Subject: Re: My dynamic loader refuses to load libQt5Core because of the ABI tag note
From: Adhemerval Zanella
To: Carlos O'Donell, noloader@gmail.com, Krzysztof Żelechowski
Cc: "libc-help@sourceware.org"
Date: Thu, 7 Oct 2021 16:05:30 -0300

On 07/10/2021 16:00, Carlos O'Donell via Libc-help wrote:
> On 10/7/21 14:53, Jeffrey Walton via Libc-help wrote:
>> On Thu, Oct 7, 2021 at 2:47 PM Krzysztof Żelechowski via Libc-help
>> wrote:
>>>
>>> /usr/lib/YaST2/bin/y2controlcenter
>>> /usr/lib/YaST2/bin/y2controlcenter: error while loading shared libraries: libQt5Core.so.5: cannot open shared object file: No such file or directory
>>> uname -r
>>> 4.4.0-19041-Microsoft
>>> ldd /usr/lib64/libQt5Widgets.so.5
>>> libQt5Core.so.5 => not found
>>> /usr/lib64/libQt5Core.so.5
>>> This is the QtCore library version Qt 5.12.7 (x86_64-little_endian-lp64 shared (dynamic) release build; by GCC 7.5.0)
>>> Copyright (C) 2016 The Qt Company Ltd.
>>> Contact: http://www.qt.io/licensing/
>>>
>>> Installation prefix: /usr
>>> Library path: lib64
>>> Include path: include/qt5
>>> Processor features: sse2[required] sse3 ssse3 fma sse4.1 sse4.2 movbe popcnt aes avx f16c rdrnd bmi avx2 bmi2 rdseed sha
>>> readelf -n /usr/lib64/libQt5Core.so.5
>>> Displaying notes found in: .note.ABI-tag
>>> Owner Data size Description
>>> GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
>>> OS: Linux, ABI: 3.17.0
>>> objcopy -R .note.ABI-tag /usr/lib64/libQt5Core.so.5 /tmp/libQt5Core.so.5
>>> LD_LIBRARY_PATH=/tmp /usr/lib/YaST2/bin/y2controlcenter
>>
>> Off-topic, this is probably CVE worthy:
>>
>> LD_LIBRARY_PATH=/tmp
>
> Why is this CVE worthy?
>
> The user copied a library to /tmp, stripping a section, and then restarted the binary
> with an LD_LIBRARY_PATH to use the temporary copy of the library with the changes.
>
> LD_LIBRARY_PATH is used *after* DT_RPATH (if DT_RUNPATH is not present), and so has
> precedence as expected, and is controlled by the user.
>

And there is some discussion whether it is up to glibc to deny preload of file with
NOEXEC mounts [1] (if it is what you might be referring to).

[1] https://sourceware.org/pipermail/libc-alpha/2021-August/130403.html
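
Added example, not part of the original message and not glibc code: a bounds-checked reader for the NT_GNU_ABI_TAG note that readelf -n decodes in the thread, so the required OS and ABI version can be inspected without stripping the section. The names find_abi_tag, struct abi_tag and SAMPLE are hypothetical, the sample bytes are constructed, and the code assumes little-endian notes with 4-byte alignment.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NT_GNU_ABI_TAG 1u /* note type from <elf.h> */

struct abi_tag { uint32_t os, major, minor, subminor; }; /* os 0 = Linux */

/* Constructed sample: a 4-byte filler note followed by an ABI tag of Linux 3.17.0. */
static const unsigned char SAMPLE[] = {
    4,0,0,0, 4,0,0,0, 3,0,0,0, 'G','N','U',0, 0xaa,0xbb,0xcc,0xdd,
    4,0,0,0, 16,0,0,0, 1,0,0,0, 'G','N','U',0,
    0,0,0,0, 3,0,0,0, 17,0,0,0, 0,0,0,0,
};

/* Little-endian 32-bit read, matching the x86_64 library in the thread. */
static uint32_t rd32(const unsigned char *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the notes in sec[0..len); return 0 and fill *out for the first
   GNU ABI tag, or -1 if there is none or a note overruns the buffer. */
int find_abi_tag(const unsigned char *sec, size_t len, struct abi_tag *out) {
    size_t off = 0;
    while (len - off >= 12) {
        uint32_t namesz = rd32(sec + off), descsz = rd32(sec + off + 4);
        uint32_t type = rd32(sec + off + 8);
        size_t rest = len - off - 12;
        if (namesz > rest) return -1;
        size_t name_pad = ((size_t)namesz + 3) & ~(size_t)3; /* 4-byte alignment */
        if (name_pad > rest || descsz > rest - name_pad) return -1;
        const unsigned char *name = sec + off + 12, *desc = name + name_pad;
        if (type == NT_GNU_ABI_TAG && namesz == 4 && descsz == 16 &&
            memcmp(name, "GNU", 4) == 0) {
            *out = (struct abi_tag){ rd32(desc), rd32(desc + 4), rd32(desc + 8), rd32(desc + 12) };
            return 0;
        }
        size_t desc_pad = ((size_t)descsz + 3) & ~(size_t)3;
        if (desc_pad > rest - name_pad) return -1;
        off += 12 + name_pad + desc_pad;
    }
    return -1;
}

int main(void) {
    struct abi_tag t;
    if (find_abi_tag(SAMPLE, sizeof SAMPLE, &t) == 0)
        printf("OS: %u, ABI: %u.%u.%u\n", t.os, t.major, t.minor, t.subminor);
    return 0;
}
```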