From: "adhemerval.zanella at linaro dot org"
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/28366] Calling name() on a locale object (std::locale) with LD_AUDIT library loaded results in SIGSEGV on aarch64 platforms
Date: Thu, 07 Oct 2021 19:03:54 +0000
X-Bugzilla-Product: glibc
X-Bugzilla-Component: dynamic-link
X-Bugzilla-Version: 2.31
X-Bugzilla-Status: WAITING
X-Bugzilla-Priority: P2

https://sourceware.org/bugzilla/show_bug.cgi?id=28366

--- Comment #6 from Adhemerval Zanella ---
(In reply to Nathan Nye from comment #5)
> I'm sharing the progress I've made so far on this issue.
>
> It's most likely the same issue Ben Woodard linked
> (https://www.sourceware.org/bugzilla/show_bug.cgi?id=26643), but the patch
> doesn't cover this case. As Adhemerval Zanella found, when name() gets
> called, it tries to read the address at $x8 which was previously overwritten
> by the dynamic linker as 0x7f7f7f7f7f7f7f7f in strcmp.S and never restored:
>
> #0  strcmp () at ../sysdeps/aarch64/strcmp.S:174
> #1  0x0000fffff7fd6140 in check_match (undef_name=undef_name@entry=0xaaaaaaaa04bd "_ZNKSt6locale4nameB5cxx11Ev", ref=ref@entry=0xaaaaaaaa03c0, version=version@entry=0xfffff7ff40d0, flags=flags@entry=1, type_class=type_class@entry=1, sym=0xfffff7c5ab48, symidx=315, strtab=strtab@entry=0xfffff7c7c460 "", map=map@entry=0xfffff7ff69c0, versioned_sym=versioned_sym@entry=0xffffffffeae8, num_versions=num_versions@entry=0xffffffffeae4) at dl-lookup.c:94
> #2  0x0000fffff7fd65c8 in do_lookup_x (undef_name=undef_name@entry=0xaaaaaaaa04bd "_ZNKSt6locale4nameB5cxx11Ev", new_hash=new_hash@entry=718167616, old_hash=old_hash@entry=0xffffffffebb8, ref=0xaaaaaaaa03c0, result=result@entry=0xffffffffebc8, scope=<optimized out>, i=1, version=version@entry=0xfffff7ff40d0, flags=flags@entry=1, skip=<optimized out>, skip@entry=0x0, type_class=<optimized out>, type_class@entry=1, undef_map=undef_map@entry=0xfffff7fff200) at dl-lookup.c:436
> #3  0x0000fffff7fd6e10 in _dl_lookup_symbol_x (undef_name=0xaaaaaaaa04bd "_ZNKSt6locale4nameB5cxx11Ev", undef_map=undef_map@entry=0xfffff7fff200, ref=ref@entry=0xffffffffecb0, symbol_scope=0xfffff7fff598, version=0xfffff7ff40d0, type_class=type_class@entry=1, flags=1, skip_map=skip_map@entry=0x0) at dl-lookup.c:861
> #4  0x0000fffff7fdb1e0 in _dl_profile_fixup (l=0xfffff7fff200, reloc_arg=<optimized out>, retaddr=187649984433000, regs=0xffffffffedc0, framesizep=0xffffffffecf8) at dl-runtime.c:257
> #5  0x0000fffff7fe0fa0 in _dl_runtime_profile () at ../sysdeps/aarch64/dl-trampoline.S:221
> #6  0x0000aaaaaaaa0b68 in main ()
>
> I'm still searching for what is responsible for restoring $x8 in this
> instance. At the same time, I'm exploring a couple fixes for existing
> LD_AUDIT libraries that wouldn't require the linker itself to be patched:

If you check the patch [1], it extends the La_aarch64_regs to include 'x8',
which is saved and restored at _dl_profile_fixup.

>
> 1. Turning profiling off: la_objsearch gets called, but the rest of the
> RTLD_AUDIT interfaces such as la_symbind{32,64} don't get called. (Fail)
>
> 2. Setting the framesizep (stack frame size) to 0 in
> la_aarch64_gnu_pltenter: Neither the test case of this issue nor the simple
> one in the linked issue crashes, but this leads to some problems later on.
> (Fail)
>
> It may be resolved through some combination of la_aarch64_gnu_pltenter and
> la_aarch64_gnu_pltexit restoring the $x8 register.

Could you check if the patchset I posted fixed the issue you are seeing? There
is another issue that might interfere with locales usage within audit modules
[2] that the patchset also fixed.

[1] https://patchwork.sourceware.org/project/glibc/patch/20210730194715.881900-21-adhemerval.zanella@linaro.org/
[2] https://patchwork.sourceware.org/project/glibc/patch/20210730194715.881900-6-adhemerval.zanella@linaro.org/
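The thread above turns on which LD_AUDIT callbacks the dynamic linker invokes (la_objsearch versus la_symbind64 and the la_aarch64_gnu_pltenter/pltexit pair) and on the fact that they run inside the linker's PLT fixup path, the same path as _dl_profile_fixup in the backtrace. The following minimal audit module is an added example for orientation, not code from the bug report or from glibc; the file name audit.c, the call counters and the audit_stats() helper are constructed for the example. It uses only the callback signatures and constants documented in rtld-audit(7) and glibc's <link.h>. It does not work around the x8 problem discussed above; it only shows where each callback sits in the interface and how a module opts out of the pltenter/pltexit notifications per symbol.

```c
/* Added example: a minimal LD_AUDIT module (not part of the bug thread).
 * Build:  gcc -shared -fPIC -o libaudit.so audit.c   (file name assumed)
 * Run:    LD_AUDIT=./libaudit.so ./program
 * The counters below are constructed for this example so that the module's
 * behaviour can be inspected without a running linker. */
#define _GNU_SOURCE
#include <link.h>   /* la_* prototypes, LAV_CURRENT, LA_FLG_*, LA_SYMB_*, LA_SER_* */
#include <stdio.h>
#include <string.h>

static unsigned long objsearch_calls;
static unsigned long symbind_calls;

/* First callback: the linker passes the audit ABI version it implements and
 * keeps the module only if the answer is a version it understands. */
unsigned int la_version(unsigned int version)
{
    (void)version;
    objsearch_calls = 0;
    symbind_calls = 0;
    return LAV_CURRENT;
}

/* Called for every candidate path of every needed object. Returning the name
 * unchanged keeps the default search; returning NULL would skip that candidate.
 * This is the callback that still fired in the "profiling off" experiment. */
char *la_objsearch(const char *name, uintptr_t *cookie, unsigned int flag)
{
    (void)cookie;
    (void)flag;
    objsearch_calls++;
    return (char *)name;
}

/* Called once per loaded object. The returned flags decide whether bindings
 * into (BINDTO) or out of (BINDFROM) this object are reported to la_symbind64;
 * returning 0 here silences la_symbind for that object entirely. */
unsigned int la_objopen(struct link_map *map, Lmid_t lmid, uintptr_t *cookie)
{
    (void)lmid;
    *cookie = (uintptr_t)map;
    fprintf(stderr, "audit: objopen %s\n",
            (map && map->l_name && map->l_name[0]) ? map->l_name : "(main program)");
    return LA_FLG_BINDTO | LA_FLG_BINDFROM;
}

/* Called from the linker's PLT fixup path when a symbol is resolved for the
 * first time. Returning sym->st_value leaves the binding unchanged. Setting
 * LA_SYMB_NOPLTENTER / LA_SYMB_NOPLTEXIT in *flags tells the linker that this
 * module does not want la_<arch>_gnu_pltenter / pltexit for this symbol. */
uintptr_t la_symbind64(Elf64_Sym *sym, unsigned int ndx, uintptr_t *refcook,
                       uintptr_t *defcook, unsigned int *flags, const char *symname)
{
    (void)ndx;
    (void)refcook;
    (void)defcook;
    symbind_calls++;
    *flags |= LA_SYMB_NOPLTENTER | LA_SYMB_NOPLTEXIT;
    fprintf(stderr, "audit: symbind %s -> %#lx\n", symname, (unsigned long)sym->st_value);
    return sym->st_value;
}

/* Constructed helper: expose the counters so behaviour can be checked directly. */
void audit_stats(unsigned long *objsearch, unsigned long *symbind)
{
    *objsearch = objsearch_calls;
    *symbind = symbind_calls;
}
```

The functions are plain C and can be called directly, which is how the checks below exercise them; in real use the linker calls them, and anything printed from la_symbind64 happens while symbol resolution for the caller is still in progress, which is why the thread cares about which registers that path preserves.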