Subject: Re: Possible glibc 2.35 ARM regression in LD_BIND_NOT
From: Adhemerval Zanella
Date: Tue, 5 Jul 2022 14:04:12 -0300
To: Nathan Nye
Cc: libc-help@sourceware.org
Message-Id: <0B99F4E6-2C9D-4346-B60F-D351A75936D4@linaro.org>
References: <055beaf8-d0ba-523b-499f-50f13834111b@whitebeamsec.com>

> On 5 Jul 2022, at 11:34, Nathan Nye wrote:
>
> All,
>
> I isolated the issue. When compiling binaries using gcc on Ubuntu 20.04 or below, the resulting binary does not have PIE, regardless of the -pie argument being passed to the compiler. Ubuntu 22.04 correctly reflects the default build flags being PIE, and the binaries have PIE unless the arguments passed to gcc include -no-pie.
>
> Thanks,
> Nathan Nye

The problem is not in fact PIE, but rather that newer toolchains default to bindnow. Using the provided example on

* Ubuntu 14 (glibc 2.19), Ubuntu 16 (glibc 2.23), and Ubuntu 18 (glibc 2.27)

$ gcc -Wall runevp.c -o runevp -Wl,-z,lazy
$ gcc -Wall -fPIC -shared -o auditlib.so auditlib.c
$ LD_AUDIT=./auditlib.so LD_BIND_NOT=1 LD_BIND_NOW=1 ./runevp
$

* And on Ubuntu 22.04 (glibc 2.35)

$ gcc -Wall runevp.c -o runevp -Wl,-z,lazy
$ gcc -Wall -fPIC -shared -o auditlib.so auditlib.c
$ LD_AUDIT=./auditlib.so LD_BIND_NOT=1 LD_BIND_NOW=1 ./runevp
symbol binding for ‘execvp'

On glibc 2.34 we now see a bind-now la_symbind event, different from the previous version. If you build with -Wl,-z,lazy we will see the previous behavior, where la_symbind will be called on each symbol resolution.
Now for LD_BIND_NOT and bind-now, I think this is the correct behavior: we need to always update the GOT entry, since the runtime won't set up a lazy-resolution PLT entry (symbol resolution is always set up at the startup phase). Otherwise we would need to add a hack similar to LD_PROFILE, and I really don't think this is the best strategy.

>
> On 7/4/22 3:31 PM, Nathan Nye wrote:
>> +Adhemerval
>>
>> Hi Adhemerval,
>>
>> I think you may know the relevant source best if this issue exists. Your feedback would be really valuable if you're able to test it.
>>
>> Very respectfully,
>> Nathan Nye
>>
>> On 7/4/22 3:14 PM, Nathan Nye wrote:
>>> Good afternoon,
>>>
>>> I'm reviewing what could be a regression in LD_BIND_NOT's functionality in glibc 2.35 on ARM architectures (there were a few recent ARM audit changes). Symbol binding only occurs a single time on glibc 2.35/ARM, even when LD_BIND_NOT is enabled. I've tested:
>>> • Ubuntu 22.04 x86_64 glibc 2.35
>>> • Ubuntu 20.04 ARM glibc 2.34
>>> • Ubuntu 22.04 ARM glibc 2.35
>>> I could use a second pair of eyes on this issue to verify it exists. Here is the test case I cobbled together; please excuse the poor C code I wrote while testing: https://pastebin.com/raw/HSSYjemj
>>>
>>> I've also attached the test case to this email. Thanks!
>>>
>>> Very respectfully,
>>> Nathan Nye
>>
>
>
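Added example, not part of this thread and not Nathan Nye's attached test case or glibc's own code: an LD_AUDIT library that keeps a per-symbol counter of la_symbind events, so the number of binding notifications under -Wl,-z,lazy versus -Wl,-z,now (with and without LD_BIND_NOT=1) can be compared directly rather than inferred from a single printed line. The file name auditlib_count.c, the program name runevp and the build commands in the header comment are assumptions; runevp can be any program that calls execvp or another libc function through the PLT. Two points the thread's transcript does not show: la_objopen has to return LA_FLG_BINDTO | LA_FLG_BINDFROM, otherwise ld.so never calls la_symbind for that object at all (an audit library that omits la_objopen sees nothing in either link mode), and the value returned from la_symbind is what ld.so stores in the GOT, so an auditor that only wants to observe must hand back sym->st_value unchanged.

```c
/* auditlib_count.c: LD_AUDIT library counting la_symbind events per symbol.
 * Hypothetical build/run sequence (assumed names, not from the thread):
 *   gcc -Wall -fPIC -shared -o auditlib_count.so auditlib_count.c
 *   gcc -Wall -o runevp runevp.c -Wl,-z,lazy
 *   LD_AUDIT=./auditlib_count.so LD_BIND_NOT=1 ./runevp
 *   gcc -Wall -o runevp runevp.c -Wl,-z,now
 *   LD_AUDIT=./auditlib_count.so LD_BIND_NOT=1 ./runevp
 * Compare the "event #N" lines for the same symbol between the two runs.
 */
#define _GNU_SOURCE          /* must precede <link.h>: exposes the la_* interface */
#include <link.h>
#include <stdio.h>
#include <string.h>

#define MAX_SYMS 64

/* Constructed in-memory table; symbols beyond MAX_SYMS are reported but not counted. */
static struct { char name[64]; unsigned long hits; } table[MAX_SYMS];
static unsigned int nsyms;

/* Record one la_symbind event for `name` and return its running count. */
static unsigned long record_bind(const char *name)
{
    for (unsigned int i = 0; i < nsyms; i++)
        if (strcmp(table[i].name, name) == 0)
            return ++table[i].hits;
    if (nsyms < MAX_SYMS) {
        snprintf(table[nsyms].name, sizeof table[nsyms].name, "%s", name);
        table[nsyms].hits = 1;
        nsyms++;
        return 1;
    }
    return 0;
}

/* Read-only accessor: events seen so far for `name`, 0 if never bound. */
unsigned long bind_count(const char *name)
{
    for (unsigned int i = 0; i < nsyms; i++)
        if (strcmp(table[i].name, name) == 0)
            return table[i].hits;
    return 0;
}

/* Mandatory handshake with ld.so; returning 0 would disable the auditor. */
unsigned int la_version(unsigned int version)
{
    (void)version;
    return LAV_CURRENT;
}

/* Without BINDTO|BINDFROM on the involved objects, ld.so skips la_symbind. */
unsigned int la_objopen(struct link_map *map, Lmid_t lmid, uintptr_t *cookie)
{
    (void)lmid;
    *cookie = (uintptr_t)map;   /* cookie is handed back as refcook/defcook */
    return LA_FLG_BINDTO | LA_FLG_BINDFROM;
}

/* Called when ld.so binds a symbol. The return value is what gets written
 * into the GOT, so returning sym->st_value leaves the binding untouched.
 * 64-bit ELF targets (x86_64, aarch64) use la_symbind64; ILP32 targets
 * such as 32-bit ARM use la_symbind32 with an Elf32_Sym instead. */
uintptr_t la_symbind64(Elf64_Sym *sym, unsigned int ndx, uintptr_t *refcook,
                       uintptr_t *defcook, unsigned int *flags, const char *symname)
{
    (void)ndx; (void)refcook; (void)defcook;
    unsigned long n = record_bind(symname);
    fprintf(stderr, "la_symbind: %s (event #%lu, flags=%#x)\n", symname, n, *flags);
    return sym->st_value;
}
```

Running the same binary with and without LD_BIND_NOT=1 in each link mode, and watching whether the per-symbol counter for execvp ever goes above 1, is the quickest way to check which of the behaviours described above a given glibc build actually exhibits.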