[Bug 1821677] Re: dl_open segment fault in ubuntu18.10 glibc2.28

Balint Reczey 1821677 at bugs.launchpad.net
Mon Dec 7 17:25:51 UTC 2020


** Description changed:

  [Impact]
  
  * Dlopen() may crash.
  
  [Test Case]
  
- $ sudo apt install make gcc 
+ $ sudo apt install make gcc
  $ wget https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1821677/+attachment/5252188/+files/dl-big-note.tar.xz
- $ tar -xf dl-big-note.tar.xz 
+ $ tar -xf dl-big-note.tar.xz
  $ cd dl-big-note/
  $ make
- $ ./dl-big-note dl-big-note-lib.so 
+ $ ./dl-big-note dl-big-note-lib.so
  
-  all ok
- 
+  all ok
  
  [Where problems could occur]
  
  * The fix is correcting a patch that was not updated to the new upstream
  code that was backported. There is little change in the code, but in
  case of an error it can crash again, let dlopen load an invalid ELF file
  due to the false positive verification or reject a valid ELF file due to
  erroneoudly failing verification (least likely).
  
+ [Other Info]
  
- [Original Bug Text] 
+ I've tested the fix with an amd64-only build and I'm building the packages here for all arches: 
+ https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4242/+packages
+ 
+ [Original Bug Text]
  With following testcase:
  
  ~/work/glibc$ cat foo.c
  
  #include <dlfcn.h>
  #include <stdio.h>
  
  int main(int argc, char **argv) {
    if (argc < 1) return 1;
    printf("Trying to open %s\n", argv[1]);
    void *liball = dlopen(argv[1], RTLD_NOW);
    if(liball == NULL) {
      printf("\nERROR: %s", dlerror());
      return -1;
    }
    if(dlclose(liball)==0) {printf("\n all ok\n");}
    return 0;
  }
  
  compile with
  ~/work/glibc$ gcc -O0 -g foo.c -ldl
  
  then get segment fault:
  
  ~/work/glibc$ ./a.out intel64_lin/libsvml.so
  Trying to open intel64_lin/libsvml.so
  Segmentation fault (core dumped)
  
  coredump as:
  
  (gdb) bt
  #0  __GI___libc_free (mem=0x7ffff7d49010) at malloc.c:3085
  #1  0x00007ffff7fdb6b6 in open_verify (
      name=0x555555559670 "/home/lilicui/intel64_lin/libsvml.so",
      fbp=fbp at entry=0x7fffffffd530, loader=<optimized out>,
      mode=mode at entry=-1879048190,
      found_other_class=found_other_class at entry=0x7fffffffd51f, free_name=true,
      whatcode=0, fd=3) at dl-load.c:1977
  #2  0x00007ffff7fdc926 in _dl_map_object (loader=loader at entry=0x7ffff7ffe190,
      name=name at entry=0x7fffffffe1b7 "/home/lilicui/intel64_lin/libsvml.so",
      type=type at entry=2, trace_mode=trace_mode at entry=0,
      mode=mode at entry=-1879048190, nsid=<optimized out>) at dl-load.c:2401
  #3  0x00007ffff7fe79c4 in dl_open_worker (a=a at entry=0x7fffffffdaa0)
      at dl-open.c:228
  #4  0x00007ffff7f1b48f in __GI__dl_catch_exception (exception=<optimized out>,
      operate=<optimized out>, args=<optimized out>) at dl-error-skeleton.c:196
  #5  0x00007ffff7fe72c6 in _dl_open (
      file=0x7fffffffe1b7 "/home/lilicui/intel64_lin/libsvml.so",
      mode=-2147483646, caller_dlopen=0x5555555551cb <main+86>,
      nsid=<optimized out>, argc=2, argv=0x7fffffffde08, env=0x7fffffffde20)
      at dl-open.c:599
  #6  0x00007ffff7faa256 in dlopen_doit (a=a at entry=0x7fffffffdcc0) at dlopen.c:66
  #7  0x00007ffff7f1b48f in __GI__dl_catch_exception (
      exception=exception at entry=0x7fffffffdc60, operate=<optimized out>,
  --Type <RET> for more, q to quit, c to continue without paging--
      args=<optimized out>) at dl-error-skeleton.c:196
  #8  0x00007ffff7f1b51f in __GI__dl_catch_error (
      objname=0x7ffff7fae0f0 <last_result+16>,
      errstring=0x7ffff7fae0f8 <last_result+24>,
      mallocedp=0x7ffff7fae0e8 <last_result+8>, operate=<optimized out>,
      args=<optimized out>) at dl-error-skeleton.c:215
  #9  0x00007ffff7faaa25 in _dlerror_run (
      operate=operate at entry=0x7ffff7faa200 <dlopen_doit>,
      args=args at entry=0x7fffffffdcc0) at dlerror.c:163
  #10 0x00007ffff7faa2e6 in __dlopen (file=<optimized out>, mode=<optimized out>)
      at dlopen.c:87
  #11 0x00005555555551cb in main (argc=2, argv=0x7fffffffde08) at foo.c:7
  
  intel64_lin/libsvml.so is icc19.0(aleady released) runtime library,
  refer to attachment.
  
  Ubuntu version:
  
  ~/work/glibc$ lsb_release -a
  No LSB modules are available.
  Distributor ID:	Ubuntu
  Description:	Ubuntu 18.10
  Release:	18.10
  Codename:	cosmic
  
  Glibc version:
  
  ~/work/glibc$ ldd --version
  ldd (Ubuntu GLIBC 2.28-0ubuntu1) 2.28
  Copyright (C) 2018 Free Software Foundation, Inc.
  This is free software; see the source for copying conditions.  There is NO
  warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  Written by Roland McGrath and Ulrich Drepper.
  
  It works fine with Glibc_2.28 upstream, and Glibc_2.28 on Fedora 29, but
  failed with Glibc 2.28 in Ubuntu 18.10
  
  I found ubuntu18.10 was backporting its own patches, would that affect
  such testcase?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1821677

Title:
  dl_open segment fault in ubuntu18.10 glibc2.28

Status in glibc package in Ubuntu:
  Fix Released
Status in glibc source package in Bionic:
  Confirmed
Status in glibc source package in Cosmic:
  Won't Fix
Status in glibc source package in Disco:
  Fix Released

Bug description:
  [Impact]

  * Dlopen() may crash.

  [Test Case]

  $ sudo apt install make gcc
  $ wget https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1821677/+attachment/5252188/+files/dl-big-note.tar.xz
  $ tar -xf dl-big-note.tar.xz
  $ cd dl-big-note/
  $ make
  $ ./dl-big-note dl-big-note-lib.so

   all ok

  [Where problems could occur]

  * The fix corrects a patch that was not updated to the new upstream
  code that was backported. The code change is small, but if it is wrong
  the loader can crash again, dlopen can load an invalid ELF file because
  the verification produces a false positive, or (least likely) dlopen can
  reject a valid ELF file because the verification erroneously fails.
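  As an added example (not code from this bug, its attachment, or glibc): a simplified model of the ownership rule that the free() at the top of the backtrace depends on. open_verify reads the start of the file into a fixed buffer and uses a note in place when that read already covers it, but a note lying past it (as with a big note segment) has to be read into separately allocated memory, and only that allocation may ever be freed. FILEBUF_SIZE, count_note_entries and build_sample are this example's own assumptions, not glibc's names, and the ELF image is constructed in memory.

```c
#include <elf.h>
#include <stdlib.h>
#include <string.h>
#define FILEBUF_SIZE 832  /* assumed: glibc's fixed first-read buffer size on 64-bit */
/* Count the entries of the first PT_NOTE segment of an in-memory ELF64 image (-1 if malformed,
 * 0 if none). A note the first read already covers is used in place; a note past it is read into
 * a heap copy; only that heap copy is ever passed to free(). */
int count_note_entries(const unsigned char *file, size_t len)
{
    _Alignas(8) unsigned char buf[FILEBUF_SIZE];
    if (len < sizeof(Elf64_Ehdr)) return -1;
    size_t nread = len < FILEBUF_SIZE ? len : FILEBUF_SIZE;
    memcpy(buf, file, nread);                                 /* stands in for the first read() */
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)buf;
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 || eh->e_ident[EI_CLASS] != ELFCLASS64
        || eh->e_phentsize != sizeof(Elf64_Phdr)) return -1;
    size_t phsize = (size_t)eh->e_phnum * sizeof(Elf64_Phdr);
    if (eh->e_phoff > nread || phsize > nread - eh->e_phoff) return -1;  /* simplification: table in first read */
    const Elf64_Phdr *ph = (const Elf64_Phdr *)(buf + eh->e_phoff);
    for (int i = 0; i < eh->e_phnum; i++, ph++) {
        if (ph->p_type != PT_NOTE) continue;
        size_t off = ph->p_offset, size = ph->p_filesz;
        if (off > len || size > len - off) return -1;          /* segment must lie inside the file */
        unsigned char *heap = NULL; const unsigned char *note = NULL;
        if (off + size <= nread) note = buf + off;             /* already in buf: borrow, never free */
        else if ((heap = malloc(size)) != NULL) { memcpy(heap, file + off, size); note = heap; }
        else return -1;
        int n = 0;
        for (size_t p = 0; p + sizeof(Elf64_Nhdr) <= size; n++) {
            Elf64_Nhdr nh; memcpy(&nh, note + p, sizeof nh);
            size_t step = sizeof nh + (((size_t)nh.n_namesz + 3) & ~(size_t)3) + (((size_t)nh.n_descsz + 3) & ~(size_t)3);
            if (step > size - p) { n = -1; break; }             /* entry overruns its segment */
            p += step;
        }
        free(heap);   /* free(NULL) is a no-op; buf is stack memory and is never freed */
        return n;
    }
    return 0;
}
/* Constructed sample: header, one PT_NOTE phdr at offset 64, n 32-byte "GNU" entries at note_off. */
size_t build_sample(unsigned char *out, size_t cap, size_t note_off, int n)
{
    size_t total = note_off + (size_t)n * 32;
    if (note_off < sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr) || total > cap) return 0;
    memset(out, 0, total);
    Elf64_Ehdr eh = {0}; memcpy(eh.e_ident, ELFMAG, SELFMAG); eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 1; memcpy(out, &eh, sizeof eh);
    Elf64_Phdr ph = { .p_type = PT_NOTE, .p_offset = note_off, .p_filesz = (size_t)n * 32 };
    memcpy(out + sizeof eh, &ph, sizeof ph);
    Elf64_Nhdr nh = { .n_namesz = 4, .n_descsz = 16, .n_type = 1 };   /* 12 + 4 + 16 = 32 bytes per entry */
    for (int i = 0; i < n; i++) { memcpy(out + note_off + i * 32, &nh, sizeof nh); memcpy(out + note_off + i * 32 + sizeof nh, "GNU", 4); }
    return total;
}
```

  The same bounds checks apply whether the note was borrowed or copied; what differs is only which pointer is handed to free().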

  [Other Info]

  I've tested the fix with an amd64-only build and I'm building the packages here for all arches: 
  https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4242/+packages

  [Original Bug Text]
  With following testcase:

  ~/work/glibc$ cat foo.c

  #include <dlfcn.h>
  #include <stdio.h>

  int main(int argc, char **argv) {
    if (argc < 2) return 1;   /* a library path is required as argv[1] */
    printf("Trying to open %s\n", argv[1]);
    void *liball = dlopen(argv[1], RTLD_NOW);
    if (liball == NULL) {
      printf("\nERROR: %s\n", dlerror());
      return -1;
    }
    if (dlclose(liball) == 0) { printf("\n all ok\n"); }
    return 0;
  }

  compile with
  ~/work/glibc$ gcc -O0 -g foo.c -ldl

  then get segment fault:

  ~/work/glibc$ ./a.out intel64_lin/libsvml.so
  Trying to open intel64_lin/libsvml.so
  Segmentation fault (core dumped)

  coredump as:

  (gdb) bt
  #0  __GI___libc_free (mem=0x7ffff7d49010) at malloc.c:3085
  #1  0x00007ffff7fdb6b6 in open_verify (
      name=0x555555559670 "/home/lilicui/intel64_lin/libsvml.so",
      fbp=fbp at entry=0x7fffffffd530, loader=<optimized out>,
      mode=mode at entry=-1879048190,
      found_other_class=found_other_class at entry=0x7fffffffd51f, free_name=true,
      whatcode=0, fd=3) at dl-load.c:1977
  #2  0x00007ffff7fdc926 in _dl_map_object (loader=loader at entry=0x7ffff7ffe190,
      name=name at entry=0x7fffffffe1b7 "/home/lilicui/intel64_lin/libsvml.so",
      type=type at entry=2, trace_mode=trace_mode at entry=0,
      mode=mode at entry=-1879048190, nsid=<optimized out>) at dl-load.c:2401
  #3  0x00007ffff7fe79c4 in dl_open_worker (a=a at entry=0x7fffffffdaa0)
      at dl-open.c:228
  #4  0x00007ffff7f1b48f in __GI__dl_catch_exception (exception=<optimized out>,
      operate=<optimized out>, args=<optimized out>) at dl-error-skeleton.c:196
  #5  0x00007ffff7fe72c6 in _dl_open (
      file=0x7fffffffe1b7 "/home/lilicui/intel64_lin/libsvml.so",
      mode=-2147483646, caller_dlopen=0x5555555551cb <main+86>,
      nsid=<optimized out>, argc=2, argv=0x7fffffffde08, env=0x7fffffffde20)
      at dl-open.c:599
  #6  0x00007ffff7faa256 in dlopen_doit (a=a at entry=0x7fffffffdcc0) at dlopen.c:66
  #7  0x00007ffff7f1b48f in __GI__dl_catch_exception (
      exception=exception at entry=0x7fffffffdc60, operate=<optimized out>,
      args=<optimized out>) at dl-error-skeleton.c:196
  #8  0x00007ffff7f1b51f in __GI__dl_catch_error (
      objname=0x7ffff7fae0f0 <last_result+16>,
      errstring=0x7ffff7fae0f8 <last_result+24>,
      mallocedp=0x7ffff7fae0e8 <last_result+8>, operate=<optimized out>,
      args=<optimized out>) at dl-error-skeleton.c:215
  #9  0x00007ffff7faaa25 in _dlerror_run (
      operate=operate at entry=0x7ffff7faa200 <dlopen_doit>,
      args=args at entry=0x7fffffffdcc0) at dlerror.c:163
  #10 0x00007ffff7faa2e6 in __dlopen (file=<optimized out>, mode=<optimized out>)
      at dlopen.c:87
  #11 0x00005555555551cb in main (argc=2, argv=0x7fffffffde08) at foo.c:7

  intel64_lin/libsvml.so is the icc 19.0 (already released) runtime library;
  refer to the attachment.

  Ubuntu version:

  ~/work/glibc$ lsb_release -a
  No LSB modules are available.
  Distributor ID:	Ubuntu
  Description:	Ubuntu 18.10
  Release:	18.10
  Codename:	cosmic

  Glibc version:

  ~/work/glibc$ ldd --version
  ldd (Ubuntu GLIBC 2.28-0ubuntu1) 2.28
  Copyright (C) 2018 Free Software Foundation, Inc.
  This is free software; see the source for copying conditions.  There is NO
  warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  Written by Roland McGrath and Ulrich Drepper.

  It works fine with Glibc_2.28 upstream, and Glibc_2.28 on Fedora 29,
  but fails with Glibc 2.28 in Ubuntu 18.10.

  I found Ubuntu 18.10 was backporting its own patches; would that affect
  such a testcase?
