From: "ludo at gnu dot org"
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/26634] New: ld.so stats raw file names, bypassing the audit module
Date: Fri, 18 Sep 2020 21:44:20 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=26634

            Bug ID: 26634
           Summary: ld.so stats raw file names, bypassing the audit module
           Product: glibc
           Version: 2.31
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: ludo at gnu dot org
  Target Milestone: ---

Created attachment 12850
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12850&action=edit
Audit module that can be used as a reproducer

Unless I'm mistaken, the loader can end up stat'ing raw directory names
(DT_RUNPATH entries) instead of stat'ing names returned by the audit module's
'la_objsearch'.

The attached audit module illustrates that. It's supposed to add "/PREFIX"
anytime 'name' has a leading slash (typically LA_SER_RUNPATH); yet, strace'ing
it shows that it calls 'stat' on the original file name, without "/PREFIX":

> $ strace -E LD_AUDIT=$PWD/audit.so -e stat expr --version
> [...]
> la_objsearch 4 '/gnu/store/35afkywncrr5xsb4cxcljf6rpjcb7f61-gmp-6.2.0/lib/haswell/libgmp.so.10' -> '/PREFIX/gnu/store/35afkywncrr5xsb4cxcljf6rpjcb7f61-gmp-6.2.0/lib/haswell/libgmp.so.10'
> stat("/gnu/store/35afkywncrr5xsb4cxcljf6rpjcb7f61-gmp-6.2.0/lib/haswell", 0x7ffe9f84c240) = -1 ENOENT (Dosiero aŭ dosierujo ne ekzistas)
> la_objsearch 4 '/gnu/store/35afkywncrr5xsb4cxcljf6rpjcb7f61-gmp-6.2.0/lib/x86_64/libgmp.so.10' -> '/PREFIX/gnu/store/35afkywncrr5xsb4cxcljf6rpjcb7f61-gmp-6.2.0/lib/x86_64/libgmp.so.10'
> stat("/gnu/store/35afkywncrr5xsb4cxcljf6rpjcb7f61-gmp-6.2.0/lib/x86_64", 0x7ffe9f84c240) = -1 ENOENT (Dosiero aŭ dosierujo ne ekzistas)
> la_objsearch 4 '/gnu/store/35afkywncrr5xsb4cxcljf6rpjcb7f61-gmp-6.2.0/lib/libgmp.so.10' -> '/PREFIX/gnu/store/35afkywncrr5xsb4cxcljf6rpjcb7f61-gmp-6.2.0/lib/libgmp.so.10'
> stat("/gnu/store/35afkywncrr5xsb4cxcljf6rpjcb7f61-gmp-6.2.0/lib", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
> [...]

(Here the /gnu/store directory is from expr's DT_RUNPATH; notice that 'stat'
ignores "/PREFIX".)

The consequence is that some search path entries get marked as 'nonexisting'
even though they potentially shouldn't.

The culprit appears to be 'open_path' in 'dl-load.c':

      fd = open_verify (buf, -1, fbp, loader, whatcode, mode, found_other_class,
                        false);
      if (this_dir->status[cnt] == unknown)
        {
          if (fd != -1)
            this_dir->status[cnt] = existing;
          /* Do not update the directory information when loading
             auditing code.  We must try to disturb the program as
             little as possible.  */
          else if (loader == NULL
                   || GL(dl_ns)[loader->l_ns]._ns_loaded->l_auditing == 0)
            {
              /* We failed to open machine dependent library.  Let's
                 test whether there is any directory at all.  */
              struct stat64 st;

              buf[buflen - namelen - 1] = '\0';

              if (__xstat64 (_STAT_VER, buf, &st) != 0
                  || ! S_ISDIR (st.st_mode))
                /* The directory does not exist or it is no directory.  */
                this_dir->status[cnt] = nonexisting;
              else
                this_dir->status[cnt] = existing;
            }
        }

Here 'buf' contains the original name. 'open_verify' is passed that original
name, calls the audit module's 'objsearch' function, and works on that.
However, the '__xstat64' call right below is passed 'buf'--i.e., the original
name.

Does that make sense?

(This stems from .)
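Added example (editor's code, not the reporter's attachment and not glibc's): a minimal LD_AUDIT module in the spirit of the one described above, whose la_objsearch prepends a prefix to every absolute candidate, together with a stand-alone model of the directory probe quoted from open_path. probe_dir_raw stats the raw search-path directory exactly as the quoted __xstat64 call does; probe_dir_audited stats the name la_objsearch returned instead. demo_disagreement builds a scratch tree in which only the prefixed directory exists and shows the two probes caching opposite results for the same entry, which is the "marked as 'nonexisting' even though it shouldn't" effect of the report. la_version, la_objsearch, LA_SER_RUNPATH and the return convention of la_objsearch are the documented rtld-audit interface; the helper names, the AUDIT_PREFIX environment override and the scratch directory under /tmp are assumptions of this example.

```c
/* Added example, not the report's attachment and not glibc code.
 * 1. A minimal LD_AUDIT module: la_objsearch redirects absolute candidates
 *    under a prefix ("/PREFIX" by default; the AUDIT_PREFIX variable is an
 *    assumption of this example so the model can run unprivileged).
 * 2. A model of the open_path() directory probe, raw vs. audit-aware.
 *
 *   gcc -shared -fPIC -o audit.so audit_prefix.c   # LD_AUDIT=$PWD/audit.so
 *   gcc -o demo audit_prefix.c && ./demo           # run the model
 */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <link.h>       /* la_version, la_objsearch, LA_SER_*, LAV_CURRENT */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static const char *prefix(void)
{
  const char *p = getenv("AUDIT_PREFIX");
  return p ? p : "/PREFIX";
}

unsigned int la_version(unsigned int version)
{
  (void) version;
  return LAV_CURRENT;   /* handshake: we speak the loader's audit interface */
}

/* Called by ld.so for every candidate path; DT_RUNPATH entries arrive with
   flag == LA_SER_RUNPATH (the "4" in the strace above).  Absolute names are
   redirected under the prefix, relative ones pass through untouched. */
char *la_objsearch(const char *name, uintptr_t *cookie, unsigned int flag)
{
  static char rewritten[PATH_MAX];
  (void) cookie;
  if (name[0] != '/')
    return (char *) name;
  if (snprintf(rewritten, sizeof rewritten, "%s%s", prefix(), name)
      >= (int) sizeof rewritten)
    return NULL;        /* too long: NULL tells ld.so to skip this candidate */
  fprintf(stderr, "la_objsearch %u '%s' -> '%s'\n", flag, name, rewritten);
  return rewritten;
}

enum dir_status { unknown, existing, nonexisting };

/* The probe as quoted from open_path(): stat the raw directory name. */
enum dir_status probe_dir_raw(const char *dir)
{
  struct stat st;
  return (stat(dir, &st) == 0 && S_ISDIR(st.st_mode)) ? existing : nonexisting;
}

/* Same probe on the audit module's answer, so the cached status describes
   the directory that open_verify() actually searched. */
enum dir_status probe_dir_audited(const char *dir)
{
  uintptr_t cookie = 0;
  char *name = la_objsearch(dir, &cookie, LA_SER_RUNPATH);
  return name ? probe_dir_raw(name) : nonexisting;
}

/* Constructed scenario: raw_dir is "/<random>" and is never created, while
   <prefix><raw_dir> is.  Returns 1 when the probes disagree as the report
   describes (raw: nonexisting, audited: existing), 0 if they agree, -1 on
   setup failure. */
int demo_disagreement(void)
{
  char root[] = "/tmp/audit-demo-XXXXXX";
  if (mkdtemp(root) == NULL)
    return -1;
  char raw_dir[PATH_MAX], audited_dir[PATH_MAX];
  snprintf(raw_dir, sizeof raw_dir, "/%s", strrchr(root, '/') + 1);
  snprintf(audited_dir, sizeof audited_dir, "%s%s", root, raw_dir);
  if (setenv("AUDIT_PREFIX", root, 1) != 0 || mkdir(audited_dir, 0755) != 0)
    return -1;

  enum dir_status raw = probe_dir_raw(raw_dir);
  enum dir_status audited = probe_dir_audited(raw_dir);
  printf("%s: raw probe says %s, audited probe says %s\n", raw_dir,
         raw == existing ? "existing" : "nonexisting",
         audited == existing ? "existing" : "nonexisting");

  unsetenv("AUDIT_PREFIX");   /* back to the "/PREFIX" default */
  rmdir(audited_dir);
  rmdir(root);
  return (raw == nonexisting && audited == existing) ? 1 : 0;
}

int main(void)
{
  return demo_disagreement() == 1 ? 0 : 1;
}
```

Built as a shared object and run under strace the way the report does, the module's stderr lines pair up with the stat calls the same way as in the quoted trace; the stand-alone run shows why that matters: the raw probe would cache the entry as nonexisting while the directory the audit module pointed at is there, and because open_path records that status once per search-path entry, every later lookup through that entry inherits the wrong answer.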