public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "aburgess at redhat dot com" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sourceware.org Subject: [Bug dynamic-link/30766] New: The reloc_complete probe can be hit when not all libraries have been relocated Date: Tue, 15 Aug 2023 14:23:44 +0000 [thread overview] Message-ID: <bug-30766-131@http.sourceware.org/bugzilla/> (raw) https://sourceware.org/bugzilla/show_bug.cgi?id=30766 Bug ID: 30766 Summary: The reloc_complete probe can be hit when not all libraries have been relocated Product: glibc Version: unspecified Status: NEW Severity: normal Priority: P2 Component: dynamic-link Assignee: unassigned at sourceware dot org Reporter: aburgess at redhat dot com Target Milestone: --- Created attachment 15061 --> https://sourceware.org/bugzilla/attachment.cgi?id=15061&action=edit Patch that exposes the issue described in this bug. The attached patch applies to current(ish) master (d6fe19facc) and exposes the issue described in this bug report. With this patch applied I see: $ make test t=dlfcn/tst-rec-dlopen ... snip ... DSO moddummy1.so loaded when it shouldn't be make[2]: Leaving directory '/tmp/glibc/src/dlfcn' FAIL: dlfcn/tst-rec-dlopen original exit status 1 Called dummy2() Called dummy2() make[1]: Leaving directory '/tmp/glibc/src' This bug was found while investigating some GDB behaviour, and relates to the reloc_complete probe (elf/dl-open.c). The docs for reloc_complete say: reloc_complete: The linker has relocated all objects in the specified namespace. The namespace's r_debug structure is consistent and may be inspected, and all objects in the namespace's link-map are guaranteed to have been relocated. However, there are times that reloc_complete is called when not every object in the namespace's link-map have been relocated, and worse, there is no way for the debugger, when walking the link-map, to tell the difference between a relocated, and non-relocated object. This results in GDB bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30765 In the glibc test I modified a situation is setup where a recursive dlopen will be performed; the test overrides malloc and has the new malloc perform a dlopen. At the top level (in do_test) we dlopen a library, while this dlopen is being performed glibc calls malloc. These malloc calls themselves trigger a dlopen call (we take care to avoid infinite recursion here). The problem is, that, while servicing the top-level dlopen, the library is added to the namespace's link-map list, and then malloc is called *before* the library has been relocated. As a result, this second-level malloc call results in another dlopen call, and, when we hit the reloc_complete probe for this second-level dlopen call, the first library is already in the link-map list, but is not yet relocated, in clear violation of the documented API. In GDB we hook the reloc_complete probe to figure out when the library has been loaded. It is possible for a user to stop at this point an examine the inferior's memory, which can include examining global state that should have been relocated, but (due to this bug) has not. -- You are receiving this mail because: You are on the CC list for the bug.
next reply other threads:[~2023-08-15 14:23 UTC|newest] Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-08-15 14:23 aburgess at redhat dot com [this message] 2023-08-15 14:31 ` [Bug dynamic-link/30766] " aburgess at redhat dot com 2023-08-15 23:42 ` tromey at sourceware dot org 2023-08-16 12:35 ` fweimer at redhat dot com 2024-03-08 9:41 ` fweimer at redhat dot com
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-30766-131@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).