Bug#982465: Bug in r-base and r-cran-rcppparallel

Bastian Blank Wed, 10 Feb 2021 10:00:18 -0800

Control: clone -1 -2
Control: reassign -1 r-base 4.0.3-1
Control: retitle -1 r-base: dyn.load not useful for system libraries
Control: affects -1 r-cran-rcppparallel 5.0.2+dfsg-3
Control: severity -1 important
Control: reassign -2 r-cran-rcppparallel 5.0.2+dfsg-3
Control: retitle -2 r-cran-rcppparallel: generates broken load path for libtbb 
and fails on several architectures
Control: severity -2 serious


Hi Andreas

This are actually two bugs:
- r-base dyn.load not accepting relative library names on Linux systems
  and
- r-cran-rcppparallel trying to workaround the bug in dyn.load by
  deducting the full path of libtbb from the architecture instead of the
  correct multiarch setting and failing.

This has nothing to do with r-cran-rstan or r-cran-rstanarm, but it
seems to be the first one to find out.  I've attached patches to fix
both problems, properly re-assigned and adjusted the bugs.

This behaviour of R dyn.load might even be considered a security
vulnerability, because loading libraries from the working directory is a
problem.

Bastian

-- 
Kirk to Enterprise -- beam down yeoman Rand and a six-pack.

diff -Nru r-base-4.0.3/debian/changelog r-base-4.0.3/debian/changelog
--- r-base-4.0.3/debian/changelog       2020-10-10 12:04:31.000000000 +0000
+++ r-base-4.0.3/debian/changelog       2021-02-10 17:37:12.000000000 +0000
@@ -1,3 +1,10 @@
+r-base (4.0.3-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Make dyn.load follow system library path. (closes: #-1)
+
+ -- Bastian Blank <wa...@debian.org>  Wed, 10 Feb 2021 17:37:12 +0000
+
 r-base (4.0.3-1) unstable; urgency=medium
 
   * New upstream version released this morning
diff -Nru r-base-4.0.3/debian/patches/dynload-system 
r-base-4.0.3/debian/patches/dynload-system
--- r-base-4.0.3/debian/patches/dynload-system  1970-01-01 00:00:00.000000000 
+0000
+++ r-base-4.0.3/debian/patches/dynload-system  2021-02-10 17:07:48.000000000 
+0000
@@ -0,0 +1,42 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ r-base (4.0.3-1.fix1) UNRELEASED; urgency=medium
+ .
+   * Test
+Author: Debian 
<b...@debian-sid.uc1w5jib0zdu1hjrgnhfp3r5vb.ax.internal.cloudapp.net>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: 2021-02-10
+
+--- r-base-4.0.3.orig/src/unix/dynload.c
++++ r-base-4.0.3/src/unix/dynload.c
+@@ -220,14 +220,6 @@ static void getFullDLLPath(SEXP call, ch
+ {
+     if(path[0] == '~')
+       strcpy(buf, R_ExpandFileName(path));
+-    else if(path[0] != '/') {
+-#ifdef HAVE_GETCWD
+-      if(!getcwd(buf, PATH_MAX))
+-#endif
+-          errorcall(call, _("cannot get working directory!"));
+-      strcat(buf, "/");
+-      strcat(buf, path);
+-    }
+     else strcpy(buf, path);
+ }
+ 
diff -Nru r-base-4.0.3/debian/patches/series r-base-4.0.3/debian/patches/series
--- r-base-4.0.3/debian/patches/series  2020-04-03 14:27:57.000000000 +0000
+++ r-base-4.0.3/debian/patches/series  2021-02-10 17:07:48.000000000 +0000
@@ -1,3 +1,4 @@
 # gfortran8-changes
 # ppc64_change
 # powerpc_change
+dynload-system

diff -Nru r-cran-rcppparallel-5.0.2+dfsg/debian/changelog 
r-cran-rcppparallel-5.0.2+dfsg/debian/changelog
--- r-cran-rcppparallel-5.0.2+dfsg/debian/changelog     2020-09-30 
13:39:50.000000000 +0000
+++ r-cran-rcppparallel-5.0.2+dfsg/debian/changelog     2021-02-10 
17:43:22.000000000 +0000
@@ -1,3 +1,10 @@
+r-cran-rcppparallel (5.0.2+dfsg-3.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Load libtbb from system patch. (closes: #-1)
+
+ -- Bastian Blank <wa...@debian.org>  Wed, 10 Feb 2021 17:43:22 +0000
+
 r-cran-rcppparallel (5.0.2+dfsg-3) unstable; urgency=medium
 
   * Fix patch to make sure '-L' option will not be left out
diff -Nru r-cran-rcppparallel-5.0.2+dfsg/debian/control 
r-cran-rcppparallel-5.0.2+dfsg/debian/control
--- r-cran-rcppparallel-5.0.2+dfsg/debian/control       2020-09-30 
13:39:50.000000000 +0000
+++ r-cran-rcppparallel-5.0.2+dfsg/debian/control       2021-02-10 
17:43:22.000000000 +0000
@@ -7,7 +7,7 @@
 Priority: optional
 Build-Depends: debhelper-compat (= 13),
                dh-r,
-               r-base-dev,
+               r-base-dev (>= 4.0.3-1.1~),
                libtbb-dev
 Standards-Version: 4.5.0
 Vcs-Browser: https://salsa.debian.org/r-pkg-team/r-cran-rcppparallel
diff -Nru 
r-cran-rcppparallel-5.0.2+dfsg/debian/patches/use_debian_packaged_libtbb.patch 
r-cran-rcppparallel-5.0.2+dfsg/debian/patches/use_debian_packaged_libtbb.patch
--- 
r-cran-rcppparallel-5.0.2+dfsg/debian/patches/use_debian_packaged_libtbb.patch  
    2020-09-30 13:39:50.000000000 +0000
+++ 
r-cran-rcppparallel-5.0.2+dfsg/debian/patches/use_debian_packaged_libtbb.patch  
    2021-02-10 17:43:22.000000000 +0000
@@ -3,8 +3,10 @@
 Description: Do not try to build removed tbb code copy but
  rather link to Debian packaged version
 
