From: srk31 at srcf dot ucam.org
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/31168] New: ld.so startup segfaults if constructor does dlopen with RTLD_GLOBAL
Date: Thu, 14 Dec 2023 22:35:45 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=31168

            Bug ID: 31168
           Summary: ld.so startup segfaults if constructor does dlopen with RTLD_GLOBAL
           Product: glibc
           Version: 2.35
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: srk31 at srcf dot ucam.org
  Target Milestone: ---

Created attachment 15260
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15260&action=edit
small reproducer

The ld.so of glibc 2.36 (and likely later, but I haven't tested) may crash during _dl_init of the main executable if an early constructor does a dlopen with RTLD_GLOBAL.

The problem seems to be that `add_to_global_update()` adds to `main_map->l_searchlist.r_nlist` but `main_map->l_initfini` is not resized to match. This is a problem since `r_nlist` is used to bound the call_init loop in dl-init.c, which ranges over `l_initfini`:

    135   i = main_map->l_searchlist.r_nlist;
    136   while (i-- > 0)
    137     call_init (main_map->l_initfini[i], argc, argv, env);

... meaning the loop will run off the end of the `l_initfini` list, calling `call_init` passing the NULL terminator value instead of a link map.

See attached test case... this is doing dlopen during the constructor of an initfirst preloaded object. I'm not sure whether it can be reproduced without initfirst and/or preloading... this combination closely models my use case, which was working fine until at least 2.28.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
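The following is an added illustration, not the reporter's attached reproducer and not glibc code. It is a toy model in C of the mismatch the report describes: a NULL-terminated `l_initfini` array sized once at startup, and a separate `r_nlist` counter that a constructor-time dlopen(RTLD_GLOBAL) grows without the array being resized. The `toy_*` structures and functions are hypothetical simplifications; the buggy loop keeps the shape quoted from dl-init.c but records, instead of performing, the NULL dereference or out-of-bounds read that real ld.so would hit, and the safe variant shows the defensive alternative of bounding the loop by the array's own terminator and flagging the disagreement.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model (hypothetical, not glibc's real definitions) of the two fields
   the report names: main_map->l_initfini, a NULL-terminated array sized at
   startup, and main_map->l_searchlist.r_nlist, a count that a later
   dlopen(RTLD_GLOBAL) can grow. */
struct toy_map {
    const char *name;
    int ctor_calls;                 /* how many times call_init reached this map */
};

struct toy_main_map {
    struct toy_map **l_initfini;    /* n entries plus a NULL terminator */
    size_t l_initfini_alloc;        /* n: entries allocated, excluding terminator */
    struct { size_t r_nlist; } l_searchlist;
};

struct toy_result {
    int buggy_called;   /* maps reached by the r_nlist-bounded loop */
    bool null_passed;   /* that loop handed the NULL terminator to call_init */
    bool oob;           /* that loop indexed past the allocation */
    int safe_called;    /* maps reached by the terminator-bounded loop */
    bool mismatch;      /* r_nlist disagreed with the l_initfini length */
};

/* Startup: l_initfini and r_nlist agree on n dependencies. */
static void toy_setup(struct toy_main_map *m, struct toy_map *deps, size_t n)
{
    m->l_initfini = calloc(n + 1, sizeof *m->l_initfini);   /* slot n stays NULL */
    for (size_t i = 0; i < n; i++)
        m->l_initfini[i] = &deps[i];
    m->l_initfini_alloc = n;
    m->l_searchlist.r_nlist = n;
}

/* Models the effect the report attributes to add_to_global_update(): the
   global search list grows, but l_initfini is not resized to match. */
static void toy_dlopen_global(struct toy_main_map *m)
{
    m->l_searchlist.r_nlist++;
}

/* The loop shape quoted from dl-init.c, bounded by r_nlist. Instead of
   dereferencing, the model records what real ld.so would do at each index. */
static int buggy_call_init_loop(struct toy_main_map *m, bool *null_passed, bool *oob)
{
    int called = 0;
    size_t i = m->l_searchlist.r_nlist;
    while (i-- > 0) {
        if (i > m->l_initfini_alloc) { *oob = true; continue; }  /* past the terminator slot */
        struct toy_map *map = m->l_initfini[i];
        if (map == NULL) { *null_passed = true; continue; }     /* terminator: NULL into call_init */
        map->ctor_calls++;
        called++;
    }
    return called;
}

/* Defensive variant: bound the loop by the array's own terminator and flag
   the disagreement, so a stale r_nlist can never drive the index past l_initfini. */
static int safe_call_init_loop(struct toy_main_map *m, bool *mismatch)
{
    size_t n = 0;
    while (m->l_initfini[n] != NULL)
        n++;
    *mismatch = (n != m->l_searchlist.r_nlist);
    int called = 0;
    size_t i = n;
    while (i-- > 0) {
        m->l_initfini[i]->ctor_calls++;
        called++;
    }
    return called;
}

/* Run both loops on a main map with n_deps dependencies (at most 8) after
   n_dlopens constructor-time dlopen(RTLD_GLOBAL) calls. */
struct toy_result toy_run(size_t n_deps, size_t n_dlopens)
{
    struct toy_map deps[8] = {{0}};
    struct toy_main_map m;
    struct toy_result r = {0};
    if (n_deps > 8) n_deps = 8;
    toy_setup(&m, deps, n_deps);
    for (size_t k = 0; k < n_dlopens; k++)
        toy_dlopen_global(&m);
    r.buggy_called = buggy_call_init_loop(&m, &r.null_passed, &r.oob);
    r.safe_called = safe_call_init_loop(&m, &r.mismatch);
    free(m.l_initfini);
    return r;
}

int main(void)
{
    struct toy_result r = toy_run(3, 1);
    printf("buggy loop: called %d, NULL passed: %d, OOB: %d\n",
           r.buggy_called, r.null_passed, r.oob);
    printf("safe loop:  called %d, count mismatch: %d\n", r.safe_called, r.mismatch);
    return 0;
}
```

With three dependencies and one constructor-time dlopen, the r_nlist-bounded loop reaches the terminator slot and would pass NULL to call_init; with two such dlopens it also indexes past the allocation. The terminator-bounded loop still runs exactly the three real constructors and reports that the two counts no longer agree, which is the condition a fix for this report has to keep in sync.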