From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: by sourceware.org (Postfix, from userid 48) id 4A0B3388E80F; Thu, 23 Jul 2020 19:12:35 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 4A0B3388E80F
From: "ajax at redhat dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/15271] dlmopen()ed shared library with LM_ID_NEWLM crashes if it fails dlsym() twice
Date: Thu, 23 Jul 2020 19:12:35 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: dynamic-link
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: ajax at redhat dot com
X-Bugzilla-Status: WAITING
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security-
X-Bugzilla-Changed-Fields: attachments.isobsolete cc attachments.created
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: glibc-bugs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Glibc-bugs mailing list
List-Unsubscribe: ,
List-Archive:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 23 Jul 2020 19:12:35 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=15271

Adam Jackson changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #6929|0                           |1
        is obsolete|                            |
                 CC|                            |ajax at redhat dot com

--- Comment #7 from Adam Jackson ---
Created attachment 12722
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12722&action=edit
0001-dlerror-Use-check_free-to-free-the-error-string.patch

I've (trivially) rebased this patch to current glibc, and attempted to wire up
the test case to 'make check'.
While the patch does fix the crash, it does not make the test case
actually pass, and I think there's another bug to be fixed here. The test case
now yields:

---
datura:~/git/glibc% ./build/testrun.sh ./build/dlfcn/bug-dlmopen1
Opening bug-dlmopen1-lib.so...
./build/dlfcn/bug-dlmopen1: symbol lookup error: ./build/dlfcn/bug-dlmopen1-lib.so: undefined symbol: foo
---

Which is clever, because we're just asking for foo with dlsym(), so this
shouldn't be fatal. Attempting to reproduce this under gdb (I hope, I don't
really understand testrun.sh) yields slightly different (also wrong) results:

---
datura:~/git/glibc% ./build/testrun.sh /usr/bin/gdb -q ./build/dlfcn/bug-dlmopen1
Reading symbols from ./build/dlfcn/bug-dlmopen1...
(gdb) break _dl_signal_cexception
Function "_dl_signal_cexception" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (_dl_signal_cexception) pending.
(gdb) run
Starting program: /home/ajax/git/glibc/build/dlfcn/bug-dlmopen1
Opening bug-dlmopen1-lib.so...
failed dlmopen!
[Inferior 1 (process 2482832) exited with code 01]
---

gdb doesn't seem at all aware of the additional link map (hence not finding the
copy of _dl_signal_cexception inside it, I suppose), but the ctor still seems
to be crashing and thus saying dlmopen failed.

LD_DEBUG=all's output isn't super insightful either: (trimmed to the bit where
control transfers to main()):

---
datura:~/git/glibc% ./build/testrun.sh /usr/bin/env LD_DEBUG=all ./build/dlfcn/bug-dlmopen1
# ...
   2482863:     transferring control: ./build/dlfcn/bug-dlmopen1
   2482863:
   2482863:     symbol=printf;  lookup in file=./build/dlfcn/bug-dlmopen1 [0]
   2482863:     symbol=printf;  lookup in file=/lib64/libdl.so.2 [0]
   2482863:     symbol=printf;  lookup in file=/lib64/libc.so.6 [0]
   2482863:     binding file ./build/dlfcn/bug-dlmopen1 [0] to /lib64/libc.so.6 [0]: normal symbol `printf' [GLIBC_2.2.5]
Opening bug-dlmopen1-lib.so...
   2482863:     symbol=dlmopen;  lookup in file=./build/dlfcn/bug-dlmopen1 [0]
   2482863:     symbol=dlmopen;  lookup in file=/lib64/libdl.so.2 [0]
   2482863:     binding file ./build/dlfcn/bug-dlmopen1 [0] to /lib64/libdl.so.2 [0]: normal symbol `dlmopen' [GLIBC_2.3.4]
   2482863:
   2482863:     file=bug-dlmopen1-lib.so [1];  dynamically loaded by ./build/dlfcn/bug-dlmopen1 [0]
   2482863:     find library=bug-dlmopen1-lib.so [1]; searching
   2482863:      search cache=/etc/ld.so.cache
   2482863:      search path=/lib64/tls/haswell/x86_64:/lib64/tls/haswell:/lib64/tls/x86_64:/lib64/tls:/lib64/haswell/x86_64:/lib64/haswell:/lib64/x86_64:/lib64:/usr/lib64/tls/haswell/x86_64:/usr/lib64/tls/haswell:/usr/lib64/tls/x86_64:/usr/lib64/tls:/usr/lib64/haswell/x86_64:/usr/lib64/haswell:/usr/lib64/x86_64:/usr/lib64 (system search path)
   2482863:       trying file=/lib64/tls/haswell/x86_64/bug-dlmopen1-lib.so
   2482863:       trying file=/lib64/tls/haswell/bug-dlmopen1-lib.so
   2482863:       trying file=/lib64/tls/x86_64/bug-dlmopen1-lib.so
   2482863:       trying file=/lib64/tls/bug-dlmopen1-lib.so
   2482863:       trying file=/lib64/haswell/x86_64/bug-dlmopen1-lib.so
   2482863:       trying file=/lib64/haswell/bug-dlmopen1-lib.so
   2482863:       trying file=/lib64/x86_64/bug-dlmopen1-lib.so
   2482863:       trying file=/lib64/bug-dlmopen1-lib.so
   2482863:       trying file=/usr/lib64/tls/haswell/x86_64/bug-dlmopen1-lib.so
   2482863:       trying file=/usr/lib64/tls/haswell/bug-dlmopen1-lib.so
   2482863:       trying file=/usr/lib64/tls/x86_64/bug-dlmopen1-lib.so
   2482863:       trying file=/usr/lib64/tls/bug-dlmopen1-lib.so
   2482863:       trying file=/usr/lib64/haswell/x86_64/bug-dlmopen1-lib.so
   2482863:       trying file=/usr/lib64/haswell/bug-dlmopen1-lib.so
   2482863:       trying file=/usr/lib64/x86_64/bug-dlmopen1-lib.so
   2482863:       trying file=/usr/lib64/bug-dlmopen1-lib.so
   2482863:
   2482863:     symbol=puts;  lookup in file=./build/dlfcn/bug-dlmopen1 [0]
   2482863:     symbol=puts;  lookup in file=/lib64/libdl.so.2 [0]
   2482863:     symbol=puts;  lookup in file=/lib64/libc.so.6 [0]
   2482863:     binding file ./build/dlfcn/bug-dlmopen1 [0] to /lib64/libc.so.6 [0]: normal symbol `puts' [GLIBC_2.2.5]
failed dlmopen!
   2482863:
   2482863:     calling fini: ./build/dlfcn/bug-dlmopen1 [0]
   2482863:
   2482863:
   2482863:     calling fini: /lib64/libdl.so.2 [0]
   2482863:
---

-- 
You are receiving this mail because:
You are on the CC list for the bug.