Re: How to detect symbol interposition?

[Carlos O'Donell <carlos at redhat dot com>]

On 06/28/2016 10:12 AM, Florian Weimer wrote:
> I need a way to detect symbol interposition from within libc.

I assume you mean you will be writing code that lives in libc and needs
to determine that ld.so has interposed a libc symbol with a symbol from
another library?

> It seems that this is not directly distinguishable from interposition
> based on addresses alone:

[snip]

> If I have a hidden alias of malloc within libc (say, __libc_malloc),
> so that I can get the original address, it will be not equal to
> malloc because malloc in the entire process will point to the PLT
> stub.  The PLT stub will call malloc, of course, but you cannot tell
> this from its address.

And this changes depending on the architecture details.

IMO it is a defect in x86 that the address of the function points to
the PLT. Taking the address _should_ generate a relocation that resolves
the address of the function so you have a canonical address. This is what
architectures with OPDs do like hppa or ppc64.

Without such a canonical address mechanism you have no way to tell where
the resolution goes to.

> Any suggestions?

The only solution that I know of is to use the LD_AUDIT mechanisms to
catch the PLT resolution and observe the final address of the resolution.

This won't be possible if we get -fno-plt since there will only be
a GOT reloc that is adjusted at startup, and no PLT (prevents auditing).

At which point we'd need to extend the auditing to a per-reloc auditing
process in order to detect interposition.

We need Ben Woodards proposed optimization too which finalizes an audited
symbol if all modules only wanted to look at the results once
(https://sourceware.org/ml/libc-alpha/2015-07/msg00266.html).

-- 
Cheers,
Carlos.