From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 1E33E3841445; Thu,  9 Jun 2022 10:19:35 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 1E33E3841445
From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/29235] New: Some tests crash in
 ELF_DYNAMIC_DO_RELR on powerpc64le
Date: Thu, 09 Jun 2022 10:19:35 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: dynamic-link
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: critical
X-Bugzilla-Who: fweimer at redhat dot com
X-Bugzilla-Status: NEW
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P1
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security-
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status
 bug_severity priority component assigned_to reporter target_milestone
 cf_gcctarget flagtypes.name
Message-ID: <bug-29235-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: glibc-bugs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Glibc-bugs mailing list <glibc-bugs.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/glibc-bugs/>
List-Help: <mailto:glibc-bugs-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jun 2022 10:19:36 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=3D29235

            Bug ID: 29235
           Summary: Some tests crash in ELF_DYNAMIC_DO_RELR on powerpc64le
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: critical
          Priority: P1
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
            Target: powerpc64le-*-linux-gnu
             Flags: security-

I cleaned up the macro goo for easier debugging, and we crash on line 169:

153     static __always_inline void
154     elf_dynamic_do_relr (struct link_map *map)
155     {
156         ElfW(Addr) l_addr =3D (map)->l_addr, *where =3D 0;=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
157         const ElfW(Relr) *r, *end;=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20
158         if ((map)->l_info[DT_RELR] =3D=3D NULL)=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
159           return;
160         r =3D (const ElfW(Relr) *)D_PTR((map), l_info[DT_RELR]);=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20
161         end =3D (const ElfW(Relr) *)((const char *)r +=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
162                                    (map)->l_info[DT_RELRSZ]->d_un.d_val=
);=20=20=20
163         for (; r < end; r++)=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20
164           {=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
165             ElfW(Relr) entry =3D *r;=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20
166             if ((entry & 1) =3D=3D 0)=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20
167               {=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
168                 where =3D (ElfW(Addr) *)(l_addr + entry);=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
169                 *where++ +=3D l_addr;=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20
170               }=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
171             else=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
172               {=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
173                 for (long int i =3D 0; (entry >>=3D 1) !=3D 0; i++)=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20
174                   if ((entry & 1) !=3D 0)=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20
175                     where[i] +=3D l_addr;=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20
176                 where +=3D CHAR_BIT * sizeof(ElfW(Relr)) - 1;=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20
177               }=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
178           }=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
179     }

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f9f028 in elf_dynamic_do_relr (map=3D0x7ffff7ff1320) at
dynamic-link.h:169
169                 *where++ +=3D l_addr;=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20
(gdb) bt
#0  0x00007ffff7f9f028 in elf_dynamic_do_relr (map=3D0x7ffff7ff1320) at
dynamic-link.h:169
#1  elf_dynamic_relocate (skip_ifunc=3D<optimized out>,
consider_profile=3D<optimized out>,=20
    lazy=3D1, scope=3D0x7ffff7ff16c0, map=3D0x7ffff7ff1320) at dynamic-link=
.h:198
#2  _dl_relocate_object (l=3D0x7ffff7ff1320, scope=3D0x7ffff7ff16c0,=20
    reloc_mode=3D<optimized out>, consider_profiling=3D<optimized out>) at
dl-reloc.c:301
#3  0x00007ffff7fb9380 in dl_main (phdr=3D<optimized out>, phnum=3D<optimiz=
ed out>,=20
    user_entry=3D<optimized out>, auxv=3D<optimized out>) at rtld.c:2314
#4  0x00007ffff7fb4170 in _dl_sysdep_start (start_argptr=3D<optimized out>,=
=20
    dl_main=3D0x7ffff7fb6d60 <dl_main>) at
../sysdeps/unix/sysv/linux/dl-sysdep.c:140
#5  0x00007ffff7fb5c58 in _dl_start_final (arg=3Darg@entry=3D0x7fffffffec60=
,=20
    info=3Dinfo@entry=3D0x7fffffffe650) at rtld.c:497
#6  0x00007ffff7fb68b8 in _dl_start (arg=3D0x7fffffffec60) at rtld.c:586
#7  0x00007ffff7fb4f38 in _start ()
   from
/builddir/build/BUILD/glibc-2.35.9000-583-gace9e3edbc/build-ppc64le-redhat-=
linux/elf/ld.so

(gdb) print where
$1 =3D (Elf64_Addr *) 0x7ffff7eb5dc8
(gdb) print *where
$2 =3D 67536

I'm hitting a debugability issue here, but I think this address is in a
read-only segment of the main executable.

I don't know yet if BFD ld produced wrong relocation data.

--=20
You are receiving this mail because:
You are on the CC list for the bug.=