[Bug libc/31596] New: On the llvm-arm32 platform, dlopen("not_exist.so", -1) triggers segmentation fault

[Bug libc/31596] New: On the llvm-arm32 platform, dlopen("not_exist.so", -1) triggers segmentation fault

[xiaojiangfeng at huawei dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31596

            Bug ID: 31596
           Summary: On the llvm-arm32 platform, dlopen("not_exist.so", -1)
                    triggers segmentation fault
           Product: glibc
           Version: 2.34
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: xiaojiangfeng at huawei dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

The following are my reproduction cases:

```
#include <dlfcn.h>

int main(void)
{
        (void)dlopen("not_exist.so", -1);

        return 0;
}

```

However, this case cannot be reproduced in a common environment.

I reproduced this issue in the arm32 environment.
Glibc in the environment is compiled using the Clang compiler.
The glibc version is 2.34. (The patches that supports Clang
compilation has been applied to this version)

I have not figured out why the lcatch variable
in the _dl_signal_error function is null.
As a result, the exception branch
fatal_error(0, NULL, NULL, NULL, "invalid mode parameter")
is executed.
Maybe my Clang compiler's compilation parameters
are not configured properly.


I will try to follow up on this issue and update the progress.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31596] On the llvm-arm32 platform, dlopen("not_exist.so", -1) triggers segmentation fault

[hjl.tools at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31596

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |NEW
                 CC|                            |hjl.tools at gmail dot com
   Last reconfirmed|                            |2024-04-02

--- Comment #1 from H.J. Lu <hjl.tools at gmail dot com> ---
objname in

void
_dl_signal_error (int errcode, const char *objname, const char *occasion,
                  const char *errstring) 

is NULL in

dlfcn/dlinfo.c:      _dl_signal_error (0, NULL, NULL, N_("unsupported dlinfo
request"));
dlfcn/dlmopen.c:  _dl_signal_error (EINVAL, NULL, NULL, N_("invalid
namespace"));
dlfcn/dlmopen.c:  _dl_signal_error (EINVAL, NULL, NULL, N_("invalid mode"));
dlfcn/dlopen.c:    _dl_signal_error (0, NULL, NULL, _("invalid mode
parameter"));
elf/dl-fptr.c:    _dl_signal_error (errno, NULL, NULL,
elf/dl-fptr.c:    _dl_signal_error (errno, NULL, NULL,
elf/dl-fptr.c:    _dl_signal_error (0, NULL, NULL,
elf/dl-hwcaps.c:    _dl_signal_error (ENOMEM, NULL, NULL,
elf/dl-hwcaps.c:    _dl_signal_error (ENOMEM, NULL, NULL,
elf/dl-load.c:     _dl_signal_error (ENOMEM, NULL, NULL,
elf/dl-load.c:      _dl_signal_error (ENOMEM, NULL, NULL, errstring);
elf/dl-load.c:      _dl_signal_error (ENOMEM, NULL, NULL, errstring);
elf/dl-sym.c:      _dl_signal_error (0, NULL, NULL, N_("\
sysdeps/hppa/dl-fptr.c:    _dl_signal_error (errno, NULL, NULL,
sysdeps/hppa/dl-fptr.c:    _dl_signal_error (errno, NULL, NULL,
sysdeps/hppa/dl-fptr.c:    _dl_signal_error (0, NULL, NULL,
sysdeps/mips/dl-trampoline.c:  _dl_signal_error (0, NULL, NULL, "cannot find
runtime link map");

We should handle it properly.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31596] On the llvm-arm32 platform, dlopen("not_exist.so", -1) triggers segmentation fault

[hjl.tools at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31596

--- Comment #2 from H.J. Lu <hjl.tools at gmail dot com> ---
We have:

---
void
_dl_signal_error (int errcode, const char *objname, const char *occasion,
                  const char *errstring)
{
  struct rtld_catch *lcatch = get_catch ();

  if (! errstring)
    errstring = N_("DYNAMIC LINKER BUG!!!");

  if (lcatch != NULL)
    {
      _dl_exception_create (lcatch->exception, objname, errstring);
      *lcatch->errcode = errcode;

      /* We do not restore the signal mask because none was saved.  */
      __longjmp (lcatch->env[0].__jmpbuf, 1);
    }
  else
    fatal_error (errcode, objname, occasion, errstring);
}
---

Under what conditions will get_catch return NULL?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31596] On the llvm-arm32 platform, dlopen("not_exist.so", -1) triggers segmentation fault

[hjl.tools at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31596

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING

--- Comment #3 from H.J. Lu <hjl.tools at gmail dot com> ---
There is

#if IS_IN (rtld)
static struct rtld_catch *rtld_catch_notls;
#endif

static struct rtld_catch *
get_catch (void)
{ 
#if IS_IN (rtld)
  if (!__rtld_tls_init_tp_called)
    return rtld_catch_notls;
  else
#endif
    return THREAD_GETMEM (THREAD_SELF, rtld_catch);
}

I don't see how it can return NULL.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31596] On the llvm-arm32 platform, dlopen("not_exist.so", -1) triggers segmentation fault

[hjl.tools at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31596

--- Comment #4 from H.J. Lu <hjl.tools at gmail dot com> ---
_dl_signal_error should only be called from _dl_catch_exception
and get_catch shouldn't return NULL.  _dl_exception_create can
handle objname == NULL.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31596] On the llvm-arm32 platform, dlopen("not_exist.so", -1) triggers segmentation fault

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31596

--- Comment #5 from Sourceware Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by H.J. Lu <hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1cce91d8aed5c3eca2b6f47767c82d9ed3e9e33f

commit 1cce91d8aed5c3eca2b6f47767c82d9ed3e9e33f
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Apr 8 09:06:09 2024 -0700

    elf: Check objname before calling fatal_error

    _dl_signal_error may be called with objname == NULL.  _dl_exception_create
    checks objname == NULL.  But fatal_error doesn't.  Check objname before
    calling fatal_error.  This fixes BZ #31596.
    Reviewed-by: Sunil K Pandey <skpgkp2@gmail.com>

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31596] On the llvm-arm32 platform, dlopen("not_exist.so", -1) triggers segmentation fault

[hjl.tools at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31596

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |RESOLVED
   Target Milestone|---                         |2.40
         Resolution|---                         |FIXED

--- Comment #6 from H.J. Lu <hjl.tools at gmail dot com> ---
Fixed for 2.40.

-- 
You are receiving this mail because:
You are on the CC list for the bug.