Bug 3924 - LD_AUDIT implementation causing process segfaulting
Summary: LD_AUDIT implementation causing process segfaulting
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.4
Importance: P1 normal
Target Milestone: ---
Assignee: Ulrich Drepper
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-01-25 21:49 UTC by Jiri Olsa
Modified: 2018-04-20 14:03 UTC

See Also:
Host:
Target: x86
Build:
Last reconfirmed:
fweimer: security-


Attachments
example code (391 bytes, text/plain)
2007-04-17 22:05 UTC, Jiri Olsa

Description Jiri Olsa 2007-01-25 21:49:04 UTC
There's a bug in the sysdeps/i386/dl-trampoline.S _dl_runtime_profile function
that makes the process segfault. Under some conditions the 'edi' and 'esi' registers
are restored to wrong values. IMHO this could be fixed like this:

Index: sysdeps/i386/dl-trampoline.S
===================================================================
RCS file: /cvs/glibc/libc/sysdeps/i386/dl-trampoline.S,v
retrieving revision 1.2
diff -r1.2 dl-trampoline.S
116d115
<       andl $0xfffffff0, %edi  # Align stack
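
Review bot: Removing the `andl $0xfffffff0, %edi` alignment is not the right fix: per Comment 1 the alignment is required and the unwind information for this frame is written against it, so dropping it changes the frame layout the unwinder expects (and the patch was rejected in Comment 3). The defect described in the report is that %edi and %esi are pushed before the alignment and then restored from the wrong place once the stack really is aligned; the fix belongs in where those two registers are restored from, with the alignment left in place.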

edi and esi registers are pushed on stack before it is aligned. In case it is
really aligned those registers won't be restored properly. I tried the fix and it
is working for me. I don't know the reason for aligning the stack here, so
hopefully I'm not missing something... :)

I'm running the 2.4 version, but it seems it is an issue in current sources as well.

regards
Jiri Olsa
Comment 1 Ulrich Drepper 2007-02-17 07:18:23 UTC
Provide example code.  As I wrote on the list already, I don't see anything
wrong.  The alignment is needed and is correctly expressed for the unwinder.
Comment 2 Jiri Olsa 2007-04-17 22:05:01 UTC
Created attachment 1726 [details]
example code

create a shared library 'libaudit.so' from the source and run:

LD_AUDIT=<PATH>/libaudit.so /bin/ls

this segfaults for me most of the time
Comment 3 Ulrich Drepper 2007-08-24 02:58:32 UTC
Fixed in cvs.  Your patch is not correct.
Comment 4 Jiri Olsa 2007-08-27 20:20:06 UTC
The example code is still not working with the fixed libc code.

Regarding the framesizep output argument of the la_i86_gnu_pltenter function:

If there's a framesizep set to any value but zero, the ls binary will segfault.
If there's a framesizep set to zero value, the ls binary will run without errors.

Does the example code work ok for you?
Comment 5 Ulrich Drepper 2007-10-07 05:32:18 UTC
There was another little bug in the code which I fixed.  But an equally bad bug
is that your test module is requesting too large stack frames.  Unless I reduced
the size to something more reasonable the copy operation will sometimes/often
segfault.  Current cvs has all the changes.
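Added example, not the attachment from this bug (which is not reproduced on the page) and not glibc's own code: a minimal LD_AUDIT module built around the hooks the thread names, illustrating the framesizep point of Comment 4 (zero works) and the frame-size caution of Comment 5. The helper audit_pltenter and the constant AUDIT_FRAME_SIZE are mine; build with `gcc -shared -fPIC -o libaudit.so audit.c` and run it as in Comment 2.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>

/* Value stored through *framesizep.  Zero asks ld.so to copy no bytes of
   the caller's frame for la_pltexit, the setting Comment 4 reports as
   working; a nonzero value is the frame copy Comment 5 says must stay small. */
#define AUDIT_FRAME_SIZE 0L
/* Hypothetical shared body for the pltenter hook: log the call, set the
   frame size and return the target address unchanged.  */
uintptr_t audit_pltenter(uintptr_t target, const char *symname,
                         long int *framesizep)
{
    fprintf(stderr, "pltenter: %s -> %#lx\n", symname, (unsigned long)target);
    *framesizep = AUDIT_FRAME_SIZE;
    return target;
}

/* Mandatory: report the audit interface version this module speaks.  */
unsigned int la_version(unsigned int version)
{
    (void)version;
    return LAV_CURRENT;
}

/* Audit every object as caller and callee; without these flags ld.so never
   routes that object's PLT calls through the pltenter hook.  */
unsigned int la_objopen(struct link_map *map, Lmid_t lmid, uintptr_t *cookie)
{
    (void)lmid;
    *cookie = (uintptr_t)map;
    fprintf(stderr, "objopen: %s\n",
            (map->l_name && *map->l_name) ? map->l_name : "<main program>");
    return LA_FLG_BINDTO | LA_FLG_BINDFROM;
}
#if defined(__i386__)
/* The i386 entry point this bug is about; on x86-64 the equivalent hook is
   la_x86_64_gnu_pltenter with La_x86_64_regs.  */
Elf32_Addr la_i86_gnu_pltenter(Elf32_Sym *sym, unsigned int ndx,
                               uintptr_t *refcook, uintptr_t *defcook,
                               La_i86_regs *regs, unsigned int *flags,
                               const char *symname, long int *framesizep)
{
    (void)ndx; (void)refcook; (void)defcook; (void)regs; (void)flags;
    return (Elf32_Addr)audit_pltenter(sym->st_value, symname, framesizep);
}
#endif
```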