public inbox for glibc-bugs@sourceware.org
* [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe
@ 2012-08-22 22:24 bugdal at aerifal dot cx
  2012-08-22 22:27 ` [Bug dynamic-link/14511] " bugdal at aerifal dot cx
                   ` (10 more replies)
  0 siblings, 11 replies; 12+ messages in thread
From: bugdal at aerifal dot cx @ 2012-08-22 22:24 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

             Bug #: 14511
           Summary: dlclose DSO unloading fundamentally unsafe
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
        AssignedTo: unassigned@sourceware.org
        ReportedBy: bugdal@aerifal.cx
    Classification: Unclassified


dlclose attempts to unload/unmap the DSO when closing the last reference.
Unfortunately, this operation is fundamentally unsafe. Consider a program
"main" that links to a library "foo" and dynamically loads another library
"bar" which depends on "foo". In this situation, "bar" is a candidate for
unloading, but "foo" is not. Suppose "bar" was not designed specifically for
use as a dynamically loaded module, just an ordinary library, and suppose "bar"
leaks a reference to functions or objects in its mapping down to "foo" -- for
example, by registering a widget/codec/converter/etc. of some sort for use by
"foo". After "main" closes "bar", the leaked reference remains in storage
belonging to "foo", and will result in UB (crash or worse) when "foo" later
attempts to dereference it.

Note that the problem would not arise if both "foo" and "bar" had been loaded
dynamically with the same reference count (i.e. with "bar" as the only user of
"foo") since "foo" would also get unloaded at this point; nor would it arise if
both were linked into "main".

I'm attaching minimal test cases to demonstrate the problem. The "registration
with foo" concept is idiotically oversimplified in the test case, but you can
imagine it being some fancier data structure that allows multiple registration
and perhaps even unregistration.

Moreover, this kind of issue is not the ONLY way dlclose can break things; it's
just one example. Another example would be a library which starts a thread the
first time it's called and never reports the fact that it started a thread to
the calling application. This will of course crash immediately when dlclose is
called.

For better or worse, there is no way to fix the problem outright without
disabling unmapping on dlclose entirely. As a fix, I recommend disabling
unmapping, and creating a new DT_GNU_UNLOADABLE tag or other similar mechanism
that DSOs can use to tag themselves as safe for unloading. Then, DSOs being
built with the intent of being plugins/loadable-modules can be written to be
unload-safe and tagged as such, and the dynamic linker will no longer trash the
process when closing a plain library file that was not intended to be
unloadable.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
@ 2012-08-22 22:27 ` bugdal at aerifal dot cx
  2012-08-22 22:30 ` bugdal at aerifal dot cx
                   ` (9 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: bugdal at aerifal dot cx @ 2012-08-22 22:27 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

--- Comment #1 from Rich Felker <bugdal at aerifal dot cx> 2012-08-22 22:27:15 UTC ---
Created attachment 6601
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6601
source for libfoo.so

compile with gcc -shared -o libfoo.so foo.c



^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
  2012-08-22 22:27 ` [Bug dynamic-link/14511] " bugdal at aerifal dot cx
@ 2012-08-22 22:30 ` bugdal at aerifal dot cx
  2012-08-22 22:32 ` bugdal at aerifal dot cx
                   ` (8 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: bugdal at aerifal dot cx @ 2012-08-22 22:30 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

--- Comment #2 from Rich Felker <bugdal at aerifal dot cx> 2012-08-22 22:30:38 UTC ---
Created attachment 6602
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6602
source to libbar.so

compile with gcc -shared -o libbar.so bar.c -L. -lfoo



^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
  2012-08-22 22:27 ` [Bug dynamic-link/14511] " bugdal at aerifal dot cx
  2012-08-22 22:30 ` bugdal at aerifal dot cx
@ 2012-08-22 22:32 ` bugdal at aerifal dot cx
  2012-08-23  5:24 ` ppluzhnikov at google dot com
                   ` (7 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: bugdal at aerifal dot cx @ 2012-08-22 22:32 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

--- Comment #3 from Rich Felker <bugdal at aerifal dot cx> 2012-08-22 22:32:29 UTC ---
Created attachment 6603
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6603
source for main test program

compile with gcc main.c -L. -lfoo -ldl to see the bug; add -lbar to see it go
away



^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (2 preceding siblings ...)
  2012-08-22 22:32 ` bugdal at aerifal dot cx
@ 2012-08-23  5:24 ` ppluzhnikov at google dot com
  2012-08-23  6:50 ` jakub at redhat dot com
                   ` (6 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: ppluzhnikov at google dot com @ 2012-08-23  5:24 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot
                   |                            |com

--- Comment #4 from Paul Pluzhnikov <ppluzhnikov at google dot com> 2012-08-23 05:24:13 UTC ---
> Unfortunately, this operation is fundamentally unsafe.

No, it isn't. Unloading a library that wasn't designed to be unloadable is
unsafe, so don't do that.

Unloading in general is very useful, so the blanket disabling of unloading you
proposed would be akin to throwing the baby out with the bathwater.

Finally, a library can be linked with -Wl,-z,nodelete, which would prevent it
from ever being unloaded.



^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (3 preceding siblings ...)
  2012-08-23  5:24 ` ppluzhnikov at google dot com
@ 2012-08-23  6:50 ` jakub at redhat dot com
  2012-08-23 12:01 ` bugdal at aerifal dot cx
                   ` (5 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: jakub at redhat dot com @ 2012-08-23  6:50 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

Jakub Jelinek <jakub at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jakub at redhat dot com
         Resolution|                            |INVALID

--- Comment #5 from Jakub Jelinek <jakub at redhat dot com> 2012-08-23 06:50:25 UTC ---
The testcase is invalid.  As Paul said, you can use DF_1_NODELETE on libraries
that you don't want to unload ever, or if a library (libfoo in this case)
performs a call to a function from libbar, it will have a dynamic dependency on
libbar through symbol resolution and thus would allow libbar to be unmapped
only when libfoo is about to go away too.



^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (4 preceding siblings ...)
  2012-08-23  6:50 ` jakub at redhat dot com
@ 2012-08-23 12:01 ` bugdal at aerifal dot cx
  2012-08-23 12:04 ` jakub at redhat dot com
                   ` (4 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: bugdal at aerifal dot cx @ 2012-08-23 12:01 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

Rich Felker <bugdal at aerifal dot cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

--- Comment #6 from Rich Felker <bugdal at aerifal dot cx> 2012-08-23 12:00:37 UTC ---
Add an extra level of libraries then. For example, consider myplugin.so that
depends on libbar.so which depends on libfoo.so. If myplugin.so is designed to
be unload-safe, but libbar.so isn't, the application has no way of knowing it's
unsafe to call dlclose on myplugin.so.

I agree DF_1_NODELETE/-Wl,-z,nodelete is part of the fix, but the default is
backwards. A library is not safely unloadable by default. It's only safely
unloadable if it was explicitly designed to be. Perhaps if libtool added
-Wl,-z,nodelete by default except when configured not to, that would solve the
problem...



^ permalink raw reply	[flat|nested] 12+ messages in thread
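
Added example, not part of the thread and not glibc code: the comments above turn on whether a DSO carries DF_1_NODELETE (set by -Wl,-z,nodelete), so this sketch walks the objects loaded in the current process and reports which ones have that flag in DT_FLAGS_1. It assumes Linux with glibc's <link.h>; dyn_has_nodelete, audit_loaded_objects and the sample_* arrays are illustrative names.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <link.h>
#include <stdio.h>

/* Constructed sample dynamic sections, not taken from any real library. */
const ElfW(Dyn) sample_pinned[]   = { { DT_FLAGS_1, { DF_1_NOW | DF_1_NODELETE } },
                                      { DT_NULL, { 0 } } };
const ElfW(Dyn) sample_unpinned[] = { { DT_FLAGS_1, { DF_1_NOW } },
                                      { DT_NULL, { 0 } } };
const ElfW(Dyn) sample_noflags[]  = { { DT_NULL, { 0 } } };

/* 1 if the dynamic section sets DF_1_NODELETE in DT_FLAGS_1, else 0. */
int dyn_has_nodelete(const ElfW(Dyn) *dyn)
{
    for (; dyn && dyn->d_tag != DT_NULL; dyn++)
        if (dyn->d_tag == DT_FLAGS_1 && (dyn->d_un.d_val & DF_1_NODELETE))
            return 1;
    return 0;
}

struct audit { int objects; int pinned; };

/* dl_iterate_phdr callback: locate PT_DYNAMIC of each loaded object. */
static int visit(struct dl_phdr_info *info, size_t size, void *data)
{
    struct audit *a = data;
    (void)size;
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        if (ph->p_type != PT_DYNAMIC)
            continue;
        int pinned = dyn_has_nodelete(
            (const ElfW(Dyn) *)(info->dlpi_addr + ph->p_vaddr));
        a->objects++;
        a->pinned += pinned;
        /* "no flag" only means the link-time flag is absent; it says
           nothing about whether unloading the object is actually safe. */
        printf("%-9s %s\n", pinned ? "NODELETE" : "no flag",
               info->dlpi_name[0] ? info->dlpi_name : "(main program)");
    }
    return 0;
}

/* Walk every object currently mapped by the dynamic linker. */
struct audit audit_loaded_objects(void)
{
    struct audit a = { 0, 0 };
    dl_iterate_phdr(visit, &a);
    return a;
}

int main(void)
{
    struct audit a = audit_loaded_objects();
    printf("%d of %d loaded objects carry DF_1_NODELETE\n", a.pinned, a.objects);
    return 0;
}
```

Calling audit_loaded_objects() just before a dlclose shows whether the plugin's dependencies were linked with the flag; it does not detect a leaked pointer such as the registration described in the original report.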

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (5 preceding siblings ...)
  2012-08-23 12:01 ` bugdal at aerifal dot cx
@ 2012-08-23 12:04 ` jakub at redhat dot com
  2014-06-17  5:54 ` fweimer at redhat dot com
                   ` (3 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: jakub at redhat dot com @ 2012-08-23 12:04 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14511

Jakub Jelinek <jakub at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |INVALID

--- Comment #7 from Jakub Jelinek <jakub at redhat dot com> 2012-08-23 12:04:00 UTC ---
Doesn't matter what levels of libraries you have.  It is the user's
responsibility to ensure pointers to library code aren't accessed after the
library is unloaded.
The default is correct, and has been that way since the beginning.



^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (6 preceding siblings ...)
  2012-08-23 12:04 ` jakub at redhat dot com
@ 2014-06-17  5:54 ` fweimer at redhat dot com
  2023-08-07 10:10 ` sam at gentoo dot org
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: fweimer at redhat dot com @ 2014-06-17  5:54 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=14511

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-



^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (7 preceding siblings ...)
  2014-06-17  5:54 ` fweimer at redhat dot com
@ 2023-08-07 10:10 ` sam at gentoo dot org
  2023-08-07 10:10 ` sam at gentoo dot org
  2024-02-06 14:42 ` gabravier at gmail dot com
  10 siblings, 0 replies; 12+ messages in thread
From: sam at gentoo dot org @ 2023-08-07 10:10 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=14511

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugz
                   |                            |illa/show_bug.cgi?id=14512


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (8 preceding siblings ...)
  2023-08-07 10:10 ` sam at gentoo dot org
@ 2023-08-07 10:10 ` sam at gentoo dot org
  2024-02-06 14:42 ` gabravier at gmail dot com
  10 siblings, 0 replies; 12+ messages in thread
From: sam at gentoo dot org @ 2023-08-07 10:10 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=14511

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug dynamic-link/14511] dlclose DSO unloading fundamentally unsafe
  2012-08-22 22:24 [Bug dynamic-link/14511] New: dlclose DSO unloading fundamentally unsafe bugdal at aerifal dot cx
                   ` (9 preceding siblings ...)
  2023-08-07 10:10 ` sam at gentoo dot org
@ 2024-02-06 14:42 ` gabravier at gmail dot com
  10 siblings, 0 replies; 12+ messages in thread
From: gabravier at gmail dot com @ 2024-02-06 14:42 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=14511

Gabriel Ravier <gabravier at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gabravier at gmail dot com


^ permalink raw reply	[flat|nested] 12+ messages in thread
