[Bug dynamic-link/13823] New: Bogus LD_AUDIT can cause target binary to segfault

[Bug dynamic-link/13823] New: Bogus LD_AUDIT can cause target binary to segfault

[law at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13823

             Bug #: 13823
           Summary: Bogus LD_AUDIT can cause target binary to segfault
           Product: glibc
           Version: 2.15
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
        AssignedTo: unassigned@sourceware.org
        ReportedBy: law@redhat.com
    Classification: Unclassified


Specifying an invalid LD_AUDIT file can cause the target application to
segfault.

First, you want the target program you're using to do something like setlocale
right after it starts.  /bin/true and /bin/false are good for this purpose.

Second, prelinking is necessary; I don't know why yet, but it was definitely
necessary to run a prelink -a after updating ld.so to trigger the behaviour.

Third, the auditing bits must be bogus, preferably a non-existent file.

So, something like

LD_AUDIT=/blah /bin/true

Where /blah does not exist turns out to be a good reproducer.

>From what I've been able to put together, when LD_AUDIT is specified we call
init_tls earlier than normal:

 /* If we have auditing DSOs to load, do it now.  */
  if (__builtin_expect (audit_list != NULL, 0))
    {
      /* Iterate over all entries in the list.  The order is important.  */
      struct audit_ifaces *last_audit = NULL;
      struct audit_list *al = audit_list->next;

      /* Since we start using the auditing DSOs right away we need to
         initialize the data structures now.  */
      tcbp = init_tls ();
      ...
    }
  ...

 /* Load all the libraries specified by DT_NEEDED entries.  If LD_PRELOAD
     specified some libraries to load, these are inserted before the actual
     dependencies in the executable's searchlist for symbol resolution.  */
  HP_TIMING_NOW (start);
  _dl_map_object_deps (main_map, preloads, npreloads, mode == trace, 0);
  HP_TIMING_NOW (stop);
  HP_TIMING_DIFF (diff, start, stop);
  HP_TIMING_ACCUM_NT (load_time, diff);


 /* We do not initialize any of the TLS functionality unless any of the
     initial modules uses TLS.  This makes dynamic loading of modules with
     TLS impossible, but to support it requires either eagerly doing setup
     now or lazily doing it later.  Doing it now makes us incompatible with
     an old kernel that can't perform TLS_INIT_TP, even if no TLS is ever
     used.  Trying to do it lazily is too hairy to try when there could be
     multiple threads (from a non-TLS-using libpthread).  */
  bool was_tls_init_tp_called = tls_init_tp_called;
  if (tcbp == NULL)
    tcbp = init_tls ();

At the earlier init_tls call we haven't seen a DSO with TLS bits.  As a result
init_tls & eventually dl_allocate_tls_init have nothing interesting to do.  The
result being the TLS bits in libc.so.6 aren't initialized and all hell breaks
loose in the locale bits as the thread local variables aren't properly
initialized.

Ideally if the auditing module is bogus we should just ignore it and the
application should run normally.  Segfaulting is, umm, bad.

I pondered delaying the first init_tls call until we know the auditing module
is loadable, but I'm concerned that's simply too late.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug dynamic-link/13823] Bogus LD_AUDIT can cause target binary to segfault

[gopo at mywingsoflove dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13823

Gopobandhu Sahu <gopo at mywingsoflove dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gopo at mywingsoflove dot
                   |                            |com

--- Comment #1 from Gopobandhu Sahu <gopo at mywingsoflove dot com> 2012-09-10 14:52:37 UTC ---
I have found that it's not necessary that it needs to be a bogus LD_AUDIT
library.
for latrace also it's failing while linking the second level libraries (i.e.
dependent libraries of libraries)

You can reproduce this issue by running

> latrace gedit

the above command cause segfault in the application

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug dynamic-link/13823] Bogus LD_AUDIT can cause target binary to segfault

[neleai at seznam dot cz]

https://sourceware.org/bugzilla/show_bug.cgi?id=13823

Ondrej Bilka <neleai at seznam dot cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |neleai at seznam dot cz

--- Comment #2 from Ondrej Bilka <neleai at seznam dot cz> ---
Looks almost as duplicate of 15199.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug dynamic-link/13823] Bogus LD_AUDIT can cause target binary to segfault

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=13823

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug dynamic-link/13823] Bogus LD_AUDIT can cause target binary to segfault

[woodard at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=13823

Ben Woodard <woodard at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |woodard at redhat dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug dynamic-link/13823] Bogus LD_AUDIT can cause target binary to segfault

[carlos at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=13823

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.29

--- Comment #5 from Carlos O'Donell <carlos at redhat dot com> ---
$ LD_AUDIT=/blah /bin/true
ERROR: ld.so: object '/blah' cannot be loaded as audit interface: cannot open
shared object file; ignored.

The error messages were reorganized and fixed up by Florian in 2019.

commit 3b856d093f5197637a5927c37d6c07dad8c86d45
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Feb 12 13:36:56 2019 +0100

    elf: Ignore LD_AUDIT interfaces if la_version returns 0 [BZ #24122]

    This change moves the audit module loading and early notification into
    separate functions out of dl_main.

    It restores the bug fix from commit
    8e889c5da3c5981c5a46a93fec02de40131ac5a6  ("elf: Fix LD_AUDIT for
    modules with invalid version (BZ#24122)") which was reverted in commit
    83e6b59625f45db1eee93e5684091f740c52a083  ("[elf] Revert 8e889c5da3
    (BZ#24122)").

    The actual bug fix is the separate error message for the case when
    la_version returns zero.  The dynamic linker error message (which is
    NULL in this case) is no longer used.  Based on the intended use of
    version zero (ignore this module due to explicit request), the message
    is only printed if debugging is enabled.

I'm considering this fixed in glibc 2.29.

-- 
You are receiving this mail because:
You are on the CC list for the bug.