---- r-cran-rcppparallel.orig/src/Makevars.in
-+++ r-cran-rcppparallel/src/Makevars.in
+Index: r-cran-rcppparallel-5.0.2+dfsg/src/Makevars.in
+===================================================================
+--- r-cran-rcppparallel-5.0.2+dfsg.orig/src/Makevars.in
++++ r-cran-rcppparallel-5.0.2+dfsg/src/Makevars.in
 @@ -1,6 +1,7 @@
  
  PKG_CPPFLAGS = -I../inst/include
@@ -13,7 +15,7 @@
  
  ifeq ($(OS), Windows_NT)
  
-@@ -86,20 +87,10 @@
+@@ -86,20 +87,10 @@ endif
  all: tbb $(SHLIB)
  
  tbb:
@@ -36,9 +38,11 @@
  
  endif
  
---- r-cran-rcppparallel.orig/R/build.R
-+++ r-cran-rcppparallel/R/build.R
-@@ -53,13 +53,8 @@
+Index: r-cran-rcppparallel-5.0.2+dfsg/R/build.R
+===================================================================
+--- r-cran-rcppparallel-5.0.2+dfsg.orig/R/build.R
++++ r-cran-rcppparallel-5.0.2+dfsg/R/build.R
+@@ -53,37 +53,8 @@ tbbCxxFlags <- function() {
  
  # Return the linker flags requried for TBB on this platform
  tbbLdFlags <- function() {
@@ -49,15 +53,17 @@
 -   } else {
 -      ""
 -   }
-+   tbb <- tbbLibPath()
-+   paste("-L", asBuildPath(dirname(tbb)), " -ltbb -ltbbmalloc", sep = "")
- }
- 
- # Determine the platform-specific path to the TBB library
-@@ -71,15 +66,7 @@
-       "Windows" = paste("tbb", suffix, ".dll", sep = ""),
-       "SunOS" = paste("libtbb", suffix, ".so", sep = "")
-    )
+-}
+-
+-# Determine the platform-specific path to the TBB library
+-tbbLibPath <- function(suffix = "") {
+-   sysname <- Sys.info()['sysname']
+-   tbbSupported <- list(
+-      "Darwin" = paste("libtbb", suffix, ".dylib", sep = ""), 
+-      "Linux" = paste("libtbb", suffix, ".so.2", sep = ""), 
+-      "Windows" = paste("tbb", suffix, ".dll", sep = ""),
+-      "SunOS" = paste("libtbb", suffix, ".so", sep = "")
+-   )
 -   if ((sysname %in% names(tbbSupported)) && !isSparc()) {
 -      libDir <- "lib/"
 -      if (sysname == "Windows")
@@ -67,7 +73,41 @@
 -   } else {
 -      NULL
 -   }
-+   libDir <- paste("/usr/lib/", version$arch, "-linux-gnu/libtbb.so", sep = 
"")
+-}
+-
+-isSparc <- function() {
+-   Sys.info()['sysname'] == "SunOS" && Sys.info()[["machine"]] != "i86pc"
++   tbb <- tbbLibPath()
++   paste(" -ltbb -ltbbmalloc", sep = "")
  }
  
- isSparc <- function() {
+ # Helper function to ape the behavior of the R build system
+Index: r-cran-rcppparallel-5.0.2+dfsg/R/hooks.R
+===================================================================
+--- r-cran-rcppparallel-5.0.2+dfsg.orig/R/hooks.R
++++ r-cran-rcppparallel-5.0.2+dfsg/R/hooks.R
+@@ -5,22 +5,8 @@ mallocDllInfo <- NULL
+ .onLoad <- function(libname, pkgname) {
+    
+    # load tbb and tbbmalloc on supported platforms   
+-   tbb <- tbbLibPath()
+-   if (!is.null(tbb)) {
+-      if (!file.exists(tbb)) {
+-         warning(paste("TBB library", tbb, "not found."))
+-      } else {
+-         dllInfo <<- dyn.load(tbb, local = FALSE, now = TRUE)
+-      }
+-   }
+-   tbbMalloc <- tbbLibPath("malloc")
+-   if (!is.null(tbbMalloc)) {
+-      if (!file.exists(tbbMalloc)) {
+-         warning(paste("TBB malloc library", tbbMalloc, "not found."))
+-      } else {
+-         mallocDllInfo <<- dyn.load(tbbMalloc, local = FALSE, now = TRUE)
+-      }
+-   }
++   dllInfo <<- dyn.load("libtbb.so.2", local = FALSE, now = TRUE)
++   mallocDllInfo <<- dyn.load("libtbbmalloc.so.2", local = FALSE, now = TRUE)
+    
+    # load the package library
+    library.dynam("RcppParallel", pkgname, libname)

Bug#982465: Bug in r-base and r-cran-rcppparallel

Reply via email to