From patchwork Mon Aug 12 19:15:51 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Weimer X-Patchwork-Id: 34064 Received: (qmail 65373 invoked by alias); 12 Aug 2019 19:16:00 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 65364 invoked by uid 89); 12 Aug 2019 19:15:59 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-18.4 required=5.0 tests=AWL, BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, SPF_HELO_PASS autolearn=ham version=3.3.1 spammy= X-HELO: mx1.redhat.com From: Florian Weimer To: libc-alpha@sourceware.org Cc: Carlos O'Donell , Paul Pluzhnikov Subject: [PATCH] elf: Self-dlopen failure with explict loader invocation [BZ #24900] Date: Mon, 12 Aug 2019 21:15:51 +0200 Message-ID: <87ftm6mbyw.fsf@oldenburg2.str.redhat.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux) MIME-Version: 1.0 In case of an explicit loader invocation, ld.so essentially performs a dlopen call to load the main executable. Since the pathname of the executable is known at this point, it gets stored in the link map. In regular mode, the pathname is not known and "" is used instead. As a result, if a program calls dlopen on the pathname of the main program, the dlopen call succeeds and returns a handle for the main map. This results in an unnecessary difference between glibc testing (without --enable-hardcoded-path-in-tests) and production usage. This commit discards the names when building the link map in _dl_new_object for the main executable, but it still determines the origin at this point in case of an explict loader invocation. The reason is that the specified pathname has to be used; the kernel has a different notion of the main executable. Tested on x86-64 with and without --enable-hardcoded-path-in-tests. 2019-08-12 Florian Weimer [BZ #24900] * elf/dl-object.c (_dl_new_object): Do not store pathnames in the new object in __RTLD_OPENEXEC mode (except for the origin). * elf/tst-dlopen-aout.c (check_dlopen_failure): New function with check for the error message. (do_test): Call it. Add check using relative path. diff --git a/elf/dl-object.c b/elf/dl-object.c index c3f5455ab4..e9520583cf 100644 --- a/elf/dl-object.c +++ b/elf/dl-object.c @@ -57,14 +57,30 @@ struct link_map * _dl_new_object (char *realname, const char *libname, int type, struct link_map *loader, int mode, Lmid_t nsid) { +#ifdef SHARED + unsigned int naudit; + if (__glibc_unlikely ((mode & __RTLD_OPENEXEC) != 0)) + { + assert (type == lt_executable); + assert (nsid == LM_ID_BASE); + + /* Ignore the specified libname for the main executable. It is + only known with an explicit loader invocation. */ + libname = ""; + + /* We create the map for the executable before we know whether + we have auditing libraries and if yes, how many. Assume the + worst. */ + naudit = DL_NNS; + } + else + naudit = GLRO (dl_naudit); +#endif + size_t libname_len = strlen (libname) + 1; struct link_map *new; struct libname_list *newname; #ifdef SHARED - /* We create the map for the executable before we know whether we have - auditing libraries and if yes, how many. Assume the worst. */ - unsigned int naudit = GLRO(dl_naudit) ?: ((mode & __RTLD_OPENEXEC) - ? DL_NNS : 0); size_t audit_space = naudit * sizeof (new->l_audit[0]); #else # define audit_space 0 @@ -91,8 +107,20 @@ _dl_new_object (char *realname, const char *libname, int type, and won't get dumped during core file generation. Therefore to assist gdb and to create more self-contained core files we adjust l_name to point at the newly allocated copy (which will get dumped) instead of - the ld.so rodata copy. */ - new->l_name = *realname ? realname : (char *) newname->name + libname_len - 1; + the ld.so rodata copy. + + Furthermore, in case of explicit loader invocation, discard the + name of the main executable, to match the regular behavior, where + name of the executable is not known. */ +#ifdef SHARED + if (*realname != '\0' && (mode & __RTLD_OPENEXEC) == 0) +#else + if (*realname != '\0') +#endif + new->l_name = realname; + else + new->l_name = (char *) newname->name + libname_len - 1; + new->l_type = type; /* If we set the bit now since we know it is never used we avoid dirtying the cache line later. */ @@ -149,7 +177,14 @@ _dl_new_object (char *realname, const char *libname, int type, new->l_local_scope[0] = &new->l_searchlist; - /* Don't try to find the origin for the main map which has the name "". */ + /* Determine the origin. If allocating the link map for the main + executable, the realname is not known and "". In this case, the + origin needs to be determined by other means. However, in case + of an explicit loader invocation, the pathname of the main + executable is known and needs to be processed here: From the + point of view of the kernel, the main executable is the + dynamic loader, and this would lead to a computation of the wrong + origin. */ if (realname[0] != '\0') { size_t realname_len = strlen (realname) + 1; diff --git a/elf/tst-dlopen-aout.c b/elf/tst-dlopen-aout.c index 25cfe2f740..a799fbc2cc 100644 --- a/elf/tst-dlopen-aout.c +++ b/elf/tst-dlopen-aout.c @@ -1,7 +1,8 @@ -/* Test case for BZ #16634. +/* Test case for BZ #16634 and BZ#24899. Verify that incorrectly dlopen()ing an executable without - __RTLD_OPENEXEC does not cause assertion in ld.so. + __RTLD_OPENEXEC does not cause assertion in ld.so, and that it + actually results in an error. Copyright (C) 2014-2019 Free Software Foundation, Inc. This file is part of the GNU C Library. @@ -24,6 +25,8 @@ #include #include #include +#include +#include #include #include @@ -35,28 +38,35 @@ fn (void *p) return p; } +/* Call dlopen on PATH and check that fails with an error message + indicating an attempt to open an ET_EXEC or PIE object. */ +static void +check_dlopen_failure (const char *path) +{ + void *handle = dlopen (path, RTLD_LAZY); + if (handle != NULL) + FAIL_EXIT1 ("dlopen succeeded unexpectedly: %s", path); + + const char *message = dlerror (); + TEST_VERIFY_EXIT (message != NULL); + if ((strstr (message, + "cannot dynamically load position-independent executable") + == NULL) + && strstr (message, "cannot dynamically load executable") == NULL) + FAIL_EXIT1 ("invalid dlopen error message: \"%s\"", message); +} + static int do_test (int argc, char *argv[]) { int j; - /* Use the full path so that the dynamic loader does not recognize - the main program as already loaded (even with an explicit ld.so - invocation). */ - char *path = xasprintf ("%s/%s", support_objdir_root, "tst-dlopen-aout"); - printf ("info: dlopen object: %s\n", path); - for (j = 0; j < 100; ++j) { pthread_t thr; - void *p; - p = dlopen (path, RTLD_LAZY); - if (p != NULL) - { - puts ("error: dlopen succeeded unexpectedly"); - return 1; - } + check_dlopen_failure (argv[0]); + /* We create threads to force TLS allocation, which triggers the original bug i.e. running out of surplus slotinfo entries for TLS. */ @@ -64,7 +74,9 @@ do_test (int argc, char *argv[]) xpthread_join (thr); } - free (path); + /* The elf subdirectory is on the library search path. */ + check_dlopen_failure ("tst-dlopen-aout"); + return 0; }