27499 – segfault on static ldconfig with LD_LIBRARY_PATH='$LIB' or '$PLATFORM' 'or '$ORIGIN' since 2.18

Bug 27499 - segfault on static ldconfig with LD_LIBRARY_PATH='$LIB' or '$PLATFORM' 'or '$ORIGIN' since 2.18

Summary: segfault on static ldconfig with LD_LIBRARY_PATH='$LIB' or '$PLATFORM' 'or '$...

Status:	RESOLVED DUPLICATE of bug 23462

Alias:	None

Product:	glibc
Classification:	Unclassified
Component:	libc (show other bugs)
Version:	2.34

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-03-02 18:11 UTC by Adrien Mahieux
Modified:	2021-03-03 03:34 UTC (History)
CC List:	2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Flags:	fweimer: security-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Adrien Mahieux 2021-03-02 18:11:10 UTC

We have a segfault when setting LD_LIBRARY_PATH to a special value $LIB $ORIGIN or $PLATFORM. Any other value is ignored.

This was working fine on RHEL7 (glibc 2.17) but is starting to fail starting 2.18 or 2.19 up to current version.

Issue is reproducible on all tested distribution (debian, rhel, fedora..) and can be triggered with:

  LD_LIBRARY_PATH='$LIB' ldconfig



# Build latest version using:
git clone git://sourceware.org/git/glibc.git
mkdir glibc-build && cd glibc-build
../glibc/configure --disable-sanity-checks
make -j
LD_LIBRARY_PATH='$LIB' ./elf/ldconfig -p



Stacktrace:

(gdb) info stack 
#0  0x000000000049032b in expand_dynamic_string_token (l=0x0, input=0x7ffe35525c60 "$LIB") at dl-load.c:400
#1  0x0000000000490442 in fillin_rpath (rpath=<optimized out>, rpath@entry=0x7ffe35525c60 "$LIB", result=0x14c65e0, sep=sep@entry=0x4c5f10 ":;", what=what@entry=0x4b1ac9 "LD_LIBRARY_PATH", 
    where=where@entry=0x0, l=l@entry=0x0) at dl-load.c:465
#2  0x000000000049094f in _dl_init_paths (llp=<optimized out>, source=0x4b1ac9 "LD_LIBRARY_PATH", glibc_hwcaps_prepend=<optimized out>, glibc_hwcaps_mask=<optimized out>) at dl-load.c:825
#3  0x00000000004648e2 in _dl_non_dynamic_init () at dl-support.c:344
#4  0x0000000000465b96 in __libc_init_first (argc=2, argv=0x7ffe35525f58, envp=0x7ffe35525f70) at init-first.c:68
#5  0x00000000004094b4 in __libc_start_main_impl (main=0x4016f0 <main>, argc=2, argv=0x7ffe35525f58, init=<optimized out>, fini=<optimized out>, rtld_fini=0x0, stack_end=0x7ffe35525f48)
    at ../csu/libc-start.c:362
#6  0x0000000000401cb1 in _start () at ../sysdeps/x86_64/start.S:116


Issue seems to be in elf/dl-load.c::_dl_init_paths, where 'llp="$LIB" and *l=NULL. then null pointer is propagated.

Comment 1 Adrien Mahieux 2021-03-02 19:00:15 UTC

Looks like this was reported in:
- Fedora 28 (https://bugzilla.redhat.com/show_bug.cgi?id=1609351)
- Fedora 33 (https://bugzilla.redhat.com/show_bug.cgi?id=1715110) 

it was said to be reported upstream, but I can't find any related ticket here.

Comment 2 Florian Weimer 2021-03-03 03:34:04 UTC

There's a reference to the upstream bug in the Links section of the first (glibc) bug.

*** This bug has been marked as a duplicate of bug 23462 ***