This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug dynamic-link/13823] New: Bogus LD_AUDIT can cause target binary to segfault

             Bug #: 13823
           Summary: Bogus LD_AUDIT can cause target binary to segfault
           Product: glibc
           Version: 2.15
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
    Classification: Unclassified

Specifying an invalid LD_AUDIT file can cause the target application to

First, you want the target program you're using to do something like setlocale
right after it starts.  /bin/true and /bin/false are good for this purpose.

Second, prelinking is necessary; I don't know why yet, but it was definitely
necessary to run a prelink -a after updating to trigger the behaviour.

Third, the auditing bits must be bogus, preferably a non-existent file.

So, something like

LD_AUDIT=/blah /bin/true

Where /blah does not exist turns out to be a good reproducer.

>From what I've been able to put together, when LD_AUDIT is specified we call
init_tls earlier than normal:

 /* If we have auditing DSOs to load, do it now.  */
  if (__builtin_expect (audit_list != NULL, 0))
      /* Iterate over all entries in the list.  The order is important.  */
      struct audit_ifaces *last_audit = NULL;
      struct audit_list *al = audit_list->next;

      /* Since we start using the auditing DSOs right away we need to
         initialize the data structures now.  */
      tcbp = init_tls ();

 /* Load all the libraries specified by DT_NEEDED entries.  If LD_PRELOAD
     specified some libraries to load, these are inserted before the actual
     dependencies in the executable's searchlist for symbol resolution.  */
  HP_TIMING_NOW (start);
  _dl_map_object_deps (main_map, preloads, npreloads, mode == trace, 0);
  HP_TIMING_NOW (stop);
  HP_TIMING_DIFF (diff, start, stop);
  HP_TIMING_ACCUM_NT (load_time, diff);

 /* We do not initialize any of the TLS functionality unless any of the
     initial modules uses TLS.  This makes dynamic loading of modules with
     TLS impossible, but to support it requires either eagerly doing setup
     now or lazily doing it later.  Doing it now makes us incompatible with
     an old kernel that can't perform TLS_INIT_TP, even if no TLS is ever
     used.  Trying to do it lazily is too hairy to try when there could be
     multiple threads (from a non-TLS-using libpthread).  */
  bool was_tls_init_tp_called = tls_init_tp_called;
  if (tcbp == NULL)
    tcbp = init_tls ();

At the earlier init_tls call we haven't seen a DSO with TLS bits.  As a result
init_tls & eventually dl_allocate_tls_init have nothing interesting to do.  The
result being the TLS bits in aren't initialized and all hell breaks
loose in the locale bits as the thread local variables aren't properly

Ideally if the auditing module is bogus we should just ignore it and the
application should run normally.  Segfaulting is, umm, bad.

I pondered delaying the first init_tls call until we know the auditing module
is loadable, but I'm concerned that's simply too late.

Configure bugmail:
------- You are receiving this mail because: -------
You are on the CC list for the bug.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]