[Bug 1821677] Re: dl_open segment fault in ubuntu18.10 glibc2.28

Brian Murray 1821677 at bugs.launchpad.net
Tue Dec 8 19:02:36 UTC 2020


Hello hongtao.liu, or anyone else affected,

Accepted glibc into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/glibc/2.27-3ubuntu1.4
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
bionic to verification-done-bionic. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-bionic. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: glibc (Ubuntu Bionic)
       Status: Confirmed => Fix Committed

** Tags added: verification-needed verification-needed-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1821677

Title:
  dl_open segment fault in ubuntu18.10 glibc2.28

Status in glibc package in Ubuntu:
  Fix Released
Status in glibc source package in Bionic:
  Fix Committed
Status in glibc source package in Cosmic:
  Won't Fix
Status in glibc source package in Disco:
  Fix Released

Bug description:
  [Impact]

  * Dlopen() may crash.

  [Test Case]

  $ sudo apt install make gcc
  $ wget https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1821677/+attachment/5252188/+files/dl-big-note.tar.xz
  $ tar -xf dl-big-note.tar.xz
  $ cd dl-big-note/
  $ make
  $ ./dl-big-note dl-big-note-lib.so

   all ok

  [Where problems could occur]

  * The fix is correcting a patch that was not updated to the new
  upstream code that was backported. There is little change in the code,
  but in case of an error it can crash again, let dlopen load an invalid
  ELF file due to the false positive verification or reject a valid ELF
  file due to erroneously failing verification (least likely).

  [Other Info]

  I've tested the fix with an amd64-only build and I'm building the packages here for all arches: 
  https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4242/+packages

  [Original Bug Text]
  With following testcase:

  ~/work/glibc$ cat foo.c

  #include <dlfcn.h>
  #include <stdio.h>

  int main(int argc, char **argv) {
    if (argc < 2) return 1;
    printf("Trying to open %s\n", argv[1]);
    void *liball = dlopen(argv[1], RTLD_NOW);
    if(liball == NULL) {
      printf("\nERROR: %s", dlerror());
      return -1;
    }
    if(dlclose(liball)==0) {printf("\n all ok\n");}
    return 0;
  }

  compile with
  ~/work/glibc$ gcc -O0 -g foo.c -ldl

  then get segment fault:

  ~/work/glibc$ ./a.out intel64_lin/libsvml.so
  Trying to open intel64_lin/libsvml.so
  Segmentation fault (core dumped)

  coredump as:

  (gdb) bt
  #0  __GI___libc_free (mem=0x7ffff7d49010) at malloc.c:3085
  #1  0x00007ffff7fdb6b6 in open_verify (
      name=0x555555559670 "/home/lilicui/intel64_lin/libsvml.so",
      fbp=fbp@entry=0x7fffffffd530, loader=<optimized out>,
      mode=mode@entry=-1879048190,
      found_other_class=found_other_class@entry=0x7fffffffd51f, free_name=true,
      whatcode=0, fd=3) at dl-load.c:1977
  #2  0x00007ffff7fdc926 in _dl_map_object (loader=loader@entry=0x7ffff7ffe190,
      name=name@entry=0x7fffffffe1b7 "/home/lilicui/intel64_lin/libsvml.so",
      type=type@entry=2, trace_mode=trace_mode@entry=0,
      mode=mode@entry=-1879048190, nsid=<optimized out>) at dl-load.c:2401
  #3  0x00007ffff7fe79c4 in dl_open_worker (a=a@entry=0x7fffffffdaa0)
      at dl-open.c:228
  #4  0x00007ffff7f1b48f in __GI__dl_catch_exception (exception=<optimized out>,
      operate=<optimized out>, args=<optimized out>) at dl-error-skeleton.c:196
  #5  0x00007ffff7fe72c6 in _dl_open (
      file=0x7fffffffe1b7 "/home/lilicui/intel64_lin/libsvml.so",
      mode=-2147483646, caller_dlopen=0x5555555551cb <main+86>,
      nsid=<optimized out>, argc=2, argv=0x7fffffffde08, env=0x7fffffffde20)
      at dl-open.c:599
  #6  0x00007ffff7faa256 in dlopen_doit (a=a@entry=0x7fffffffdcc0) at dlopen.c:66
  #7  0x00007ffff7f1b48f in __GI__dl_catch_exception (
      exception=exception@entry=0x7fffffffdc60, operate=<optimized out>,
  --Type <RET> for more, q to quit, c to continue without paging--
      args=<optimized out>) at dl-error-skeleton.c:196
  #8  0x00007ffff7f1b51f in __GI__dl_catch_error (
      objname=0x7ffff7fae0f0 <last_result+16>,
      errstring=0x7ffff7fae0f8 <last_result+24>,
      mallocedp=0x7ffff7fae0e8 <last_result+8>, operate=<optimized out>,
      args=<optimized out>) at dl-error-skeleton.c:215
  #9  0x00007ffff7faaa25 in _dlerror_run (
      operate=operate@entry=0x7ffff7faa200 <dlopen_doit>,
      args=args@entry=0x7fffffffdcc0) at dlerror.c:163
  #10 0x00007ffff7faa2e6 in __dlopen (file=<optimized out>, mode=<optimized out>)
      at dlopen.c:87
  #11 0x00005555555551cb in main (argc=2, argv=0x7fffffffde08) at foo.c:7

  intel64_lin/libsvml.so is icc19.0(already released) runtime library,
  refer to attachment.

  Ubuntu version:

  ~/work/glibc$ lsb_release -a
  No LSB modules are available.
  Distributor ID:	Ubuntu
  Description:	Ubuntu 18.10
  Release:	18.10
  Codename:	cosmic

  Glibc version:

  ~/work/glibc$ ldd --version
  ldd (Ubuntu GLIBC 2.28-0ubuntu1) 2.28
  Copyright (C) 2018 Free Software Foundation, Inc.
  This is free software; see the source for copying conditions.  There is NO
  warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  Written by Roland McGrath and Ulrich Drepper.

  It works fine with Glibc_2.28 upstream, and Glibc_2.28 on Fedora 29,
  but failed with Glibc 2.28 in Ubuntu 18.10

  I found ubuntu18.10 was backporting its own patches, would that affect
  such testcase?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1821677/+subscriptions


