23810 – dl-close: if dl-load procedure failed, dl-close doesn't delete the half-cooked objects with DF_1_NODELETE

Bug 23810 - dl-close: if dl-load procedure failed, dl-close doesn't delete the half-cooked objects with DF_1_NODELETE

Summary: dl-close: if dl-load procedure failed, dl-close doesn't delete the half-cooke...

Status:	RESOLVED DUPLICATE of bug 20839

Alias:	None

Product:	glibc
Classification:	Unclassified
Component:	dynamic-link (show other bugs)
Version:	unspecified

Importance:	P2 critical
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-10-23 14:14 UTC by Daming Yang
Modified:	2018-10-23 18:59 UTC (History)
CC List:	1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:	2018-10-23 00:00:00

Flags:	fweimer: security-

Attachments
Shell script to reproduce the bug (470 bytes, application/x-shellscript) 2018-10-23 14:14 UTC, Daming Yang	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daming Yang 2018-10-23 14:14:11 UTC

Created attachment 11361 [details]
Shell script to reproduce the bug

This will happen when a program loads a plugin linked against DF_1_NODELETE shared objects (e.g. /usr/lib/libglib-2.0.so in my computer) and then failed in initialisation progress (phase?) because of, for example, missing some other shared objects. The half-cooked shared objects will be still in link_map chains.

Now, consider another normal object is being loaded, ld.so will try to resolve their symbols in the chains and crash because libglib-2.0.so had not been relocated and many fields remain uninitialised. In fact, it crashes in many ways.

In short, even a object is marked as NODELETE, if it has not been completely "loaded", it should be deleted.

(A simple reproduce script is attached, you will need a C compiler. Tested on Arch Linux, Ubuntu 18.04, AOSC OS)

I am willing to propose a patch in /elf/dl-... but I am not sure about the workflow here.

Comment 1 Florian Weimer 2018-10-23 16:00:11 UTC

Would you please review bug 20839 and check if it's the same issue?  Thanks.

Comment 2 Daming Yang 2018-10-23 18:59:04 UTC

(In reply to Florian Weimer from comment #1)
> Would you please review bug 20839 and check if it's the same issue?  Thanks.

Yes, I think they are exactly the same.

*** This bug has been marked as a duplicate of bug 20839 ***