UPX - a powerful executable packer

This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).

The behavior occurs because ld-linux.so.2 uses readlink("/proc/self/exe",)
when expanding $ORIGIN for rpath. The upx runtime decompression stub is so
good at removing all traces of itself, that *all* pages of the original
executable are unmapped, and under these circumstances the kernel erases
the symlink for /proc/self/exe. Removing all traces of the stub is
desirable so that the process has no interference with its address space
because of compression.

The upx decompression stub saves the original value of
readlink("/proc/self/exe",) as the value of new environment variable " "
[three spaces.] Also, the linux kernel puts the filename that was
specified as the first argument to execve(), into the process address space
as (char *)(1+ strlen(env[-1+ n_env]) + env[-1+ n_env]) where env and n_env
are the original environment and number of environment variables. The upx
decompression stub adds its environment variable " " [three spaces] in a
compatible way.

If readlink("/proc/self/exe",) fails then ld-linux should use some other
algorithm, such as the one involving env[-1 + n_env]. That is faster
anyway; but it requires ld-linux to save [a pointer to] the value upon
invocation, and it might regquire that the linux kernel admit [document]
its behavior. Complain to ld-linux. Note that $ORIGIN fails anyway if
some other process unmounts it between the execve() and the search for the
library; thus -rpath is not robust.

I need to mention that this applies only to executables using $ORIGIN in
rpath