Re: [PATCH] elf/dl-deps.c: Make _dl_build_local_scope breadth first

[Mark Hatle <mark.hatle@kernel.crashing.org>]

On 1/11/22 1:26 PM, Adhemerval Zanella wrote:
> 
> 
> On 09/12/2021 20:53, Khem Raj via Libc-alpha wrote:
>> From: Mark Hatle <mark.hatle@windriver.com>
>>
>> According to the ELF specification:
>>
>> When resolving symbolic references, the dynamic linker examines the symbol
>> tables with a breadth-first search.
>>
>> This function was using a depth first search.  By doing so the conflict
>> resolution reported to the prelinker (when LD_TRACE_PRELINKING=1 is set)
>> was incorrect.  This caused problems when their were various circular
>> dependencies between libraries.  The problem usually manifested itself by
>> the wrong IFUNC being executed.
>>
>> Similar issue has been reported here [1]
>>
>> [BZ# 20488]
>>
>> [1] https://sourceware.org/legacy-ml/libc-alpha/2016-05/msg00034.html
>>
>> Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> 
> I am trying to understand why it this only an issue for LD_TRACE_PRELINKING=1,
> do we have a testcase that stress it for a default usercase?

The underlying issue here is that resolution is happening depth first and not 
breadth first.  According to the ELF spec, all resolution should be breadth-first.


As noted in item in above, the prelinker just happens to be a way to actually 
show that the behavior is incorrect.  (There even appears to be a related defect 
with a reproducer.)


When taking the values from LD_TRACE_PRELINKING=1, various addresses and 
conflict resolutions are specified.  When you compare what is reported, vs what 
happens, vs what the spec says they don't align as they should.


> When you say the 'wrong IFUNC being executed' what exactly you mean here?
> Could we use a testcase based on this?


The prelinker (and possibly just in general), the IFUNC address used is the one 
from the wrong library scope.  I personally have never tried to reproduce this 
outside of the prelinking use-case, but based on the referenced report and the 
code at the time of the change, it is believed this could happen (but rarely) 
without a prelinked system in a very complex case with multiple libraries 
providing the same functions.

The main issue (my memory is sketchy sorry this might be wrong) is that if one 
or more functions is an IFUNC and one or more functions is NOT, then the you can 
get into a situation with a conflict of the wrong function being called using 
the wrong mechanism.

Definitely in the prelink case, the resolver gave the address of a regular 
function which was then placed into an IFUNC (or maybe it was the other way 
around) triggering the runtime segfault.

--Mark

>> ---
>>   elf/dl-deps.c | 14 ++++++++++----
>>   1 file changed, 10 insertions(+), 4 deletions(-)
>>
>> diff --git a/elf/dl-deps.c b/elf/dl-deps.c
>> index 237d9636c5..e15f7f83d8 100644
>> --- a/elf/dl-deps.c
>> +++ b/elf/dl-deps.c
>> @@ -73,13 +73,19 @@ _dl_build_local_scope (struct link_map **list, struct link_map *map)
>>   {
>>     struct link_map **p = list;
>>     struct link_map **q;
>> +  struct link_map **r;
>>   
>>     *p++ = map;
>>     map->l_reserved = 1;
>> -  if (map->l_initfini)
>> -    for (q = map->l_initfini + 1; *q; ++q)
>> -      if (! (*q)->l_reserved)
>> -	p += _dl_build_local_scope (p, *q);
>> +
>> +  for (r = list; r < p; ++r)
>> +    if ((*r)->l_initfini)
>> +      for (q = (*r)->l_initfini + 1; *q; ++q)
>> +	if (! (*q)->l_reserved)
>> +	  {
>> +	    *p++ = *q;
>> +	    (*q)->l_reserved = 1;
>> +	  }
>>     return p - list;
>>   }
>>