From 6aee09b49d8eaaf726249ff97b0107e5d7c8e87f Mon Sep 17 00:00:00 2001 From: Sdrkun Date: Mon, 25 Jan 2021 22:13:52 +0800 Subject: [PATCH 1/2] elf: Allow dlopen of filter object to work [BZ #16272] --- ...en-of-filter-object-to-work-BZ-16272.patch | 537 ++++++++++++++++++ glibc.spec | 7 +- 2 files changed, 543 insertions(+), 1 deletion(-) create mode 100644 backport-elf-Allow-dlopen-of-filter-object-to-work-BZ-16272.patch diff --git a/backport-elf-Allow-dlopen-of-filter-object-to-work-BZ-16272.patch b/backport-elf-Allow-dlopen-of-filter-object-to-work-BZ-16272.patch new file mode 100644 index 0000000..3e577a0 --- /dev/null +++ b/backport-elf-Allow-dlopen-of-filter-object-to-work-BZ-16272.patch @@ -0,0 +1,537 @@ +From eb447b7b4bd6177f876ba9420ad9e048c27bae91 Mon Sep 17 00:00:00 2001 +From: David Kilroy +Date: Wed, 12 Feb 2020 14:28:15 -0300 +Subject: [PATCH] elf: Allow dlopen of filter object to work [BZ #16272] + +There are two fixes that are needed to be able to dlopen filter +objects. First _dl_map_object_deps cannot assume that map will be at +the beginning of l_searchlist.r_list[], as filtees are inserted before +map. Secondly dl_open_worker needs to ensure that filtees get +relocated. + +In _dl_map_object_deps: + +* avoiding removing relocation dependencies of map by setting + l_reserved to 0 and otherwise processing the rest of the search + list. + +* ensure that map remains at the beginning of l_initfini - the list + of things that need initialisation (and destruction). Do this by + splitting the copy up. This may not be required, but matches the + initialization order without dlopen. + +Modify dl_open_worker to relocate the objects in new->l_inifini. +new->l_initfini is constructed in _dl_map_object_deps, and lists the +objects that need initialization and destruction. Originally the list +of objects in new->l_next are relocated. All of these objects should +also be included in new->l_initfini (both lists are populated with +dependencies in _dl_map_object_deps). We can't use new->l_prev to pick +up filtees, as during a recursive dlopen from an interposed malloc +call, l->prev can contain objects that are not ready for relocation. + +Add tests to verify that symbols resolve to the filtee implementation +when auxiliary and filter objects are used, both as a normal link and +when dlopen'd. + +Tested by running the testsuite on x86_64. +--- + elf/Makefile | 18 ++++++++++++++++-- + elf/dl-deps.c | 39 ++++++++++++++++++++++++++++---------- + elf/dl-open.c | 11 +++++++---- + elf/tst-auxobj-dlopen.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++ + elf/tst-auxobj.c | 42 +++++++++++++++++++++++++++++++++++++++++ + elf/tst-filterobj-aux.c | 33 ++++++++++++++++++++++++++++++++ + elf/tst-filterobj-dlopen.c | 39 ++++++++++++++++++++++++++++++++++++++ + elf/tst-filterobj-filtee.c | 27 ++++++++++++++++++++++++++ + elf/tst-filterobj-filtee.h | 24 +++++++++++++++++++++++ + elf/tst-filterobj-flt.c | 27 ++++++++++++++++++++++++++ + elf/tst-filterobj.c | 36 +++++++++++++++++++++++++++++++++++ + 11 files changed, 327 insertions(+), 16 deletions(-) + create mode 100644 elf/tst-auxobj-dlopen.c + create mode 100644 elf/tst-auxobj.c + create mode 100644 elf/tst-filterobj-aux.c + create mode 100644 elf/tst-filterobj-dlopen.c + create mode 100644 elf/tst-filterobj-filtee.c + create mode 100644 elf/tst-filterobj-filtee.h + create mode 100644 elf/tst-filterobj-flt.c + create mode 100644 elf/tst-filterobj.c + +diff --git a/elf/Makefile b/elf/Makefile +index 27c6296..02c14e0 100644 +--- a/elf/Makefile ++++ b/elf/Makefile +@@ -195,7 +195,8 @@ tests += restest1 preloadtest loadfail multiload origtest resolvfail \ + tst-tlsalign tst-tlsalign-extern tst-nodelete-opened \ + tst-nodelete2 tst-audit11 tst-audit12 tst-dlsym-error tst-noload \ + tst-latepthread tst-tls-manydynamic tst-nodelete-dlclose \ +- tst-debug1 tst-main1 tst-absolute-sym tst-absolute-zero tst-big-note ++ tst-debug1 tst-main1 tst-absolute-sym tst-absolute-zero tst-big-note \ ++ tst-filterobj tst-filterobj-dlopen tst-auxobj tst-auxobj-dlopen + # reldep9 + tests-internal += loadtest unload unload2 circleload1 \ + neededtest neededtest2 neededtest3 neededtest4 \ +@@ -282,7 +283,8 @@ modules-names = testobj1 testobj2 testobj3 testobj4 testobj5 testobj6 \ + tst-latepthreadmod $(tst-tls-many-dynamic-modules) \ + tst-nodelete-dlclose-dso tst-nodelete-dlclose-plugin \ + tst-main1mod tst-libc_dlvsym-dso tst-absolute-sym-lib \ +- tst-absolute-zero-lib tst-big-note-lib ++ tst-absolute-zero-lib tst-big-note-lib \ ++ tst-filterobj-flt tst-filterobj-aux tst-filterobj-filtee + + ifeq (yes,$(have-mtls-dialect-gnu2)) + tests += tst-gnu2-tls1 +@@ -1499,3 +1501,15 @@ tst-libc_dlvsym-static-ENV = \ + $(objpfx)tst-libc_dlvsym-static.out: $(objpfx)tst-libc_dlvsym-dso.so + + $(objpfx)tst-big-note: $(objpfx)tst-big-note-lib.so ++ ++LDFLAGS-tst-filterobj-flt.so = -Wl,--filter=$(objpfx)tst-filterobj-filtee.so ++$(objpfx)tst-filterobj: $(objpfx)tst-filterobj-flt.so ++$(objpfx)tst-filterobj-dlopen: $(libdl) ++$(objpfx)tst-filterobj.out: $(objpfx)tst-filterobj-filtee.so ++$(objpfx)tst-filterobj-dlopen.out: $(objpfx)tst-filterobj-filtee.so ++ ++LDFLAGS-tst-filterobj-aux.so = -Wl,--auxiliary=$(objpfx)tst-filterobj-filtee.so ++$(objpfx)tst-auxobj: $(objpfx)tst-filterobj-aux.so ++$(objpfx)tst-auxobj-dlopen: $(libdl) ++$(objpfx)tst-auxobj.out: $(objpfx)tst-filterobj-filtee.so ++$(objpfx)tst-auxobj-dlopen.out: $(objpfx)tst-filterobj-filtee.so +diff --git a/elf/dl-deps.c b/elf/dl-deps.c +index 5103a8a..0730ea9 100644 +--- a/elf/dl-deps.c ++++ b/elf/dl-deps.c +@@ -485,14 +485,18 @@ _dl_map_object_deps (struct link_map *map, + + map->l_searchlist.r_list = &l_initfini[nlist + 1]; + map->l_searchlist.r_nlist = nlist; ++ unsigned int map_index = UINT_MAX; + + for (nlist = 0, runp = known; runp; runp = runp->next) + { + if (__builtin_expect (trace_mode, 0) && runp->map->l_faked) + /* This can happen when we trace the loading. */ + --map->l_searchlist.r_nlist; +- else ++ else { ++ if (runp->map == map) ++ map_index = nlist; + map->l_searchlist.r_list[nlist++] = runp->map; ++ } + + /* Now clear all the mark bits we set in the objects on the search list + to avoid duplicates, so the next call starts fresh. */ +@@ -550,13 +554,14 @@ Filters not supported with LD_TRACE_PRELINKING")); + } + + /* Maybe we can remove some relocation dependencies now. */ +- assert (map->l_searchlist.r_list[0] == map); + struct link_map_reldeps *l_reldeps = NULL; + if (map->l_reldeps != NULL) + { +- for (i = 1; i < nlist; ++i) ++ for (i = 0; i < nlist; ++i) + map->l_searchlist.r_list[i]->l_reserved = 1; + ++ /* Avoid removing relocation dependencies of the main binary. */ ++ map->l_reserved = 0; + struct link_map **list = &map->l_reldeps->list[0]; + for (i = 0; i < map->l_reldeps->act; ++i) + if (list[i]->l_reserved) +@@ -581,16 +586,30 @@ Filters not supported with LD_TRACE_PRELINKING")); + } + } + +- for (i = 1; i < nlist; ++i) ++ for (i = 0; i < nlist; ++i) + map->l_searchlist.r_list[i]->l_reserved = 0; + } + +- /* Sort the initializer list to take dependencies into account. The binary +- itself will always be initialize last. */ +- memcpy (l_initfini, map->l_searchlist.r_list, +- nlist * sizeof (struct link_map *)); +- /* We can skip looking for the binary itself which is at the front of +- the search list. */ ++ /* Sort the initializer list to take dependencies into account. Always ++ initialize the binary itself last. */ ++ assert (map_index < nlist); ++ if (map_index > 0) ++ { ++ /* Copy the binary into position 0. */ ++ l_initfini[0] = map->l_searchlist.r_list[map_index]; ++ ++ /* Copy the filtees. */ ++ for (i = 0; i < map_index; ++i) ++ l_initfini[i+1] = map->l_searchlist.r_list[i]; ++ ++ /* Copy the remainder. */ ++ for (i = map_index + 1; i < nlist; ++i) ++ l_initfini[i] = map->l_searchlist.r_list[i]; ++ } ++ else ++ memcpy (l_initfini, map->l_searchlist.r_list, ++ nlist * sizeof (struct link_map *)); ++ + _dl_sort_maps (&l_initfini[1], nlist - 1, NULL, false); + + /* Terminate the list of dependencies. */ +diff --git a/elf/dl-open.c b/elf/dl-open.c +index 623c975..ecb2ba9 100644 +--- a/elf/dl-open.c ++++ b/elf/dl-open.c +@@ -621,22 +621,25 @@ dl_open_worker (void *a) + allows IFUNC relocations to work and it also means copy + relocation of dependencies are if necessary overwritten. */ + unsigned int nmaps = 0; +- struct link_map *l = new; ++ unsigned int j = 0; ++ struct link_map *l = new->l_initfini[0]; + do + { + if (! l->l_real->l_relocated) + ++nmaps; +- l = l->l_next; ++ l = new->l_initfini[++j]; + } + while (l != NULL); ++ /* Stack allocation is limited by the number of loaded objects. */ + struct link_map *maps[nmaps]; + nmaps = 0; +- l = new; ++ j = 0; ++ l = new->l_initfini[0]; + do + { + if (! l->l_real->l_relocated) + maps[nmaps++] = l; +- l = l->l_next; ++ l = new->l_initfini[++j]; + } + while (l != NULL); + _dl_sort_maps (maps, nmaps, NULL, false); +diff --git a/elf/tst-auxobj-dlopen.c b/elf/tst-auxobj-dlopen.c +new file mode 100644 +index 0000000..cb54aba +--- /dev/null ++++ b/elf/tst-auxobj-dlopen.c +@@ -0,0 +1,47 @@ ++/* Test for BZ#16272, dlopen'ing an auxiliary filter object. ++ Ensure that symbols from the resolve correctly. ++ ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++ ++static int do_test (void) ++{ ++ void *lib = xdlopen ("tst-filterobj-aux.so", RTLD_LAZY); ++ char *(*fn)(void) = xdlsym (lib, "get_text"); ++ const char* text = fn (); ++ ++ printf ("%s\n", text); ++ ++ /* Verify the text matches what we expect from the filtee */ ++ TEST_COMPARE_STRING (text, "Hello from filtee (PASS)"); ++ ++ fn = xdlsym (lib, "get_text2"); ++ text = fn (); ++ ++ printf ("%s\n", text); ++ ++ /* Verify the text matches what we expect from the auxiliary object */ ++ TEST_COMPARE_STRING (text, "Hello from auxiliary filter object (PASS)"); ++ ++ return 0; ++} ++ ++#include +diff --git a/elf/tst-auxobj.c b/elf/tst-auxobj.c +new file mode 100644 +index 0000000..bdc7713 +--- /dev/null ++++ b/elf/tst-auxobj.c +@@ -0,0 +1,42 @@ ++/* Test that symbols from auxiliary filter objects are resolved to the ++ filtee. ++ ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include "tst-filterobj-filtee.h" ++ ++static int do_test (void) ++{ ++ const char* text = get_text (); ++ printf ("%s\n", text); ++ ++ /* Verify the text matches what we expect from the filtee */ ++ TEST_COMPARE_STRING (text, "Hello from