public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug dynamic-link/29235] New: Some tests crash in ELF_DYNAMIC_DO_RELR on powerpc64le
@ 2022-06-09 10:19 fweimer at redhat dot com
2022-06-09 10:19 ` [Bug dynamic-link/29235] " fweimer at redhat dot com
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: fweimer at redhat dot com @ 2022-06-09 10:19 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29235
Bug ID: 29235
Summary: Some tests crash in ELF_DYNAMIC_DO_RELR on powerpc64le
Product: glibc
Version: unspecified
Status: NEW
Severity: critical
Priority: P1
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Target Milestone: ---
Target: powerpc64le-*-linux-gnu
Flags: security-
I cleaned up the macro goo for easier debugging, and we crash on line 169:
153 static __always_inline void
154 elf_dynamic_do_relr (struct link_map *map)
155 {
156 ElfW(Addr) l_addr = (map)->l_addr, *where = 0;
157 const ElfW(Relr) *r, *end;
158 if ((map)->l_info[DT_RELR] == NULL)
159 return;
160 r = (const ElfW(Relr) *)D_PTR((map), l_info[DT_RELR]);
161 end = (const ElfW(Relr) *)((const char *)r +
162 (map)->l_info[DT_RELRSZ]->d_un.d_val);
163 for (; r < end; r++)
164 {
165 ElfW(Relr) entry = *r;
166 if ((entry & 1) == 0)
167 {
168 where = (ElfW(Addr) *)(l_addr + entry);
169 *where++ += l_addr;
170 }
171 else
172 {
173 for (long int i = 0; (entry >>= 1) != 0; i++)
174 if ((entry & 1) != 0)
175 where[i] += l_addr;
176 where += CHAR_BIT * sizeof(ElfW(Relr)) - 1;
177 }
178 }
179 }
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f9f028 in elf_dynamic_do_relr (map=0x7ffff7ff1320) at
dynamic-link.h:169
169 *where++ += l_addr;
(gdb) bt
#0 0x00007ffff7f9f028 in elf_dynamic_do_relr (map=0x7ffff7ff1320) at
dynamic-link.h:169
#1 elf_dynamic_relocate (skip_ifunc=<optimized out>,
consider_profile=<optimized out>,
lazy=1, scope=0x7ffff7ff16c0, map=0x7ffff7ff1320) at dynamic-link.h:198
#2 _dl_relocate_object (l=0x7ffff7ff1320, scope=0x7ffff7ff16c0,
reloc_mode=<optimized out>, consider_profiling=<optimized out>) at
dl-reloc.c:301
#3 0x00007ffff7fb9380 in dl_main (phdr=<optimized out>, phnum=<optimized out>,
user_entry=<optimized out>, auxv=<optimized out>) at rtld.c:2314
#4 0x00007ffff7fb4170 in _dl_sysdep_start (start_argptr=<optimized out>,
dl_main=0x7ffff7fb6d60 <dl_main>) at
../sysdeps/unix/sysv/linux/dl-sysdep.c:140
#5 0x00007ffff7fb5c58 in _dl_start_final (arg=arg@entry=0x7fffffffec60,
info=info@entry=0x7fffffffe650) at rtld.c:497
#6 0x00007ffff7fb68b8 in _dl_start (arg=0x7fffffffec60) at rtld.c:586
#7 0x00007ffff7fb4f38 in _start ()
from
/builddir/build/BUILD/glibc-2.35.9000-583-gace9e3edbc/build-ppc64le-redhat-linux/elf/ld.so
(gdb) print where
$1 = (Elf64_Addr *) 0x7ffff7eb5dc8
(gdb) print *where
$2 = 67536
I'm hitting a debugability issue here, but I think this address is in a
read-only segment of the main executable.
I don't know yet if BFD ld produced wrong relocation data.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread* [Bug dynamic-link/29235] Some tests crash in ELF_DYNAMIC_DO_RELR on powerpc64le
2022-06-09 10:19 [Bug dynamic-link/29235] New: Some tests crash in ELF_DYNAMIC_DO_RELR on powerpc64le fweimer at redhat dot com
@ 2022-06-09 10:19 ` fweimer at redhat dot com
2022-06-09 10:38 ` fweimer at redhat dot com
2022-06-09 10:41 ` fweimer at redhat dot com
2 siblings, 0 replies; 4+ messages in thread
From: fweimer at redhat dot com @ 2022-06-09 10:19 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29235
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com,
| |i at maskray dot me,
| |tuliom at ascii dot art.br
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread* [Bug dynamic-link/29235] Some tests crash in ELF_DYNAMIC_DO_RELR on powerpc64le
2022-06-09 10:19 [Bug dynamic-link/29235] New: Some tests crash in ELF_DYNAMIC_DO_RELR on powerpc64le fweimer at redhat dot com
2022-06-09 10:19 ` [Bug dynamic-link/29235] " fweimer at redhat dot com
@ 2022-06-09 10:38 ` fweimer at redhat dot com
2022-06-09 10:41 ` fweimer at redhat dot com
2 siblings, 0 replies; 4+ messages in thread
From: fweimer at redhat dot com @ 2022-06-09 10:38 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29235
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
With hard-coded paths in tests, I get:
(gdb) print where
$3 = (Elf64_Addr *) 0x100255db8
which is in this read-only mapping:
100160000-100260000 r--p 00160000 08:03 2153963751
/builddir/build/BUILD/glibc-2.35.9000-583-gace9e3edbc/build-2/math/test-tgmath3-fma
0000000000255db8 appears in readelf -rW output, so I don't think ld.so's RELR
implementation is at fault.
It looks like page size issue, and the DT_RELR may be accidental. The system
has 64K pages, but we have for the main executable:
LOAD 0x160000 0x0000000000160000 0x0000000000160000 0x0f10a4
0x0f10a4 R 0x10000
LOAD 0x255db0 0x0000000000265db0 0x0000000000265db0 0x06a40c
0x06a988 RW 0x10000
[…]
GNU_RELRO 0x255db0 0x0000000000265db0 0x0000000000265db0 0x06a250
0x06a250 R 0x1
I'm not sure if this kind of layout is supposed to work with 64K pages. Note
that as discussed elsewhere, ld.so rounds down 0x255db0 to the next multiple of
65,536.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug dynamic-link/29235] Some tests crash in ELF_DYNAMIC_DO_RELR on powerpc64le
2022-06-09 10:19 [Bug dynamic-link/29235] New: Some tests crash in ELF_DYNAMIC_DO_RELR on powerpc64le fweimer at redhat dot com
2022-06-09 10:19 ` [Bug dynamic-link/29235] " fweimer at redhat dot com
2022-06-09 10:38 ` fweimer at redhat dot com
@ 2022-06-09 10:41 ` fweimer at redhat dot com
2 siblings, 0 replies; 4+ messages in thread
From: fweimer at redhat dot com @ 2022-06-09 10:41 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29235
--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
(But we apply RELRO only after RELR processing, so that ALIGN_DOWN for the
RELRO start address should not matter here.)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-06-09 10:41 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-09 10:19 [Bug dynamic-link/29235] New: Some tests crash in ELF_DYNAMIC_DO_RELR on powerpc64le fweimer at redhat dot com
2022-06-09 10:19 ` [Bug dynamic-link/29235] " fweimer at redhat dot com
2022-06-09 10:38 ` fweimer at redhat dot com
2022-06-09 10:41 ` fweimer at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).