public inbox for glibc-bugs@sourceware.org
* [Bug dynamic-link/27609] New: In elf/dl-open.c (_dl_open) we might use __LM_ID_CALLER to index GL(dl_ns)[]
From: carlos at redhat dot com @ 2021-03-18 18:55 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27609

            Bug ID: 27609
           Summary: In elf/dl-open.c (_dl_open) we might use
                    __LM_ID_CALLER to index GL(dl_ns)[]
           Product: glibc
           Version: 2.33
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: carlos at redhat dot com
  Target Milestone: ---

AFAICT we *might* get here with an __LM_ID_CALLER value... and using -2 into
the index would not yield the expected result.

      /* Avoid keeping around a dangling reference to the libc.so link
         map in case it has been cached in libc_map.  */
      if (!args.libc_already_loaded)
        GL(dl_ns)[nsid].libc_map = NULL;


We should review this and ensure we can never get __LM_ID_CALLER here, or that
if we can that it should be OK.

It doesn't look like we get here because of the guard !args.libc_already_loaded, but
I could be wrong so I'm filing this bug to check on that.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug dynamic-link/27609] In elf/dl-open.c (_dl_open) we might use __LM_ID_CALLER to index GL(dl_ns)[]
From: hjl.tools at gmail dot com @ 2021-08-17 18:31 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27609

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hjl.tools at gmail dot com

--- Comment #1 from H.J. Lu <hjl.tools at gmail dot com> ---
It does get here in nptl/tst-setuid1.c:

(gdb) bt
#0  _dl_open (file=<optimized out>, mode=-2147483646, 
    caller_dlopen=<optimized out>, nsid=-2, argc=2, argv=<optimized out>, 
    env=0xffffce70) at dl-open.c:851
#1  0xf7f194f2 in do_dlopen (ptr=ptr@entry=0xffffc990) at dl-libc.c:96
#2  0xf7f19ede in __GI__dl_catch_exception (
    exception=exception@entry=0xffffc934, operate=<optimized out>, 
    args=<optimized out>)
    at /export/gnu/import/git/gitlab/x86-glibc/elf/dl-error-skeleton.c:208
#3  0xf7f19f83 in __GI__dl_catch_error (objname=<optimized out>, 
    errstring=<optimized out>, mallocedp=<optimized out>, 
    operate=<optimized out>, args=<optimized out>)
    at /export/gnu/import/git/gitlab/x86-glibc/elf/dl-error-skeleton.c:227
#4  0xf7f1946d in dlerror_run (operate=operate@entry=0xf7f194b0 <do_dlopen>, 
    args=args@entry=0xffffc990) at dl-libc.c:46
#5  0xf7f195f4 in __libc_dlopen_mode (name=<optimized out>, 
    mode=mode@entry=-2147483646) at dl-libc.c:163
#6  0xf7efefc9 in module_load (module=<optimized out>) at nss_module.c:191
#7  0xf7eff545 in __nss_module_load (module=<optimized out>)
    at nss_module.c:310
#8  __nss_module_get_function (module=<optimized out>, 
    name=name@entry=0xf7f7d737 "getpwnam_r") at nss_module.c:333
#9  0xf7efd538 in __GI___nss_lookup_function (fct_name=<optimized out>, 
    ni=<optimized out>) at nsswitch.c:138
#10 __GI___nss_lookup (ni=<optimized out>, fct_name=<optimized out>, 
    fct2_name=<optimized out>, fctp=<optimized out>) at nsswitch.c:68
#11 0xf7efe723 in __GI___nss_passwd_lookup2 (ni=ni@entry=0xffffcbe8, 
    fct_name=fct_name@entry=0xf7f7d737 "getpwnam_r", 
    fct2_name=fct2_name@entry=0x0, fctp=fctp@entry=0xffffcbec)
    at /export/gnu/import/git/gitlab/x86-glibc/nss/XXX-lookup.c:58
#12 0xf7ea2927 in __getpwnam_r (name=name@entry=0x4060fa "nobody", 
    resbuf=resbuf@entry=0xf7fbd6d0 <resbuf>, buffer=<optimized out>, 
    buflen=buflen@entry=1024, result=result@entry=0xffffcc3c)
    at ../nss/getXXbyYY_r.c:265
#13 0xf7ea2480 in getpwnam (name=name@entry=0x4060fa "nobody")
    at ../nss/getXXbyYY.c:135
#14 0x00403e6b in do_test () at tst-setuid1.c:1029
#15 legacy_test_function (argc=<optimized out>, argv=<optimized out>)
    at ../test-skeleton.c:56
#16 0x004049e1 in support_test_main (argc=1, argv=0xffffce68, 
    config=config@entry=0xffffcd20) at support_test_main.c:403
#17 0x00402774 in main (argc=<optimized out>, argv=<optimized out>)
    at ../support/test-driver.c:168
(gdb)


* [Bug dynamic-link/27609] [2.32/2.33/2.34 Regression] In elf/dl-open.c (_dl_open) we might use __LM_ID_CALLER to index GL(dl_ns)[]
From: hjl.tools at gmail dot com @ 2021-09-30 17:19 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27609

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|In elf/dl-open.c (_dl_open) |[2.32/2.33/2.34 Regression]
                   |we might use __LM_ID_CALLER |In elf/dl-open.c (_dl_open)
                   |to index GL(dl_ns)[]        |we might use __LM_ID_CALLER
                   |                            |to index GL(dl_ns)[]
            Version|2.33                        |2.32
                 CC|                            |fweimer at redhat dot com

--- Comment #2 from H.J. Lu <hjl.tools at gmail dot com> ---
commit ec935dea6332cb22f9881cd1162bad156173f4b0
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Apr 24 22:31:15 2020 +0200

    elf: Implement __libc_early_init

has

@@ -856,6 +876,11 @@ no more namespaces available for dlmopen()"));
   /* See if an error occurred during loading.  */
   if (__glibc_unlikely (exception.errstring != NULL))
     {
+      /* Avoid keeping around a dangling reference to the libc.so link
+   map in case it has been cached in libc_map.  */
+      if (!args.libc_already_loaded)
+  GL(dl_ns)[nsid].libc_map = NULL;
+
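Review bot: the added line `GL(dl_ns)[nsid].libc_map = NULL;` indexes the namespace table with the `nsid` that `_dl_open` was called with, but as the comment below notes that value can still be `__LM_ID_CALLER` (-2) on the error path, since `dl_open_worker` resolves the caller's namespace only into `args.nsid`. The reset should use the resolved id, `GL(dl_ns)[args.nsid].libc_map = NULL;`, so this branch never indexes the table with a negative id.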

do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2), which calls
dl_open_worker with args.nsid = nsid.  dl_open_worker updates args.nsid
if it is __LM_ID_CALLER.  After dl_open_worker returns, it is wrong to
use nsid.


* [Bug dynamic-link/27609] [2.32/2.33/2.34 Regression] In elf/dl-open.c (_dl_open) we might use __LM_ID_CALLER to index GL(dl_ns)[]
From: cvs-commit at gcc dot gnu.org @ 2021-09-30 19:41 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27609

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by H.J. Lu <hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1e1ecea62e899acb58c3fdf3b320a0833ddd0dff

commit 1e1ecea62e899acb58c3fdf3b320a0833ddd0dff
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Thu Sep 30 10:29:17 2021 -0700

    elf: Replace nsid with args.nsid [BZ #27609]

    commit ec935dea6332cb22f9881cd1162bad156173f4b0
    Author: Florian Weimer <fweimer@redhat.com>
    Date:   Fri Apr 24 22:31:15 2020 +0200

        elf: Implement __libc_early_init

    has

    @@ -856,6 +876,11 @@ no more namespaces available for dlmopen()"));
       /* See if an error occurred during loading.  */
       if (__glibc_unlikely (exception.errstring != NULL))
         {
    +      /* Avoid keeping around a dangling reference to the libc.so link
    +   map in case it has been cached in libc_map.  */
    +      if (!args.libc_already_loaded)
    +  GL(dl_ns)[nsid].libc_map = NULL;
    +

    do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2), which calls
    dl_open_worker with args.nsid = nsid.  dl_open_worker updates args.nsid
    if it is __LM_ID_CALLER.  After dl_open_worker returns, it is wrong to
    use nsid.

    Replace nsid with args.nsid after dl_open_worker returns.  This fixes
    BZ #27609.


* [Bug dynamic-link/27609] [2.32/2.33/2.34 Regression] In elf/dl-open.c (_dl_open) we might use __LM_ID_CALLER to index GL(dl_ns)[]
From: cvs-commit at gcc dot gnu.org @ 2021-10-13 12:29 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27609

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.34/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=79528414dc1578800cbf1fba2fbdb6335f4f39bf

commit 79528414dc1578800cbf1fba2fbdb6335f4f39bf
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Thu Sep 30 10:29:17 2021 -0700

    elf: Replace nsid with args.nsid [BZ #27609]

    commit ec935dea6332cb22f9881cd1162bad156173f4b0
    Author: Florian Weimer <fweimer@redhat.com>
    Date:   Fri Apr 24 22:31:15 2020 +0200

        elf: Implement __libc_early_init

    has

    @@ -856,6 +876,11 @@ no more namespaces available for dlmopen()"));
       /* See if an error occurred during loading.  */
       if (__glibc_unlikely (exception.errstring != NULL))
         {
    +      /* Avoid keeping around a dangling reference to the libc.so link
    +   map in case it has been cached in libc_map.  */
    +      if (!args.libc_already_loaded)
    +  GL(dl_ns)[nsid].libc_map = NULL;
    +

    do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2), which calls
    dl_open_worker with args.nsid = nsid.  dl_open_worker updates args.nsid
    if it is __LM_ID_CALLER.  After dl_open_worker returns, it is wrong to
    use nsid.

    Replace nsid with args.nsid after dl_open_worker returns.  This fixes
    BZ #27609.

    (cherry picked from commit 1e1ecea62e899acb58c3fdf3b320a0833ddd0dff)


* [Bug dynamic-link/27609] [2.32/2.33/2.34 Regression] In elf/dl-open.c (_dl_open) we might use __LM_ID_CALLER to index GL(dl_ns)[]
From: cvs-commit at gcc dot gnu.org @ 2021-10-13 12:57 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27609

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.33/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6090cf1330faf2deb17285758f327cb23b89ebf1

commit 6090cf1330faf2deb17285758f327cb23b89ebf1
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Thu Sep 30 10:29:17 2021 -0700

    elf: Replace nsid with args.nsid [BZ #27609]

    commit ec935dea6332cb22f9881cd1162bad156173f4b0
    Author: Florian Weimer <fweimer@redhat.com>
    Date:   Fri Apr 24 22:31:15 2020 +0200

        elf: Implement __libc_early_init

    has

    @@ -856,6 +876,11 @@ no more namespaces available for dlmopen()"));
       /* See if an error occurred during loading.  */
       if (__glibc_unlikely (exception.errstring != NULL))
         {
    +      /* Avoid keeping around a dangling reference to the libc.so link
    +   map in case it has been cached in libc_map.  */
    +      if (!args.libc_already_loaded)
    +  GL(dl_ns)[nsid].libc_map = NULL;
    +

    do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2), which calls
    dl_open_worker with args.nsid = nsid.  dl_open_worker updates args.nsid
    if it is __LM_ID_CALLER.  After dl_open_worker returns, it is wrong to
    use nsid.

    Replace nsid with args.nsid after dl_open_worker returns.  This fixes
    BZ #27609.

    (cherry picked from commit 1e1ecea62e899acb58c3fdf3b320a0833ddd0dff)


* [Bug dynamic-link/27609] [2.32/2.33/2.34 Regression] In elf/dl-open.c (_dl_open) we might use __LM_ID_CALLER to index GL(dl_ns)[]
From: cvs-commit at gcc dot gnu.org @ 2021-10-13 14:10 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27609

--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.32/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=53c8f3f1255f4e45084476c9c23d63e99516ad3b

commit 53c8f3f1255f4e45084476c9c23d63e99516ad3b
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Thu Sep 30 10:29:17 2021 -0700

    elf: Replace nsid with args.nsid [BZ #27609]

    commit ec935dea6332cb22f9881cd1162bad156173f4b0
    Author: Florian Weimer <fweimer@redhat.com>
    Date:   Fri Apr 24 22:31:15 2020 +0200

        elf: Implement __libc_early_init

    has

    @@ -856,6 +876,11 @@ no more namespaces available for dlmopen()"));
       /* See if an error occurred during loading.  */
       if (__glibc_unlikely (exception.errstring != NULL))
         {
    +      /* Avoid keeping around a dangling reference to the libc.so link
    +   map in case it has been cached in libc_map.  */
    +      if (!args.libc_already_loaded)
    +  GL(dl_ns)[nsid].libc_map = NULL;
    +

    do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2), which calls
    dl_open_worker with args.nsid = nsid.  dl_open_worker updates args.nsid
    if it is __LM_ID_CALLER.  After dl_open_worker returns, it is wrong to
    use nsid.

    Replace nsid with args.nsid after dl_open_worker returns.  This fixes
    BZ #27609.

    (cherry picked from commit 1e1ecea62e899acb58c3fdf3b320a0833ddd0dff)


* [Bug dynamic-link/27609] [2.32/2.33/2.34 Regression] In elf/dl-open.c (_dl_open) we might use __LM_ID_CALLER to index GL(dl_ns)[]
From: hjl.tools at gmail dot com @ 2021-10-13 14:11 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27609

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
   Target Milestone|---                         |2.35

--- Comment #7 from H.J. Lu <hjl.tools at gmail dot com> ---
Fixed for 2.35 and 2.34/2.33/2.32 branches.
