[Bug 1243473] Re: LD_AUDIT is broken on amd64
Adam Conrad
adconrad at 0c3.net
Wed Oct 23 01:08:46 UTC 2013
** Changed in: eglibc (Ubuntu)
Assignee: (unassigned) => Adam Conrad (adconrad)
** Also affects: eglibc (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: eglibc (Ubuntu Quantal)
Importance: Undecided
Status: New
** Changed in: eglibc (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/1243473
Title:
LD_AUDIT is broken on amd64
Status in “eglibc” package in Ubuntu:
Fix Released
Status in “eglibc” source package in Precise:
New
Status in “eglibc” source package in Quantal:
New
Bug description:
[Impact]
LD_AUDIT is an "auditing interface" for the dynamic linker (ld.so), which allows an audit library specified in that environment variable to register hooks for loading and unloading objects, resolving relocations, and calling functions across dynamic libraries. It is particularly useful as a debugging tool; the command "latrace" is based on this functionality. It is also useful for making certain runtime changes to how libraries or symbols are resolved, similar to LD_PRELOAD but more powerful. See rtld-audit(7) for details.
In glibc before 2.17 (i.e., Precise and Quantal), on amd64, almost any
use of LD_AUDIT on amd64 crashes with the following backtrace:
[1538449.702152] python[13400]: segfault at 60 ip 00007fdeaa97e8a3 sp 00007ffffd50bb00 error 4 in ld-2.15.so[7fdeaa970000+22000]
(gdb) bt
#0 _dl_profile_fixup (l=0x7fdeaab679d8, reloc_arg=3, retaddr=140594303358361, regs=0x7ffffd50bbd0, framesizep=0x7ffffd50bf28) at ../elf/dl-runtime.c:177
#1 0x00007fdeaa9856e8 in _dl_runtime_profile () at ../sysdeps/x86_64/dl-trampoline.h:49
...
In particular, l->l_reloc_result is NULL, and ld.so proceeds to
dereference it.
That code has since been patched upstream with the following comment:
if (l->l_reloc_result == NULL)
{
/* BZ #14843: ELF_DYNAMIC_RELOCATE is called before l_reloc_result
is allocated. We will get here if ELF_DYNAMIC_RELOCATE calls a
resolver function to resolve an IRELATIVE relocation and that
resolver calls a function that is not yet resolved (lazy). For
example, the resolver in x86-64 libm.so calls __get_cpu_features
defined in libc.so. Skip audit and resolve the external function
in this case. */
The referenced upstream bug (which unfortunately doesn't mention that it's fixed) is
http://sourceware.org/bugzilla/show_bug.cgi?id=14843
The full upstream commit is
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=2e64d2659d3edaebc792ac596a9863f1626e5c25
and only adds that one if statement and a test case.
[Test Case]
Install the latrace package, and try to trace anything that links libm.so (as described above) or anything else using the same functionality. `python -c 1` is a good test. Note that it segfaults:
salmon-of-wisdom:/tmp gthomas$ latrace python -c 1
python finished - killed by signal 11
The expected result is tracing output. Taken from an schroot with the
fix applied:
(precise-amd64)root at salmon-of-wisdom:/tmp# latrace python -c 1
30242 _dl_get_tls_static_info [/lib64/ld-linux-x86-64.so.2]
30242 getrlimit [/lib/x86_64-linux-gnu/libc.so.6]
30242 __libc_dl_error_tsd [/lib/x86_64-linux-gnu/libc.so.6]
30242 __libc_pthread_init [/lib/x86_64-linux-gnu/libc.so.6]
...
You can also test this with a simple LD_AUDIT module:
salmon-of-wisdom:/tmp gthomas$ cat audit.c
unsigned int la_version(unsigned int version)
{
return version;
}
salmon-of-wisdom:/tmp gthomas$ gcc -fPIC -shared -o audit.so audit.c
salmon-of-wisdom:/tmp gthomas$ LD_AUDIT=/tmp/audit.so python -c 1
Segmentation fault (core dumped)
[Regression Potential]
It seems highly unlikely to me that this patch introduces the possibility of regression: it checks for a NULL in a case where ld.so was previously not checking and instead dereferencing the NULL pointer, so we were already going to crash if we hit the code added by this patch.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1243473/+subscriptions
More information about the foundations-bugs
mailing list