public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "law at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sources.redhat.com
Subject: [Bug dynamic-link/13823] New: Bogus LD_AUDIT can cause target binary to segfault
Date: Thu, 08 Mar 2012 16:54:00 -0000 [thread overview]
Message-ID: <bug-13823-131@http.sourceware.org/bugzilla/> (raw)
http://sourceware.org/bugzilla/show_bug.cgi?id=13823
Bug #: 13823
Summary: Bogus LD_AUDIT can cause target binary to segfault
Product: glibc
Version: 2.15
Status: NEW
Severity: normal
Priority: P2
Component: dynamic-link
AssignedTo: unassigned@sourceware.org
ReportedBy: law@redhat.com
Classification: Unclassified
Specifying an invalid LD_AUDIT file can cause the target application to
segfault.
First, you want the target program you're using to do something like setlocale
right after it starts. /bin/true and /bin/false are good for this purpose.
Second, prelinking is necessary; I don't know why yet, but it was definitely
necessary to run a prelink -a after updating ld.so to trigger the behaviour.
Third, the auditing bits must be bogus, preferably a non-existent file.
So, something like
LD_AUDIT=/blah /bin/true
Where /blah does not exist turns out to be a good reproducer.
>From what I've been able to put together, when LD_AUDIT is specified we call
init_tls earlier than normal:
/* If we have auditing DSOs to load, do it now. */
if (__builtin_expect (audit_list != NULL, 0))
{
/* Iterate over all entries in the list. The order is important. */
struct audit_ifaces *last_audit = NULL;
struct audit_list *al = audit_list->next;
/* Since we start using the auditing DSOs right away we need to
initialize the data structures now. */
tcbp = init_tls ();
...
}
...
/* Load all the libraries specified by DT_NEEDED entries. If LD_PRELOAD
specified some libraries to load, these are inserted before the actual
dependencies in the executable's searchlist for symbol resolution. */
HP_TIMING_NOW (start);
_dl_map_object_deps (main_map, preloads, npreloads, mode == trace, 0);
HP_TIMING_NOW (stop);
HP_TIMING_DIFF (diff, start, stop);
HP_TIMING_ACCUM_NT (load_time, diff);
/* We do not initialize any of the TLS functionality unless any of the
initial modules uses TLS. This makes dynamic loading of modules with
TLS impossible, but to support it requires either eagerly doing setup
now or lazily doing it later. Doing it now makes us incompatible with
an old kernel that can't perform TLS_INIT_TP, even if no TLS is ever
used. Trying to do it lazily is too hairy to try when there could be
multiple threads (from a non-TLS-using libpthread). */
bool was_tls_init_tp_called = tls_init_tp_called;
if (tcbp == NULL)
tcbp = init_tls ();
At the earlier init_tls call we haven't seen a DSO with TLS bits. As a result
init_tls & eventually dl_allocate_tls_init have nothing interesting to do. The
result being the TLS bits in libc.so.6 aren't initialized and all hell breaks
loose in the locale bits as the thread local variables aren't properly
initialized.
Ideally if the auditing module is bogus we should just ignore it and the
application should run normally. Segfaulting is, umm, bad.
I pondered delaying the first init_tls call until we know the auditing module
is loadable, but I'm concerned that's simply too late.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
next reply other threads:[~2012-03-08 16:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-08 16:54 law at redhat dot com [this message]
2012-09-10 14:52 ` [Bug dynamic-link/13823] " gopo at mywingsoflove dot com
2013-10-21 6:55 ` neleai at seznam dot cz
2014-06-26 14:01 ` fweimer at redhat dot com
2021-05-26 17:31 ` woodard at redhat dot com
2024-06-18 20:32 ` carlos at redhat dot com
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-13823-131@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=glibc-bugs@sources.redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).