Bug 25087 - ldconfig mishandles unusual .dynstr placement
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: dynamic-link
Version: 2.30
Importance: P2 normal
Target Milestone: 2.31
Assignee: Not yet assigned to anyone
Duplicates: 23964
Reported: 2019-10-09 15:44 UTC by Andreas Schwab
Modified: 2020-04-07 15:54 UTC

fweimer: security-


Description Andreas Schwab 2019-10-09 15:44:57 UTC
This library is mishandled by ldconfig, because .dynstr is located in a separate LOAD segment, with a load offset different from the first LOAD segment:

Elf file type is DYN (Shared object file)
Entry point 0x2280
There are 10 program headers, starting at offset 241664

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000001a68 0x0000000000001a68  R      0x1000
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x10
  NOTE           0x0000000000000238 0x0000000000000238 0x0000000000000238
                 0x0000000000000024 0x0000000000000024  R      0x4
  LOAD           0x0000000000002000 0x0000000000002000 0x0000000000002000
                 0x0000000000001201 0x0000000000001201  R E    0x1000
  LOAD           0x0000000000004000 0x0000000000004000 0x0000000000004000
                 0x0000000000000eb8 0x0000000000000eb8  R      0x1000
  GNU_EH_FRAME   0x00000000000048d8 0x00000000000048d8 0x00000000000048d8
                 0x0000000000000134 0x0000000000000134  R      0x4
  LOAD           0x0000000000005c68 0x0000000000006c68 0x0000000000006c68
                 0x00000000000003e8 0x0000000000000408  RW     0x1000
  GNU_RELRO      0x0000000000005c68 0x0000000000006c68 0x0000000000006c68
                 0x0000000000000398 0x0000000000000398  R      0x1
  LOAD           0x000000000003b000 0x0000000000008000 0x0000000000008000
                 0x0000000000000e80 0x0000000000000e80  RW     0x1000
  DYNAMIC        0x000000000003b230 0x0000000000008230 0x0000000000008230
                 0x0000000000000220 0x0000000000000220  RW     0x8

 Section to Segment mapping:
  Segment Sections...
   00     .note.gnu.build-id .hash .gnu.hash .dynsym .gnu.version .gnu.version_r .rela.dyn .rela.plt 
   01     
   02     .note.gnu.build-id 
   03     .init .plt .plt.got .text .fini 
   04     .rodata .eh_frame_hdr .eh_frame 
   05     .eh_frame_hdr 
   06     .init_array .fini_array .got .data .bss 
   07     .init_array .fini_array .got 
   08     .dynamic .dynstr 
   09     .dynamic
Comment 1 Sourceware Commits 2019-10-16 14:35:52 UTC
The master branch has been updated by Andreas Schwab <schwab@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=58e8f5fd2ba47b6dc47fd4d0a35e4175c7c87aaa

commit 58e8f5fd2ba47b6dc47fd4d0a35e4175c7c87aaa
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Oct 9 17:46:47 2019 +0200

    ldconfig: handle .dynstr located in separate segment (bug 25087)
    
    To determine the load offset of the DT_STRTAB section search for the
    segment containing it, instead of using the load offset of the first
    segment.
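
An added illustration of the fix described in the commit message above (not glibc's code): it maps a DT_STRTAB address to a file offset using the PT_LOAD entries from the readelf output in the description, once with the first segment's load offset and once by searching for the containing segment. The DT_STRTAB value 0x8450 and the function names are assumptions; the page does not give the .dynstr address.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>

/* PT_LOAD entries copied from the readelf output in the description. */
static const Elf64_Phdr sample_phdrs[] = {
  { .p_type = PT_LOAD, .p_offset = 0x0,     .p_vaddr = 0x0,    .p_filesz = 0x1a68 },
  { .p_type = PT_LOAD, .p_offset = 0x2000,  .p_vaddr = 0x2000, .p_filesz = 0x1201 },
  { .p_type = PT_LOAD, .p_offset = 0x4000,  .p_vaddr = 0x4000, .p_filesz = 0xeb8 },
  { .p_type = PT_LOAD, .p_offset = 0x5c68,  .p_vaddr = 0x6c68, .p_filesz = 0x3e8 },
  { .p_type = PT_LOAD, .p_offset = 0x3b000, .p_vaddr = 0x8000, .p_filesz = 0xe80 },
};
#define SAMPLE_PHNUM (sizeof sample_phdrs / sizeof sample_phdrs[0])

/* Constructed value: the page does not give the .dynstr address, only that
   it sits in the last LOAD segment, listed after .dynamic (0x8230 + 0x220). */
#define SAMPLE_DT_STRTAB 0x8450

/* Behaviour the commit message replaces: apply the first LOAD segment's
   load offset (p_vaddr - p_offset) to every address. */
static uint64_t strtab_off_first_load(const Elf64_Phdr *ph, size_t n, uint64_t addr)
{
  for (size_t i = 0; i < n; i++)
    if (ph[i].p_type == PT_LOAD)
      return addr - (ph[i].p_vaddr - ph[i].p_offset);
  return UINT64_MAX;
}

/* Approach named in the commit message: find the LOAD segment whose
   file-backed range contains the address. Returns UINT64_MAX if none does,
   so a caller can reject the file instead of reading at a bogus offset. */
static uint64_t strtab_off_by_segment(const Elf64_Phdr *ph, size_t n, uint64_t addr)
{
  for (size_t i = 0; i < n; i++)
    if (ph[i].p_type == PT_LOAD && addr >= ph[i].p_vaddr
        && addr - ph[i].p_vaddr < ph[i].p_filesz)
      return addr - ph[i].p_vaddr + ph[i].p_offset;
  return UINT64_MAX;
}

int main(void)
{
  printf("first-LOAD offset:         %#llx\n", (unsigned long long)
         strtab_off_first_load(sample_phdrs, SAMPLE_PHNUM, SAMPLE_DT_STRTAB));
  printf("containing-segment offset: %#llx\n", (unsigned long long)
         strtab_off_by_segment(sample_phdrs, SAMPLE_PHNUM, SAMPLE_DT_STRTAB));
  return 0;
}
```

With this layout the first LOAD segment has a load offset of zero, so the first function returns the virtual address unchanged, while the string table's bytes actually live 0x33000 further into the file.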
Comment 2 Andreas Schwab 2019-10-16 14:36:31 UTC
Fixed in 2.31.
Comment 3 Florian Weimer 2020-04-07 15:54:20 UTC
*** Bug 23964 has been marked as a duplicate of this bug. ***