load_audit_module attempts to initialize the GL (dl_rtld_map).l_audit array, but uses the unrelated audit function index cnt for that, not the slot index for the audit module. /* Store the pointer. */ if (err_str == NULL && largs.result != NULL) { newp->fptr[cnt] = largs.result; /* The dynamic linker link map is statically allocated, initialize the data now. */ GL(dl_rtld_map).l_audit[cnt].cookie = (intptr_t) &GL(dl_rtld_map); } else newp->fptr[cnt] = NULL; ++cnt; Found while trying to fix bug 25097, but not actually related to the l_audit zero-length array. I think this is a bug present in the original implementation. It was not introduced in the load_audit_module refactoring.
The master branch has been updated by Florian Weimer <fw@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c7bf5ceab6ec776ac7350d3b0190776bf532ac54 commit c7bf5ceab6ec776ac7350d3b0190776bf532ac54 Author: Florian Weimer <fweimer@redhat.com> Date: Sat Nov 2 21:55:35 2019 +0100 Properly initialize audit cookie for the dynamic loader [BZ #25157] The l_audit array is indexed by audit module, not audit function. Change-Id: I180eb3573dc1c57433750f5d8cb18271460ba5f2
Fixed in glibc 2.31.