Bug 9733 - Multiple dynamic linker (RTLD) audit libraries fails
Summary: Multiple dynamic linker (RTLD) audit libraries fails
Alias: None
Product: glibc
Classification: Unclassified
Component: libc (show other bugs)
Version: 2.8
: P2 normal
Target Milestone: ---
Assignee: Ulrich Drepper
Depends on:
Reported: 2009-01-12 04:52 UTC by Michael Kerrisk
Modified: 2017-06-06 08:07 UTC (History)
2 users (show)

See Also:
Last reconfirmed:
fweimer: security-

test program (1.02 KB, text/plain)
2009-01-12 04:58 UTC, Michael Kerrisk

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Kerrisk 2009-01-12 04:52:54 UTC
Although the glibc source code suggests that it is possible to (and the Solaris
implementation permits) have multiple dynamic linker auditing libraries, this
feature does not appear to work correctly as currently implemented.  My attempts
to do this yield a SIGSEGV.
Comment 1 Michael Kerrisk 2009-01-12 04:58:35 UTC
Created attachment 3657 [details]
test program

Below, two uses of an auditing library created from the attached source file. 
In the first run, the .so is assigned just once to LD_AUDIT.  In the second
run, the .so is assigned twice to LD_AUDIT, as a colon-separated list (leading
to a SIGSEGV).

$ cc -g -shared -fPIC -o audit.so audit.c
$ LD_AUDIT=./audit.so  /bin/true
la_version(): 1
la_objopen(): loading ""; lmid = LM_ID_BASE; cookie=b7f5f8d0
la_objopen(): loading "/lib/ld-linux.so.2"; lmid = LM_ID_BASE; cookie=b7f5f4f0
la_activity(): cookie = b7f5f8d0; flag = LA_ACT_ADD
la_objsearch(): name = libc.so.6; cookie = b7f5f8d0; flag = LA_SER_ORIG
la_objsearch(): name = /lib/libc.so.6; cookie = b7f5f8d0; flag = LA_SER_CONFIG
la_objopen(): loading "/lib/libc.so.6"; lmid = LM_ID_BASE; cookie=b7f41ad8
la_activity(): cookie = b7f5f8d0; flag = LA_ACT_CONSISTENT
la_symbind32(): symname = __libc_start_main; sym->st_value = 0xb7c96510
	ndx = 2149; flags = 0x0; refcook = b7f5f8d0; defcook = b7f41ad8

$ LD_AUDIT=./audit.so:./audit.so  /bin/true
la_version(): 1
la_objsearch(): name = ./audit.so; cookie = 250; flag = LA_SER_ORIG
Segmentation fault (core dumped)
Comment 2 Michael Kerrisk 2009-01-12 05:02:50 UTC
By contrast, using a version of my audit.c library twice in a colon-separated
library on Solaris 8 does what I would expect (i.e., the audit functions are
called twice, once for each item listed in LD_AUDIT):

$ gcc -g -shared -fPIC -o audit.so audit.c
$ LD_AUDIT=./audit.so:./audit.so /bin/date
la_version(): 2
la_objopen(): loading "/bin/date"; cookie=ff3712f0
la_objopen(): loading "/bin/date"; cookie=ff3712fc
la_activity(): LA_ACT_ADD; cookie = ff3712f0
la_activity(): LA_ACT_ADD; cookie = ff3712f0
la_objsearch(): libc.so.1; ff3712f0; 1
la_objsearch(): libc.so.1; ff3712f0; 1
la_objsearch(): /usr/lib/libc.so.1; ff3712f0; 40
la_objsearch(): /usr/lib/libc.so.1; ff3712f0; 40
la_objopen(): loading "/usr/lib/libc.so.1"; cookie=ff3716d4
la_objopen(): loading "/usr/lib/libc.so.1"; cookie=ff3716e0
la_objsearch(): libdl.so.1; ff3716d4; 1
la_objsearch(): libdl.so.1; ff3716d4; 1
la_objsearch(): /usr/lib/libdl.so.1; ff3716d4; 40
la_objsearch(): /usr/lib/libdl.so.1; ff3716d4; 40
la_objopen(): loading "/usr/lib/libdl.so.1"; cookie=ff371a1c
la_objopen(): loading "/usr/lib/libdl.so.1"; cookie=ff371a28
Comment 3 Ulrich Drepper 2009-03-16 02:16:36 UTC
Fixed in cvs.
Comment 4 Florian Weimer 2017-06-06 08:07:13 UTC
Fixed with:

commit 2ca285b098890abde89fc79bbaf69432b14f18d1
Author: Ulrich Drepper <drepper@redhat.com>
Date:   Mon Mar 16 02:16:30 2009 +0000