Bug 3924

Summary: LD_AUDIT implementation causing process to segfault
Product: glibc
Reporter: Jiri Olsa <olsajiri>
Component: libc
Assignee: Ulrich Drepper <drepper.fsp>
Status: RESOLVED FIXED
Severity: normal
CC: glibc-bugs
Priority: P1
Flags: fweimer: security-
Version: 2.4
Target Milestone: ---
Host:
Target: x86
Build:
Last reconfirmed:
Attachments: example code

Description Jiri Olsa 2007-01-25 21:49:04 UTC
There's a bug in the sysdeps/i386/dl-trampoline.S _dl_runtime_profile function
making the process segfault. Under some conditions the 'edi' and 'esi' registers
are restored to wrong values. IMHO this could be fixed like this:

Index: sysdeps/i386/dl-trampoline.S
===================================================================
RCS file: /cvs/glibc/libc/sysdeps/i386/dl-trampoline.S,v
retrieving revision 1.2
diff -r1.2 dl-trampoline.S
116d115
<       andl $0xfffffff0, %edi  # Align stack
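Review bot: deleting the `andl $0xfffffff0, %edi` line removes the stack alignment instead of fixing the restore of %edi and %esi. Since the description says both registers are pushed before the alignment, the restore should read them back relative to the pre-alignment frame (the original %esp kept in a saved register or frame pointer) while the `andl` stays, because the code the trampoline calls into may rely on the aligned stack the comment documents.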

edi and esi registers are pushed on stack before it is aligned. In case it is
really aligned those registers won't be restored properly. I tried the fix and it
is working for me. I don't know the reason for aligning the stack here, so
hopefully I'm not missing something... :)

I'm running the 2.4 version, but it seems it is an issue in current sources as well.

regards
Jiri Olsa
Comment 1 Ulrich Drepper 2007-02-17 07:18:23 UTC
Provide example code.  As I wrote on the list already, I don't see anything
wrong.  The alignment is needed and is correctly expressed for the unwinder.
Comment 2 Jiri Olsa 2007-04-17 22:05:01 UTC
Created attachment 1726 [details]
example code

Create a shared library 'libaudit.so' from the source and run:

LD_AUDIT=<PATH>/libaudit.so /bin/ls

this segfaults for me most of the time
Comment 3 Ulrich Drepper 2007-08-24 02:58:32 UTC
Fixed in cvs.  Your patch is not correct.
Comment 4 Jiri Olsa 2007-08-27 20:20:06 UTC
The example code is still not working with the fixed libc code.

Regarding the framesizep output argument of the la_i86_gnu_pltenter function:

If framesizep is set to any value but zero, the ls binary will segfault.
If framesizep is set to zero, the ls binary will run without errors.

Does the example code work ok for you?
Comment 5 Ulrich Drepper 2007-10-07 05:32:18 UTC
There was another little bug in the code which I fixed.  But an equally bad bug
is that your test module is requesting too large stack frames.  Unless I reduced
the size to something more reasonable, the copy operation will sometimes/often
segfault.  Current cvs has all the changes.
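An LD_AUDIT module of the kind this thread exercises, added here as an example and not the attachment from the report: its la_i86_gnu_pltenter sets *framesizep only to the bytes the callee's arguments occupy, which is the point behind comment 4's framesizep observations and comment 5's "too large stack frames". The frame_bytes_for helper, its symbol table and the build line are assumptions of this example, not from the page.

```c
/* Minimal LD_AUDIT module with the i386 PLT-enter hook.  Added example, not the
   attachment from this report.  Assumed build/run lines:
   gcc -m32 -shared -fPIC -o libaudit.so audit.c ; LD_AUDIT=$PWD/libaudit.so /bin/ls */
#define _GNU_SOURCE 1
#include <link.h>
#include <stdio.h>
#include <string.h>
/* Bytes of outgoing arguments a few libc calls occupy on the i386 stack
   (four-byte slots, nothing in registers).  Constructed table for this example. */
static const struct { const char *name; long bytes; } frame_table[] = {
    { "strlen", 4 }, { "strcmp", 8 }, { "memcpy", 12 }, { "fwrite", 16 },
};

/* Frame size to request for SYMNAME: exactly the callee's argument bytes, or -1
   for "leave *framesizep alone".  Requesting more than the arguments occupy makes
   the trampoline copy past the live argument area (comment 5's crash). */
long frame_bytes_for(const char *symname)
{
    for (size_t i = 0; i < sizeof frame_table / sizeof frame_table[0]; i++)
        if (strcmp(frame_table[i].name, symname) == 0)
            return frame_table[i].bytes;
    return -1;
}

unsigned int la_version(unsigned int version)
{
    (void)version;
    return LAV_CURRENT;             /* interface handshake with ld.so */
}

unsigned int la_objopen(struct link_map *map, Lmid_t lmid, uintptr_t *cookie)
{
    (void)map; (void)lmid; (void)cookie;
    return LA_FLG_BINDTO | LA_FLG_BINDFROM;   /* let the PLT-enter hook fire */
}
#ifdef __i386__   /* the hook this bug is about; x86-64 has la_x86_64_gnu_pltenter */
Elf32_Addr la_i86_gnu_pltenter(Elf32_Sym *sym, unsigned int ndx, uintptr_t *refcook,
                               uintptr_t *defcook, La_i86_regs *regs,
                               unsigned int *flags, const char *symname,
                               long int *framesizep)
{
    (void)ndx; (void)refcook; (void)defcook; (void)regs; (void)flags;
    long bytes = frame_bytes_for(symname);
    if (bytes >= 0)
        *framesizep = bytes;        /* 0 is legal: enables la_pltexit, copies nothing */
    fprintf(stderr, "pltenter %s framesize=%ld\n", symname, bytes);
    return sym->st_value;           /* keep the original call target */
}
#endif
```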