Subject: Re: [PATCH] malloc: Implement heap protector
To: Paul Eggert , GNU C Library
From: Florian Weimer
Date: Thu, 10 Nov 2016 15:39:00 -0000
References: <7b7d32d4-b66c-4b87-9509-a9ed4df62b85@cs.ucla.edu> <296af8bd-17ab-439e-90d1-bfadf3684c7f@redhat.com>
In-Reply-To: <296af8bd-17ab-439e-90d1-bfadf3684c7f@redhat.com>

On 11/08/2016 04:13 PM, Florian Weimer wrote:
> diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h > index f68fdf4..801ded8 100644 > --- a/sysdeps/generic/ldsodefs.h > +++ b/sysdeps/generic/ldsodefs.h
> @@ -607,6 +607,10 @@ struct rtld_global_ro > /* List of auditing interfaces. */ > struct audit_ifaces *_dl_audit; > unsigned int _dl_naudit; > + > + /* malloc protection keys. */ > + uintptr_t _dl_malloc_header_guard; > + uintptr_t _dl_malloc_footer_guard; > }; > # define __rtld_global_attribute__ > # if IS_IN (rtld)

This way of carrying information from ld.so to libc.so.6 does not work in the static dlopen case because rtld_global_ro is only initialized from the static initializer. The code in security_init is never called, and so the two cookie values are always 0. I believe this is a pre-existing bug in static dlopen, but I'll need to write a test case first.

Florian
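Review bot: the two new fields added to `struct rtld_global_ro` in this hunk (`uintptr_t _dl_malloc_header_guard;` and `uintptr_t _dl_malloc_footer_guard;`) have no defined initialization path other than whatever runtime code fills rtld_global_ro, so any configuration that leaves the structure at its static initializer (the static dlopen case raised in the reply, where security_init is never reached) yields guard values of 0 and silently disables the header/footer check rather than failing loudly. Suggest either deriving the guards in that path as well or treating an all-zero pair as an error at the consumer, and extending the comment `/* malloc protection keys. */` to state where the values are produced and that 0 is not a valid guard. Minor: the fields are named guards but the comment calls them keys; aligning the wording (e.g. "malloc header/footer guard values") avoids confusion with memory-protection keys.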