From: "nnye at whitebeamsec dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/28366] Calling name() on a locale object (std::locale) with LD_AUDIT library loaded results in SIGSEGV on aarch64 platforms
Date: Fri, 08 Oct 2021 01:09:20 +0000
X-Bugzilla-Product: glibc
X-Bugzilla-Component: dynamic-link
X-Bugzilla-Version: 2.31
X-Bugzilla-Status: WAITING
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org

https://sourceware.org/bugzilla/show_bug.cgi?id=28366

--- Comment #7 from Nathan Nye ---
(In reply to Adhemerval Zanella from comment #6)
> (In reply to Nathan Nye from comment #5)
> > I'm sharing the progress I've made so far on this issue.
> > 
> > It's most likely the same issue Ben Woodard linked
> > (https://www.sourceware.org/bugzilla/show_bug.cgi?id=26643), but the patch
> > doesn't cover this case. As Adhemerval Zanella found, when name() gets
> > called, it tries to read the address at $x8 which was previously overwritten
> > by the dynamic linker as 0x7f7f7f7f7f7f7f7f in strcmp.S and never restored:
> > 
> > #0  strcmp () at ../sysdeps/aarch64/strcmp.S:174
> > #1  0x0000fffff7fd6140 in check_match
> >     (undef_name=undef_name@entry=0xaaaaaaaa04bd "_ZNKSt6locale4nameB5cxx11Ev",
> >     ref=ref@entry=0xaaaaaaaa03c0, version=version@entry=0xfffff7ff40d0,
> >     flags=flags@entry=1, type_class=type_class@entry=1, sym=0xfffff7c5ab48,
> >     symidx=315, strtab=strtab@entry=0xfffff7c7c460 "", map=map@entry=0xfffff7ff69c0,
> >     versioned_sym=versioned_sym@entry=0xffffffffeae8,
> >     num_versions=num_versions@entry=0xffffffffeae4) at dl-lookup.c:94
> > #2  0x0000fffff7fd65c8 in do_lookup_x
> >     (undef_name=undef_name@entry=0xaaaaaaaa04bd "_ZNKSt6locale4nameB5cxx11Ev",
> >     new_hash=new_hash@entry=718167616, old_hash=old_hash@entry=0xffffffffebb8,
> >     ref=0xaaaaaaaa03c0, result=result@entry=0xffffffffebc8, scope=<optimized out>,
> >     i=1, version=version@entry=0xfffff7ff40d0, flags=flags@entry=1,
> >     skip=<optimized out>, skip@entry=0x0, type_class=<optimized out>,
> >     type_class@entry=1, undef_map=undef_map@entry=0xfffff7fff200) at dl-lookup.c:436
> > #3  0x0000fffff7fd6e10 in _dl_lookup_symbol_x (undef_name=0xaaaaaaaa04bd
> >     "_ZNKSt6locale4nameB5cxx11Ev", undef_map=undef_map@entry=0xfffff7fff200,
> >     ref=ref@entry=0xffffffffecb0, symbol_scope=0xfffff7fff598,
> >     version=0xfffff7ff40d0, type_class=type_class@entry=1, flags=1,
> >     skip_map=skip_map@entry=0x0) at dl-lookup.c:861
> > #4  0x0000fffff7fdb1e0 in _dl_profile_fixup (l=0xfffff7fff200,
> >     reloc_arg=<optimized out>, retaddr=187649984433000, regs=0xffffffffedc0,
> >     framesizep=0xffffffffecf8) at dl-runtime.c:257
> > #5  0x0000fffff7fe0fa0 in _dl_runtime_profile () at
> >     ../sysdeps/aarch64/dl-trampoline.S:221
> > #6  0x0000aaaaaaaa0b68 in main ()
> > 
> > I'm still searching for what is responsible for restoring $x8 in this
> > instance. At the same time, I'm exploring a couple of fixes for existing
> > LD_AUDIT libraries that wouldn't require the linker itself to be patched:
> 
> If you check the patch [1], it extends the La_aarch64_regs to include 'x8',
> which is saved and restored at _dl_profile_fixup.
> 
> > 1. Turning profiling off: la_objsearch gets called, but the rest of the
> > RTLD_AUDIT interfaces such as la_symbind{32,64} don't get called. (Fail)
> > 
> > 2. Setting the framesizep (stack frame size) to 0 in
> > la_aarch64_gnu_pltenter: Neither the test case of this issue nor the simple
> > one in the linked issue crashes, but this leads to some problems later on.
> > (Fail)
> > 
> > It may be resolved through some combination of la_aarch64_gnu_pltenter and
> > la_aarch64_gnu_pltexit restoring the $x8 register.
> 
> Could you check if the patchset I posted fixed the issue you are seeing? There
> is another issue that might interfere with locales usage within audit
> modules [2] that the patchset also fixed.
> 
> [1] https://patchwork.sourceware.org/project/glibc/patch/20210730194715.881900-21-adhemerval.zanella@linaro.org/
> [2] https://patchwork.sourceware.org/project/glibc/patch/20210730194715.881900-6-adhemerval.zanella@linaro.org/

I had no idea the patch I was using (V2 from the Sourceware issue) was out of
date! When I applied both of the patches you linked (from Patchwork) the
problem is now fully resolved. Incredible! I'll still be looking for a way to
provide backwards compatibility in existing LD_AUDIT libraries, which may be
desirable for projects such as HPCToolkit. For now it seems this issue is a
dupe of existing issues opened by you and Ben! Thank you very much Adhemerval.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
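For readers unfamiliar with the rtld-audit interface the thread refers to, the following is an added example of a minimal LD_AUDIT module; it is not code from the bug report, from the reporter, or from glibc. It implements the callbacks named above (la_objsearch, la_symbind64 and the architecture-specific pltenter hook, shown for aarch64 and x86_64) and records what it sees instead of printing, so the state can be inspected through the hypothetical accessor functions audit_bind_count(), audit_plt_calls() and audit_last_symbol(), which are part of this example only. It assumes a glibc system (the La_* types and LAV_CURRENT come from glibc's link.h) and leaves framesizep at its default, so pltexit is never requested and no stack frame is copied, which is the configuration least exposed to the trampoline problem discussed in the thread.

```c
/* Added example: minimal LD_AUDIT module, see rtld-audit(7).
 * Not part of glibc or of the bug report.
 * Build: gcc -shared -fPIC -o libaudit.so audit.c
 * Use:   LD_AUDIT=./libaudit.so ./program
 */
#define _GNU_SOURCE          /* needed for the La_* types and audit prototypes */
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static unsigned long g_bind_count;   /* symbols resolved through la_symbind64 */
static unsigned long g_plt_calls;    /* PLT entries observed by pltenter */
static char g_last_symbol[256];      /* name passed to the most recent la_symbind64 */

/* Hypothetical accessors (example only) so state can be checked without printing. */
unsigned long audit_bind_count(void) { return g_bind_count; }
unsigned long audit_plt_calls(void) { return g_plt_calls; }
const char *audit_last_symbol(void) { return g_last_symbol; }

/* First callback rtld makes. Returning 0 disables the module; otherwise the
 * module returns the audit interface version it was built against. */
unsigned int la_version(unsigned int version)
{
    (void)version;
    return LAV_CURRENT;
}

/* Called for each candidate path while searching for a shared object.
 * Returning the name unchanged keeps rtld's own search; NULL would skip it. */
char *la_objsearch(const char *name, uintptr_t *cookie, unsigned int flag)
{
    (void)cookie;
    (void)flag;
    return (char *)name;
}

/* Called when an object is loaded. The cookie identifies the object in later
 * callbacks; the return value selects which symbol bindings we want to see. */
unsigned int la_objopen(struct link_map *map, Lmid_t lmid, uintptr_t *cookie)
{
    (void)lmid;
    *cookie = (uintptr_t)map;
    return LA_FLG_BINDTO | LA_FLG_BINDFROM;
}

/* Called when a PLT reference is resolved. The returned address is what rtld
 * binds the call to, so a module can redirect here; this one passes it through.
 * *flags is left alone, so the pltenter/pltexit hooks stay enabled for the symbol
 * (setting LA_SYMB_NOPLTENTER | LA_SYMB_NOPLTEXIT would suppress them). */
uintptr_t la_symbind64(Elf64_Sym *sym, unsigned int ndx, uintptr_t *refcook,
                       uintptr_t *defcook, unsigned int *flags, const char *symname)
{
    (void)ndx;
    (void)refcook;
    (void)defcook;
    (void)flags;
    g_bind_count++;
    snprintf(g_last_symbol, sizeof g_last_symbol, "%s", symname ? symname : "");
    return sym->st_value;
}

#if defined(__aarch64__)
/* Entered through _dl_runtime_profile before the real target runs. regs holds
 * the argument registers; only x0 (first integer argument) is read here.
 * framesizep is left at its default (-1): pltexit is not requested and no
 * stack frame is copied. On aarch64 glibc builds without the fix referenced in
 * this thread, this profiling path does not preserve x8, the indirect-result
 * register used by functions returning large aggregates such as std::string. */
Elf64_Addr la_aarch64_gnu_pltenter(Elf64_Sym *sym, unsigned int ndx,
                                   uintptr_t *refcook, uintptr_t *defcook,
                                   La_aarch64_regs *regs, unsigned int *flags,
                                   const char *symname, long int *framesizep)
{
    (void)ndx; (void)refcook; (void)defcook; (void)flags; (void)framesizep;
    g_plt_calls++;
    fprintf(stderr, "pltenter %s x0=%#llx\n", symname ? symname : "?",
            (unsigned long long)regs->lr_xreg[0]);
    return sym->st_value;
}
#elif defined(__x86_64__)
/* Same hook on x86_64; rdi carries the first integer argument. */
Elf64_Addr la_x86_64_gnu_pltenter(Elf64_Sym *sym, unsigned int ndx,
                                  uintptr_t *refcook, uintptr_t *defcook,
                                  La_x86_64_regs *regs, unsigned int *flags,
                                  const char *symname, long int *framesizep)
{
    (void)ndx; (void)refcook; (void)defcook; (void)flags; (void)framesizep;
    g_plt_calls++;
    fprintf(stderr, "pltenter %s rdi=%#llx\n", symname ? symname : "?",
            (unsigned long long)regs->lr_rdi);
    return sym->st_value;
}
#endif
```

When loaded with LD_AUDIT, every lazily bound PLT call in the audited process first passes through the profiling trampoline and the pltenter hook above; that is the path in which the backtrace in this thread shows x8 being clobbered on unpatched aarch64 glibc, which is why a module that needs only binding notifications should not rely on the arguments or return path of pltenter/pltexit there until the fix is in place.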