[Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe

public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe
@ 2012-08-22 22:24 bugdal at aerifal dot cx
  2012-08-22 22:27 ` [Bug dynamic-link/14511] " bugdal at aerifal dot cx
                   ` (10 more replies)
  0 siblings, 11 replies; 12+ messages in thread
From: bugdal at aerifal dot cx @ 2012-08-22 22:24 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

             Bug #: 14511
           Summary: dlclose DSO unloading fundamentally unsafe
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
        AssignedTo: unassigned@sourceware.org
        ReportedBy: bugdal@aerifal.cx
    Classification: Unclassified

dlclose attempts to unload/unmap the DSO when closing the last reference.
Unfortunately, this operation is fundamentally unsafe. Consider a program
"main" that links to a library "foo" and dynamically loads another library
"bar" which depends on "foo". In this situation, "bar" is a candidate for
unloading, but "foo" is not. Suppose "bar" was not designed specifically for
use as a dynamic loaded module, just an ordinary library, and suppose "bar"
leaks a reference to functions or objects in its mapping down to "foo" -- for
example, by registering a widget/codec/converter/etc. of some sort for use by
"foo". After "main" closes "bar", the leaked reference remains in storage
belonging to "foo", and will result in UB (crash or worse) when "foo" later
attempts to dereference it.

Note that the problem would not arise if both "foo" and "bar" had been loaded
dynamically with the same reference count (i.e. with "bar" as the only user of
"foo") since "foo" would also get unloaded at this point; nor would it arise if
both were linked into "main".

I'm attaching minimal test cases to demonstrate the problem. The "registration
with foo" concept is idiotically oversimplified in the test case, but you can
imagine it being some fancier data structure that allows multiple registration
and perhaps even unregistration.

Moreover, this kind of issue is not the ONLY way dlclose can break things; it's
just one example. Another example would be a library which starts a thread the
first time it's called and never reports the fact that it started a thread to
the calling application. This will of course crash immediately when dlclose is
called.

For better or worse, there is no way to fix the problem outright without
disabling unmapping on dlclose entirely. As a fix, I recommend disabling
unmapping, and creating a new DT_GNU_UNLOADABLE tag or other similar mechanism
that DSOs can use to tag themselves as safe for unloading. Then, DSOs being
built with the intent of being plugins/loadable-modules can be written to be
unload-safe and tagged as such, and the dynamic linker will no longer trash the
process when closing a plain library file that was not intended to be
unloadable.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
@ 2012-08-22 22:27 ` bugdal at aerifal dot cx
  2012-08-22 22:30 ` bugdal at aerifal dot cx
                   ` (9 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: bugdal at aerifal dot cx @ 2012-08-22 22:27 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

--- Comment #1 from Rich Felker <bugdal at aerifal dot cx> 2012-08-22 22:27:15 UTC ---
Created attachment 6601
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6601
source for libfoo.so

compile with gcc -shared -o libfoo.so foo.c

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
  2012-08-22 22:27 ` [Bug dynamic-link/14511] " bugdal at aerifal dot cx
@ 2012-08-22 22:30 ` bugdal at aerifal dot cx
  2012-08-22 22:32 ` bugdal at aerifal dot cx
                   ` (8 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: bugdal at aerifal dot cx @ 2012-08-22 22:30 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

--- Comment #2 from Rich Felker <bugdal at aerifal dot cx> 2012-08-22 22:30:38 UTC ---
Created attachment 6602
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6602
source to libbar.so

compile with gcc -shared -o libbar.so bar.c -L. -lfoo

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
  2012-08-22 22:27 ` [Bug dynamic-link/14511] " bugdal at aerifal dot cx
  2012-08-22 22:30 ` bugdal at aerifal dot cx
@ 2012-08-22 22:32 ` bugdal at aerifal dot cx
  2012-08-23  5:24 ` ppluzhnikov at google dot com
                   ` (7 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: bugdal at aerifal dot cx @ 2012-08-22 22:32 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

--- Comment #3 from Rich Felker <bugdal at aerifal dot cx> 2012-08-22 22:32:29 UTC ---
Created attachment 6603
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6603
source for main test program

compile with gcc main.c -L. -lfoo -ldl to see the bug; add -lbar to see it go
away

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (2 preceding siblings ...)
  2012-08-22 22:32 ` bugdal at aerifal dot cx
@ 2012-08-23  5:24 ` ppluzhnikov at google dot com
  2012-08-23  6:50 ` jakub at redhat dot com
                   ` (6 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: ppluzhnikov at google dot com @ 2012-08-23  5:24 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot
                   |                            |com

--- Comment #4 from Paul Pluzhnikov <ppluzhnikov at google dot com> 2012-08-23 05:24:13 UTC ---
> Unfortunately, this operation is fundamentally unsafe.

No, it isn't. Unloading a library that wasn't designed to be unloadable is
unsafe, so don't do that.

Unloading in general is very useful, so blank disable of unloading you proposed
would be akin to throwing the baby out with the bathwater.

