public inbox for glibc-bugs@sourceware.org
From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/29235] New: Some tests crash in ELF_DYNAMIC_DO_RELR on powerpc64le
Date: Thu, 09 Jun 2022 10:19:35 +0000
Message-ID: <bug-29235-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=29235

            Bug ID: 29235
           Summary: Some tests crash in ELF_DYNAMIC_DO_RELR on powerpc64le
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: critical
          Priority: P1
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
            Target: powerpc64le-*-linux-gnu
             Flags: security-

I cleaned up the macro goo for easier debugging, and we crash on line 169:

153     static __always_inline void
154     elf_dynamic_do_relr (struct link_map *map)
155     {
156         ElfW(Addr) l_addr = (map)->l_addr, *where = 0;                      
157         const ElfW(Relr) *r, *end;                                          
158         if ((map)->l_info[DT_RELR] == NULL)                                 
159           return;
160         r = (const ElfW(Relr) *)D_PTR((map), l_info[DT_RELR]);              
161         end = (const ElfW(Relr) *)((const char *)r +                        
162                                    (map)->l_info[DT_RELRSZ]->d_un.d_val);   
163         for (; r < end; r++)                                                
164           {                                                                 
165             ElfW(Relr) entry = *r;                                          
166             if ((entry & 1) == 0)                                           
167               {                                                             
168                 where = (ElfW(Addr) *)(l_addr + entry);                     
169                 *where++ += l_addr;                                         
170               }                                                             
171             else                                                            
172               {                                                             
173                 for (long int i = 0; (entry >>= 1) != 0; i++)               
174                   if ((entry & 1) != 0)                                     
175                     where[i] += l_addr;                                     
176                 where += CHAR_BIT * sizeof(ElfW(Relr)) - 1;                 
177               }                                                             
178           }                                                                 
179     }

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f9f028 in elf_dynamic_do_relr (map=0x7ffff7ff1320) at
dynamic-link.h:169
169                 *where++ += l_addr;                                         
(gdb) bt
#0  0x00007ffff7f9f028 in elf_dynamic_do_relr (map=0x7ffff7ff1320) at
dynamic-link.h:169
#1  elf_dynamic_relocate (skip_ifunc=<optimized out>,
consider_profile=<optimized out>, 
    lazy=1, scope=0x7ffff7ff16c0, map=0x7ffff7ff1320) at dynamic-link.h:198
#2  _dl_relocate_object (l=0x7ffff7ff1320, scope=0x7ffff7ff16c0, 
    reloc_mode=<optimized out>, consider_profiling=<optimized out>) at
dl-reloc.c:301
#3  0x00007ffff7fb9380 in dl_main (phdr=<optimized out>, phnum=<optimized out>, 
    user_entry=<optimized out>, auxv=<optimized out>) at rtld.c:2314
#4  0x00007ffff7fb4170 in _dl_sysdep_start (start_argptr=<optimized out>, 
    dl_main=0x7ffff7fb6d60 <dl_main>) at
../sysdeps/unix/sysv/linux/dl-sysdep.c:140
#5  0x00007ffff7fb5c58 in _dl_start_final (arg=arg@entry=0x7fffffffec60, 
    info=info@entry=0x7fffffffe650) at rtld.c:497
#6  0x00007ffff7fb68b8 in _dl_start (arg=0x7fffffffec60) at rtld.c:586
#7  0x00007ffff7fb4f38 in _start ()
   from
/builddir/build/BUILD/glibc-2.35.9000-583-gace9e3edbc/build-ppc64le-redhat-linux/elf/ld.so

(gdb) print where
$1 = (Elf64_Addr *) 0x7ffff7eb5dc8
(gdb) print *where
$2 = 67536

I'm hitting a debuggability issue here, but I think this address is in a
read-only segment of the main executable.

I don't know yet if BFD ld produced wrong relocation data.

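Added example, not part of the original report and not glibc code: a checker that decodes a DT_RELR table the same way as the loop quoted in the report, but counts targets that are not inside a writable PT_LOAD segment instead of patching them. It assumes 64-bit RELR entries; struct seg, both function names and the sample tables are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified PT_LOAD descriptor (not a glibc type). */
struct seg { uint64_t vaddr, memsz; int writable; };
/* Constructed samples: read-only text plus writable data, and a RELR table
   holding an address, a bitmap, and an address inside the read-only text. */
static const struct seg sample_segs[] = {
    { 0x0, 0x10000, 0 }, { 0x1fd00, 0x400, 1 } };
static const uint64_t sample_relr[] = { 0x1fd08, 0x7, 0x2d00 };

/* Nonzero if the 8-byte word at link-time address addr is in a writable segment. */
static int word_writable(const struct seg *s, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= s[i].vaddr && s[i].memsz >= 8
            && addr - s[i].vaddr <= s[i].memsz - 8)
            return s[i].writable;
    return 0; /* unmapped counts as not writable */
}

/* Decode RELR entries and count relocation targets that are not writable.
   Returns -1 if the table starts with a bitmap (no address to apply it to). */
static long relr_count_unwritable(const uint64_t *relr, size_t count,
                                  const struct seg *s, size_t n, uint64_t *first_bad)
{
    uint64_t where = 0;
    long bad = 0;
    for (size_t k = 0; k < count; k++) {
        uint64_t entry = relr[k], base = where, bits = 1;
        if ((entry & 1) == 0) {      /* even entry: one word at this address */
            base = entry;
            where = entry + 8;
        } else {                     /* odd entry: bitmap over the next 63 words */
            if (k == 0) return -1;
            bits = entry >> 1;
            where += 63 * 8;
        }
        for (uint64_t i = 0; bits != 0; i++, bits >>= 1)
            if ((bits & 1) && !word_writable(s, n, base + 8 * i) && bad++ == 0)
                *first_bad = base + 8 * i;   /* remember the first offender */
    }
    return bad;
}

int main(void)
{
    uint64_t fb = 0;
    long bad = relr_count_unwritable(sample_relr, 3, sample_segs, 2, &fb);
    printf("non-writable targets: %ld, first at 0x%llx\n", bad, (unsigned long long)fb);
    return 0;
}
```

Fed the real DT_RELR contents and program headers of a failing binary, a nonzero count would point at the relocation data rather than at the loader loop.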