public inbox for glibc-bugs@sourceware.org
* [Bug dynamic-link/13823] New: Bogus LD_AUDIT can cause target binary to segfault
From: law at redhat dot com @ 2012-03-08 16:54 UTC
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13823
Bug #: 13823
Summary: Bogus LD_AUDIT can cause target binary to segfault
Product: glibc
Version: 2.15
Status: NEW
Severity: normal
Priority: P2
Component: dynamic-link
AssignedTo: unassigned@sourceware.org
ReportedBy: law@redhat.com
Classification: Unclassified
Specifying an invalid LD_AUDIT file can cause the target application to
segfault.
First, you want the target program you're using to do something like setlocale
right after it starts. /bin/true and /bin/false are good for this purpose.
Second, prelinking is necessary; I don't know why yet, but it was definitely
necessary to run a prelink -a after updating ld.so to trigger the behaviour.
Third, the auditing bits must be bogus, preferably a non-existent file.
So, something like
LD_AUDIT=/blah /bin/true
Where /blah does not exist turns out to be a good reproducer.
From what I've been able to put together, when LD_AUDIT is specified we call
init_tls earlier than normal:
  /* If we have auditing DSOs to load, do it now.  */
  if (__builtin_expect (audit_list != NULL, 0))
    {
      /* Iterate over all entries in the list.  The order is important.  */
      struct audit_ifaces *last_audit = NULL;
      struct audit_list *al = audit_list->next;

      /* Since we start using the auditing DSOs right away we need to
         initialize the data structures now.  */
      tcbp = init_tls ();
      ...
    }
  ...
  /* Load all the libraries specified by DT_NEEDED entries.  If LD_PRELOAD
     specified some libraries to load, these are inserted before the actual
     dependencies in the executable's searchlist for symbol resolution.  */
  HP_TIMING_NOW (start);
  _dl_map_object_deps (main_map, preloads, npreloads, mode == trace, 0);
  HP_TIMING_NOW (stop);
  HP_TIMING_DIFF (diff, start, stop);
  HP_TIMING_ACCUM_NT (load_time, diff);

  /* We do not initialize any of the TLS functionality unless any of the
     initial modules uses TLS.  This makes dynamic loading of modules with
     TLS impossible, but to support it requires either eagerly doing setup
     now or lazily doing it later.  Doing it now makes us incompatible with
     an old kernel that can't perform TLS_INIT_TP, even if no TLS is ever
     used.  Trying to do it lazily is too hairy to try when there could be
     multiple threads (from a non-TLS-using libpthread).  */
  bool was_tls_init_tp_called = tls_init_tp_called;
  if (tcbp == NULL)
    tcbp = init_tls ();
At the earlier init_tls call we haven't seen a DSO with TLS bits. As a result
init_tls & eventually dl_allocate_tls_init have nothing interesting to do. The
result being the TLS bits in libc.so.6 aren't initialized and all hell breaks
loose in the locale bits as the thread local variables aren't properly
initialized.
Ideally if the auditing module is bogus we should just ignore it and the
application should run normally. Segfaulting is, umm, bad.
I pondered delaying the first init_tls call until we know the auditing module
is loadable, but I'm concerned that's simply too late.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
* [Bug dynamic-link/13823] Bogus LD_AUDIT can cause target binary to segfault
From: gopo at mywingsoflove dot com @ 2012-09-10 14:52 UTC
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13823
Gopobandhu Sahu <gopo at mywingsoflove dot com> changed:
What             |Removed |Added
----------------------------------------------------------------------------
CC               |        |gopo at mywingsoflove dot com
--- Comment #1 from Gopobandhu Sahu <gopo at mywingsoflove dot com> 2012-09-10 14:52:37 UTC ---
I have found that it doesn't need to be a bogus LD_AUDIT library. For
latrace it's also failing while linking the second-level libraries (i.e.
dependent libraries of libraries).
You can reproduce this issue by running
> latrace gedit
The above command causes a segfault in the application.
* [Bug dynamic-link/13823] Bogus LD_AUDIT can cause target binary to segfault
From: neleai at seznam dot cz @ 2013-10-21 6:55 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13823
Ondrej Bilka <neleai at seznam dot cz> changed:
What             |Removed |Added
----------------------------------------------------------------------------
CC               |        |neleai at seznam dot cz
--- Comment #2 from Ondrej Bilka <neleai at seznam dot cz> ---
Looks almost like a duplicate of 15199.
* [Bug dynamic-link/13823] Bogus LD_AUDIT can cause target binary to segfault
From: fweimer at redhat dot com @ 2014-06-26 14:01 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13823
Florian Weimer <fweimer at redhat dot com> changed:
What             |Removed |Added
----------------------------------------------------------------------------
Flags            |        |security-
* [Bug dynamic-link/13823] Bogus LD_AUDIT can cause target binary to segfault
From: woodard at redhat dot com @ 2021-05-26 17:31 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13823
Ben Woodard <woodard at redhat dot com> changed:
What             |Removed |Added
----------------------------------------------------------------------------
CC               |        |woodard at redhat dot com
* [Bug dynamic-link/13823] Bogus LD_AUDIT can cause target binary to segfault
From: carlos at redhat dot com @ 2024-06-18 20:32 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13823
Carlos O'Donell <carlos at redhat dot com> changed:
What             |Removed |Added
----------------------------------------------------------------------------
Status           |NEW     |RESOLVED
Resolution       |---     |FIXED
Target Milestone |---     |2.29
--- Comment #5 from Carlos O'Donell <carlos at redhat dot com> ---
$ LD_AUDIT=/blah /bin/true
ERROR: ld.so: object '/blah' cannot be loaded as audit interface: cannot open shared object file; ignored.

The error messages were reorganized and fixed up by Florian in 2019.

commit 3b856d093f5197637a5927c37d6c07dad8c86d45
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Feb 12 13:36:56 2019 +0100

    elf: Ignore LD_AUDIT interfaces if la_version returns 0 [BZ #24122]

    This change moves the audit module loading and early notification into
    separate functions out of dl_main.

    It restores the bug fix from commit 8e889c5da3c5981c5a46a93fec02de40131ac5a6
    ("elf: Fix LD_AUDIT for modules with invalid version (BZ#24122)") which
    was reverted in commit 83e6b59625f45db1eee93e5684091f740c52a083
    ("[elf] Revert 8e889c5da3 (BZ#24122)").

    The actual bug fix is the separate error message for the case when
    la_version returns zero. The dynamic linker error message (which is
    NULL in this case) is no longer used. Based on the intended use of
    version zero (ignore this module due to explicit request), the message
    is only printed if debugging is enabled.

I'm considering this fixed in glibc 2.29.
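As an added example (not code from the bug report, from glibc, or from the commit quoted in comment #5), here is a minimal LD_AUDIT module in C that follows the la_version contract the fix describes: returning 0 asks ld.so to ignore the module, otherwise the module accepts the version the loader offers. It also logs each object the loader maps, which is the ordinary visibility an audit module gives a defender. The `AUDIT_EXAMPLE_DISABLE` environment variable, the `audit_example_choose_version` helper and the minimum-version constant are assumptions made for this example; the code assumes a glibc system, where `<link.h>` provides the audit types, with a small fallback so it still compiles elsewhere.

```c
#define _GNU_SOURCE
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef LAV_CURRENT
/* Fallback (assumption for portability): <link.h> without the GNU audit ABI
   defines neither LAV_CURRENT nor Lmid_t, so supply minimal stand-ins. */
#define LAV_CURRENT 1
typedef long int Lmid_t;
#endif

/* Oldest audit interface version this module knows how to handle (assumption). */
#define AUDIT_EXAMPLE_MIN_VERSION 1

/* Hypothetical environment variable used to demonstrate the "explicit request
   to ignore this module" path: when it is set, la_version returns 0. */
#define AUDIT_EXAMPLE_DISABLE_ENV "AUDIT_EXAMPLE_DISABLE"

/* Pure decision helper so the policy can be tested without a dynamic loader.
   offered  : version the dynamic linker proposes (ld.so passes LAV_CURRENT).
   disabled : non-zero when the operator asked for the module to be skipped.
   Returns 0 to tell ld.so to ignore the module, else the version to use. */
unsigned int audit_example_choose_version(unsigned int offered, int disabled)
{
    if (disabled)
        return 0;                   /* deliberate opt-out: loader skips us quietly */
    if (offered < AUDIT_EXAMPLE_MIN_VERSION)
        return 0;                   /* loader too old for this module: bow out */
    return offered;                 /* accept the version the loader proposed */
}

/* Entry point ld.so calls first; the only mandatory symbol of an audit module. */
unsigned int la_version(unsigned int version)
{
    int disabled = getenv(AUDIT_EXAMPLE_DISABLE_ENV) != NULL;
    unsigned int chosen = audit_example_choose_version(version, disabled);
    if (chosen == 0)
        fprintf(stderr, "audit-example: opting out (loader offered %u)\n", version);
    return chosen;
}

/* Called once per object the loader maps; logging the name records what the
   process actually loaded.  The main program has an empty l_name.  Returning 0
   requests no symbol-binding callbacks for this object. */
unsigned int la_objopen(struct link_map *map, Lmid_t lmid, uintptr_t *cookie)
{
    (void)lmid;
    *cookie = (uintptr_t)map;
    const char *name = (map->l_name != NULL && map->l_name[0] != '\0')
                           ? map->l_name : "(main program)";
    fprintf(stderr, "audit-example: objopen %s\n", name);
    return 0;
}
```

Build it as a shared object (`gcc -shared -fPIC -o audit-example.so audit-example.c`) and run a program with `LD_AUDIT=$PWD/audit-example.so`; each mapped object is reported on stderr. With `AUDIT_EXAMPLE_DISABLE` set, la_version returns 0 and, on glibc 2.29 or later as the commit message states, the loader ignores the module and reports it only when loader debugging is enabled, while the program runs normally, which is the behaviour the original report asked for in the bogus-module case.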