Finally, a library can be linked with -Wl,-z,nodelete, which would prevent it
from  ever being unloaded.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (3 preceding siblings ...)
  2012-08-23  5:24 ` ppluzhnikov at google dot com
@ 2012-08-23  6:50 ` jakub at redhat dot com
  2012-08-23 12:01 ` bugdal at aerifal dot cx
                   ` (5 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: jakub at redhat dot com @ 2012-08-23  6:50 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

Jakub Jelinek <jakub at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jakub at redhat dot com
         Resolution|                            |INVALID

--- Comment #5 from Jakub Jelinek <jakub at redhat dot com> 2012-08-23 06:50:25 UTC ---
The testcase is invalid.  As Paul said, you can use DF_1_NODELETE on libraries
that you don't want to unload ever, or if a library (libfoo) in this case
performs a cal to a function from libbar, it will have a dynamic dependency on
libbar through symbol resolution and thus would allow libbar to be unmapped
only when libfoo is about to go away too.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (4 preceding siblings ...)
  2012-08-23  6:50 ` jakub at redhat dot com
@ 2012-08-23 12:01 ` bugdal at aerifal dot cx
  2012-08-23 12:04 ` jakub at redhat dot com
                   ` (4 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: bugdal at aerifal dot cx @ 2012-08-23 12:01 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

Rich Felker <bugdal at aerifal dot cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

--- Comment #6 from Rich Felker <bugdal at aerifal dot cx> 2012-08-23 12:00:37 UTC ---
Add an extra level of libraries then. For example, consider myplugin.so that
depends on libbar.so which depends on libfoo.so. If myplugin.so is designed to
be unload-safe, but libbar.so isn't, the application has no way of knowing it's
unsafe to call dlclose on myplugin.so.

I agree DF_1_NODELETE/-Wl,-z,nodelete is part of the fix, but the default is
backwards. A library is not safely unloadable by default. It's only safely
unloadable if it was explicitly designed to be. Perhaps if libtool added
-Wl,-z,nodelete by default except when configured not to, that would solve the
problem...

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (5 preceding siblings ...)
  2012-08-23 12:01 ` bugdal at aerifal dot cx
@ 2012-08-23 12:04 ` jakub at redhat dot com
  2014-06-17  5:54 ` fweimer at redhat dot com
                   ` (3 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: jakub at redhat dot com @ 2012-08-23 12:04 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

Jakub Jelinek <jakub at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |INVALID

--- Comment #7 from Jakub Jelinek <jakub at redhat dot com> 2012-08-23 12:04:00 UTC ---
Doesn't matter what levels of libraries you have.  It is users responsibility
to ensure pointers to library code aren't accessed after library is unloaded. 
The default is correct, and has been that way since the beginning.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (6 preceding siblings ...)
  2012-08-23 12:04 ` jakub at redhat dot com
@ 2014-06-17  5:54 ` fweimer at redhat dot com
  2023-08-07 10:10 ` sam at gentoo dot org
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: fweimer at redhat dot com @ 2014-06-17  5:54 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=14511

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (7 preceding siblings ...)
  2014-06-17  5:54 ` fweimer at redhat dot com
@ 2023-08-07 10:10 ` sam at gentoo dot org
  2023-08-07 10:10 ` sam at gentoo dot org
  2024-02-06 14:42 ` gabravier at gmail dot com
  10 siblings, 0 replies; 12+ messages in thread
From: sam at gentoo dot org @ 2023-08-07 10:10 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=14511

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugz
                   |                            |illa/show_bug.cgi?id=14512

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (8 preceding siblings ...)
  2023-08-07 10:10 ` sam at gentoo dot org
@ 2023-08-07 10:10 ` sam at gentoo dot org
  2024-02-06 14:42 ` gabravier at gmail dot com
  10 siblings, 0 replies; 12+ messages in thread
From: sam at gentoo dot org @ 2023-08-07 10:10 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=14511

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (9 preceding siblings ...)
  2023-08-07 10:10 ` sam at gentoo dot org
@ 2024-02-06 14:42 ` gabravier at gmail dot com
  10 siblings, 0 replies; 12+ messages in thread
From: gabravier at gmail dot com @ 2024-02-06 14:42 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=14511

Gabriel Ravier <gabravier at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gabravier at gmail dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2024-02-06 14:42 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
2012-08-22 22:27 ` [Bug dynamic-link/14511] " bugdal at aerifal dot cx
2012-08-22 22:30 ` bugdal at aerifal dot cx
2012-08-22 22:32 ` bugdal at aerifal dot cx
2012-08-23  5:24 ` ppluzhnikov at google dot com
2012-08-23  6:50 ` jakub at redhat dot com
2012-08-23 12:01 ` bugdal at aerifal dot cx
2012-08-23 12:04 ` jakub at redhat dot com
2014-06-17  5:54 ` fweimer at redhat dot com
2023-08-07 10:10 ` sam at gentoo dot org
2023-08-07 10:10 ` sam at gentoo dot org
2024-02-06 14:42 ` gabravier at gmail dot com

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).