From: Jakub Jelinek
To: Ulrich Drepper
Cc: Glibc hackers
Subject: [PATCH] Fix segfault in open_path
Date: Mon, 07 Feb 2005 10:49:00 -0000
Message-ID: <20050207104949.GA4777@sunsite.mff.cuni.cz>

Hi!

Running:

#include <unistd.h>   /* chroot */
#include <dlfcn.h>    /* dlopen, RTLD_LAZY */

int main (void)
{
  chroot ("/tmp/foobar");
  dlopen ("libnss_compat.so.2", RTLD_LAZY);
  return 0;
}

as root after rm -rf /tmp/foobar; mkdir /tmp/foobar results in a segfault.

The problem is that rtld_search_dirs is attribute_relro, but open_path, if it doesn't find any of the standard search directories, wants to clear it. One solution would be to remove attribute_relro from rtld_search_dirs, but that's a variable that IMHO should be protected from changing, so this patch just avoids writing into it instead. Because standard search paths are almost always present and only in very rare situations like this chroot testcase none of them is, I think letting ld.so in this case cycle through open_path and see that all dirs in it are nonexisting is not a big deal. rtld_search_dirs.malloced is 0, so it is not freed either.

2005-01-07  Jakub Jelinek

	* elf/dl-load.c (open_path): If rtld_search_dirs is in RELRO segment,
	avoid writing to it if none of the standard search directories exist.

--- libc/elf/dl-load.c.jj 2005-01-19 14:12:38.000000000 +0100 +++ libc/elf/dl-load.c 2005-02-07 11:24:58.611074914 +0100 @@ -1876,7 +1876,12 @@ open_path (const char *name, size_t name must not be freed using the general free() in libc. */ if (sps->malloced) free (sps->dirs); - sps->dirs = (void *) -1; +#ifdef HAVE_Z_RELRO + /* rtld_search_dirs is attribute_relro, therefore avoid writing + into it. */ + if (sps != &rtld_search_dirs) +#endif + sps->dirs = (void *) -1; } return -1;

Jakub
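Review bot: Putting `#endif` between `if (sps != &rtld_search_dirs)` and its body `sps->dirs = (void *) -1;` makes the assignment the conditional's statement only when HAVE_Z_RELRO is defined and an unconditional statement otherwise; that is the intended behaviour, but it is fragile against later edits, so consider braces around the assignment inside the `#ifdef` (or an `else`-free block) and a comment stating that, without RELRO support, the sentinel write is still safe. The comment in the hunk should also say what the skip costs: because `rtld_search_dirs.dirs` is never set to the `(void *) -1` sentinel, every subsequent `open_path` over the system search path re-walks the non-existent directories, which the cover letter accepts as rare but the code itself does not record. Minor: the ChangeLog entry is dated 2005-01-07 while the patch and mail are from 7 Feb 2005.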