Bug 24133

Summary:	Potential NULL-pointer dereference in CET library setup
Product:	glibc	Reporter:	Carlos O'Donell <carlos>
Component:	libc	Assignee:	Not yet assigned to anyone <unassigned>
Status:	WAITING ---
Severity:	normal	CC:	drepper.fsp, hjl.tools
Priority:	P2	Flags:	fweimer: security-
Version:	2.30
Target Milestone:	---
Host:		Target:
Build:		Last reconfirmed:
Bug Depends on:	24259
Bug Blocks:

Description Carlos O'Donell 2019-01-24 20:28:36 UTC

In sysdeps/x86/dl-cet.c we have several error cases:

117   if (ibt_enabled || shstk_enabled)
118     {
119       struct link_map *l = NULL;

260       if (enable_ibt != ibt_enabled || enable_shstk != shstk_enabled)
261         {
262           if (!program
263               && enable_shstk_type != CET_PERMISSIVE)
264             {
265               /* When SHSTK is enabled, we can't dlopening a shared
266                  object without SHSTK.  */
267               if (enable_shstk != shstk_enabled)
268                 _dl_signal_error (EINVAL, l->l_name, "dlopen",
269                                   N_("shadow stack isn't enabled"));
270               return;
271             }

284           if (res != 0)
285             {
286               if (program)
287                 _dl_fatal_printf ("%s: can't disable CET\n", program);
288               else
289                 _dl_signal_error (-res, l->l_name, "dlopen",
290                                   N_("can't disable CET"));
291             }

It is entirely possible that the dsos don't have CET enabled, but ld.so does have CET enabled, and so it looks like it's possible to reach both _dl_disgnal_error cases where a NULL l is dereferenced and we crash.

Comment 1 H.J. Lu 2019-01-24 22:38:41 UTC

A testcase?

Comment 2 Carlos O'Donell 2019-01-25 00:51:29 UTC

(In reply to H.J. Lu from comment #1)
> A testcase?

I don't have one yet, this was just by inspection and I didn't want to forget it so I filed a bug.

Comment 3 H.J. Lu 2019-01-25 23:02:08 UTC

sysdeps/x86/tst-cet-legacy-4c.c should cover it:

[hjl@gnu-cet-1 build-x86_64-linux]$ readelf -n elf/tst-cet-legacy-4c

Displaying notes found in: .note.gnu.property
  Owner                 Data size	Description
  GNU                  0x00000030	NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
	x86 ISA used: CMOV, SSE, SSE2
	x86 feature used: x86, XMM
...
[hjl@gnu-cet-1 build-x86_64-linux]$ readelf -n elf/tst-cet-legacy-mod-4.so

Displaying notes found in: .note.gnu.property
  Owner                 Data size	Description
  GNU                  0x00000020	NT_GNU_PROPERTY_TYPE_0
      Properties: x86 ISA used: <None>
	x86 feature used: x86
...
Breakpoint 1, __GI__dl_signal_error (errcode=22, 
    objname=0x407260 "/export/build/gnu/tools-build/glibc-cet/build-x86_64-linux/elf/tst-cet-legacy-mod-4.so", occation=0x7ffff77f48e2 "dlopen", 
    errstring=0x7ffff77f4d60 "shadow stack isn't enabled")
    at dl-error-skeleton.c:109
109	{
(gdb) f 1
#1  0x00007ffff77eaea4 in dl_cet_check (m=m@entry=0x4072c0, 
    program=program@entry=0x0) at ../sysdeps/x86/dl-cet.c:291
291			_dl_signal_error (EINVAL, l->l_name, "dlopen",
(gdb) 

It works for me.