From: "nnye at whitebeamsec dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/28366] Calling name() on a locale object (std::locale) with LD_AUDIT library loaded results in SIGSEGV on aarch64 platforms
Date: Thu, 07 Oct 2021 15:40:36 +0000
Product: glibc
Component: dynamic-link
Version: 2.31
Status: WAITING

https://sourceware.org/bugzilla/show_bug.cgi?id=28366

--- Comment #5 from Nathan Nye ---

I'm sharing the progress I've made so far on this issue. It's most likely the same issue Ben Woodard linked (https://www.sourceware.org/bugzilla/show_bug.cgi?id=26643), but the patch doesn't cover this case.
As Adhemerval Zanella found, when name() gets called, it tries to read the address at $x8, which was previously overwritten by the dynamic linker as 0x7f7f7f7f7f7f7f7f in strcmp.S and never restored:

#0  strcmp () at ../sysdeps/aarch64/strcmp.S:174
#1  0x0000fffff7fd6140 in check_match (undef_name=undef_name@entry=0xaaaaaaaa04bd "_ZNKSt6locale4nameB5cxx11Ev", ref=ref@entry=0xaaaaaaaa03c0, version=version@entry=0xfffff7ff40d0, flags=flags@entry=1, type_class=type_class@entry=1, sym=0xfffff7c5ab48, symidx=315, strtab=strtab@entry=0xfffff7c7c460 "", map=map@entry=0xfffff7ff69c0, versioned_sym=versioned_sym@entry=0xffffffffeae8, num_versions=num_versions@entry=0xffffffffeae4) at dl-lookup.c:94
#2  0x0000fffff7fd65c8 in do_lookup_x (undef_name=undef_name@entry=0xaaaaaaaa04bd "_ZNKSt6locale4nameB5cxx11Ev", new_hash=new_hash@entry=718167616, old_hash=old_hash@entry=0xffffffffebb8, ref=0xaaaaaaaa03c0, result=result@entry=0xffffffffebc8, scope=<optimized out>, i=1, version=version@entry=0xfffff7ff40d0, flags=flags@entry=1, skip=<optimized out>, skip@entry=0x0, type_class=<optimized out>, type_class@entry=1, undef_map=undef_map@entry=0xfffff7fff200) at dl-lookup.c:436
#3  0x0000fffff7fd6e10 in _dl_lookup_symbol_x (undef_name=0xaaaaaaaa04bd "_ZNKSt6locale4nameB5cxx11Ev", undef_map=undef_map@entry=0xfffff7fff200, ref=ref@entry=0xffffffffecb0, symbol_scope=0xfffff7fff598, version=0xfffff7ff40d0, type_class=type_class@entry=1, flags=1, skip_map=skip_map@entry=0x0) at dl-lookup.c:861
#4  0x0000fffff7fdb1e0 in _dl_profile_fixup (l=0xfffff7fff200, reloc_arg=<optimized out>, retaddr=187649984433000, regs=0xffffffffedc0, framesizep=0xffffffffecf8) at dl-runtime.c:257
#5  0x0000fffff7fe0fa0 in _dl_runtime_profile () at ../sysdeps/aarch64/dl-trampoline.S:221
#6  0x0000aaaaaaaa0b68 in main ()

I'm still searching for what is responsible for restoring $x8 in this instance.
At the same time, I'm exploring a couple of fixes for existing LD_AUDIT libraries that wouldn't require the linker itself to be patched:

1. Turning profiling off: la_objsearch gets called, but the rest of the RTLD_AUDIT interfaces such as la_symbind{32,64} don't get called. (Fail)

2. Setting the framesizep (stack frame size) to 0 in la_aarch64_gnu_pltenter: Neither the test case of this issue nor the simple one in the linked issue crashes, but this leads to some problems later on. (Fail)

It may be resolved through some combination of la_aarch64_gnu_pltenter and la_aarch64_gnu_pltexit restoring the $x8 register.