program terminated with signal SIGSYS, Bad system call.
#0  0x00007fd22ef0f57e in mremap () at ../sysdeps/unix/syscall-template.S:117
117	T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS,
(gdb) bt
#0  0x00007fd22ef0f57e in mremap () at ../sysdeps/unix/syscall-template.S:117
#1  0x00007fd22ee9a656 in mremap_chunk (new_size=237568, p=0x7fd22f13c000) at malloc.c:2962
#2  __GI___libc_realloc (oldmem=oldmem@entry=0x7fd22f13c010, bytes=237094) at malloc.c:3320
#3  0x00005639a8d6dc65 in xstrncat (dst=dst@entry=0x7ffedb380e00, 
    src=src@entry=0x7fd22c23b1b0 "_ZZN2v88internal29StaticCallInterfaceDescriptorINS0_26TestTurbofanTypeDescriptorEE10InitializeEPNS0_27CallInterfaceDescriptorDataEE16return_registers", curr_len=curr_len@entry=0x7ffedb380e18, n=0)
    at ../xfuncs.c:46
#4  0x00005639a8d6df6d in scanelf_match_symname (elf=elf@entry=0x5639a9bd6370, 
    found_sym=found_sym@entry=0x7ffedb380df7 "\001", ret=ret@entry=0x7ffedb380e00, 
    ret_len=ret_len@entry=0x7ffedb380e18, 
    symname=symname@entry=0x7fd22c23b1b0 "_ZZN2v88internal29StaticCallInterfaceDescriptorINS0_26TestTurbofanTypeDescriptorEE10InitializeEPNS0_27CallInterfaceDescriptorDataEE16return_registers", stt=1, stb=10, stv=0, shn=13, size=3)
    at ../scanelf.c:1292
#5  0x00005639a8d6fc4e in scanelf_file_sym (found_sym=0x7ffedb380df7 "\001", elf=0x5639a9bd6370)
    at ../scanelf.c:1346
#6  scanelf_elfobj (elf=elf@entry=0x5639a9bd6370) at ../scanelf.c:1533
#7  0x00005639a8d71754 in scanelf_elf (len=<optimized out>, fd=3, filename=0x7ffedb38389c "libECMAScriptKernel.so")
    at ../scanelf.c:1598
#8  scanelf_fileat (dir_fd=dir_fd@entry=-100, filename=filename@entry=0x7ffedb38389c "libECMAScriptKernel.so", 
    st_cache=st_cache@entry=0x7ffedb381150) at ../scanelf.c:1665
#9  0x00005639a8d72065 in scanelf_dirat (dir_fd=-100, path=0x7ffedb38389c "libECMAScriptKernel.so")
    at ../scanelf.c:1699
#10 0x00005639a8d735be in scanelf_dir (path=<optimized out>) at ../paxinc.c:245
#11 parseargs (argc=argc@entry=9, argv=argv@entry=0x7ffedb382528) at ../scanelf.c:2231
#12 0x00005639a8d689a9 in main (argc=9, argv=0x7ffedb382528) at ../scanelf.c:2319


Expected results:
pax-utils-1.3.3-1.el8 finds 4 310 symbols without crashing on RHEL 9.6. See attached output.

Additional info:

Comment 1 Christophe Piault 2025-06-12 08:30:04 UTC
Created attachment 2093742
Output for successful run of the scenario with pax-utils-1.3.3-1.el8

Comment 2 Dominik 'Rathann' Mierzejewski 2025-06-12 21:48:32 UTC
Thanks for the report. This is reproducible on F42, too.

Comment 3 Dominik 'Rathann' Mierzejewski 2025-06-12 22:19:54 UTC
Reported upstream.