Message-ID: <0eb8cc4762942f5cf42ea11c3253280564204d96.camel@rice.edu>
Subject: Re: RTLD_DEEPBIND interaction with LD_PRELOAD
From: Jonathon Anderson
To: Matthew Parkinson, "libc-alpha@sourceware.org"
Date: Fri, 31 Mar 2023 09:52:39 -0500

Hello all,

Wrapping symbols is of interest to us (the HPCToolkit folks), so I thought I would jump in here and bring up a 3rd option that we are excited about: LD_AUDIT-powered symbol injection.

We currently use LD_PRELOAD + dlsym(RTLD_NEXT) to wrap critical symbols, however we have also encountered unavoidable limitations with the approach for some applications in the wild. We haven't run into RTLD_DEEPBIND before, but we have found many other issues:

- dlsym(): If the symbol is fetched directly with dlsym() LD_PRELOAD does not apply. (And yes, there is code out there that does `dlsym(dlopen(libc.so.6))`. :/)
- dlopen(RTLD_LOCAL): dlsym(RTLD_NEXT) fails if the "victim" symbol is only loaded as the dependency of a library loaded with dlopen(RTLD_LOCAL).
- dlmopen() namespaces: LD_PRELOAD only applies to the main namespace, symbols in private dlmopen() namespaces are unaffected.

The alternative we are considering uses LD_AUDIT's la_symbind hook to inject our wrappers. This hook fires *every* time a symbol gets bound or on dlsym(), avoiding the narrow application issues with LD_PRELOAD. The hook also receives the to-be-bound target as an argument, avoiding the issues with dlsym(RTLD_NEXT). The high power of this approach makes it a very appealing alternative to LD_PRELOAD.

We have not yet tried LD_AUDIT-powered symbol injection in the wild, but I did write [a small test matrix with some possible wrapper implementations][1] for preliminary research. So far, the basic LD_AUDIT-powered implementations are very promising and avoid the issues we see with LD_PRELOAD.

[1]: https://gitlab.com/blue42u/ldaudit-power-tests/-/tree/main/symbol-wrapping

-Jonathon
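A minimal audit library illustrating the la_symbind approach described in the message above, as an added example that is not part of the original message or of the linked test matrix. It assumes 64-bit glibc; the getpid() call counter and the names real_getpid, wrapped_getpid and wrapped_getpid_calls are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* <link.h> exposes the la_* interface only with this */
#endif
#include <link.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>            /* pid_t */

/* Constructed example target: count calls to getpid(). */
static pid_t (*real_getpid)(void);  /* definition the loader was about to bind */
static unsigned long getpid_calls;

static pid_t wrapped_getpid(void)
{
    getpid_calls++;                 /* instrumentation goes here */
    return real_getpid();           /* forward through the saved target */
}

unsigned long wrapped_getpid_calls(void) { return getpid_calls; }

/* Handshake: accept the audit interface version the loader offers. */
unsigned int la_version(unsigned int version) { return version; }

/* Request la_symbind callbacks for bindings to and from each object. */
unsigned int la_objopen(struct link_map *map, Lmid_t lmid, uintptr_t *cookie)
{
    (void)map; (void)lmid; (void)cookie;
    return LA_FLG_BINDTO | LA_FLG_BINDFROM;
}

/* Called when a symbol is bound; sym->st_value is the to-be-bound target. */
uintptr_t la_symbind64(Elf64_Sym *sym, unsigned int ndx, uintptr_t *refcook,
                       uintptr_t *defcook, unsigned int *flags,
                       const char *symname)
{
    (void)ndx; (void)refcook; (void)defcook;
    if (strcmp(symname, "getpid") != 0)
        return sym->st_value;       /* every other symbol binds unchanged */
    if (real_getpid == NULL)        /* keeps the first definition seen only */
        real_getpid = (pid_t (*)(void))sym->st_value;
    *flags |= LA_SYMB_NOPLTENTER | LA_SYMB_NOPLTEXIT; /* no PLT tracing hooks */
    return (uintptr_t)wrapped_getpid;
}
```

Built as a shared object and named in LD_AUDIT, the loader calls these hooks itself. A tool that has to handle several definitions of one symbol would keep a target per binding rather than the single saved pointer used here.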