filtee (PASS)"); ++ ++ text = get_text2 (); ++ printf ("%s\n", text); ++ ++ /* Verify the text matches what we expect from the auxiliary object */ ++ TEST_COMPARE_STRING (text, "Hello from auxiliary filter object (PASS)"); ++ ++ return 0; ++} ++ ++#include +diff --git a/elf/tst-filterobj-aux.c b/elf/tst-filterobj-aux.c +new file mode 100644 +index 0000000..0b732f2 +--- /dev/null ++++ b/elf/tst-filterobj-aux.c +@@ -0,0 +1,33 @@ ++/* Auxiliary filter object. ++ Contains symbols to be resolved in filtee, and one which doesn't. ++ ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include "tst-filterobj-filtee.h" ++ ++/* We never want to see the output of the auxiliary object. */ ++const char *get_text (void) ++{ ++ return "Hello from auxiliary filter object (FAIL)"; ++} ++ ++/* The filtee doesn't implement this symbol, so this should resolve. */ ++const char *get_text2 (void) ++{ ++ return "Hello from auxiliary filter object (PASS)"; ++} +diff --git a/elf/tst-filterobj-dlopen.c b/elf/tst-filterobj-dlopen.c +new file mode 100644 +index 0000000..c5b5072 +--- /dev/null ++++ b/elf/tst-filterobj-dlopen.c +@@ -0,0 +1,39 @@ ++/* Test for BZ#16272, dlopen'ing a filter object. ++ Ensure that symbols from the filter object resolve to the filtee. ++ ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++ ++static int do_test (void) ++{ ++ void *lib = xdlopen ("tst-filterobj-flt.so", RTLD_LAZY); ++ char *(*fn)(void) = xdlsym (lib, "get_text"); ++ const char* text = fn (); ++ ++ printf ("%s\n", text); ++ ++ /* Verify the text matches what we expect from the filtee */ ++ TEST_COMPARE_STRING (text, "Hello from filtee (PASS)"); ++ ++ return 0; ++} ++ ++#include +diff --git a/elf/tst-filterobj-filtee.c b/elf/tst-filterobj-filtee.c +new file mode 100644 +index 0000000..8fa557c +--- /dev/null ++++ b/elf/tst-filterobj-filtee.c +@@ -0,0 +1,27 @@ ++/* Filtee for BZ#16272 test. ++ Contains desired symbol implementations. ++ ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include "tst-filterobj-filtee.h" ++ ++/* This is the real implementation that wants to be called */ ++const char *get_text (void) ++{ ++ return "Hello from filtee (PASS)"; ++} +diff --git a/elf/tst-filterobj-filtee.h b/elf/tst-filterobj-filtee.h +new file mode 100644 +index 0000000..46aee28 +--- /dev/null ++++ b/elf/tst-filterobj-filtee.h +@@ -0,0 +1,24 @@ ++/* Filtee header for BZ#16272 test. ++ Contains prototypes for symbols implemented in the filtee. ++ ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++const char *get_text (void); ++ ++/* For testing auxiliary filter object. */ ++const char *get_text2 (void); +diff --git a/elf/tst-filterobj-flt.c b/elf/tst-filterobj-flt.c +new file mode 100644 +index 0000000..5062654 +--- /dev/null ++++ b/elf/tst-filterobj-flt.c +@@ -0,0 +1,27 @@ ++/* Filter object for BZ#16272 test. ++ Contains symbols to be resolved in filtee. ++ ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include "tst-filterobj-filtee.h" ++ ++/* We never want to see the output of the filter object */ ++const char *get_text (void) ++{ ++ return "Hello from filter object (FAIL)"; ++} +diff --git a/elf/tst-filterobj.c b/elf/tst-filterobj.c +new file mode 100644 +index 0000000..96bfae0 +--- /dev/null ++++ b/elf/tst-filterobj.c +@@ -0,0 +1,36 @@ ++/* Test that symbols from filter objects are resolved to the filtee. ++ ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include "tst-filterobj-filtee.h" ++ ++static int do_test (void) ++{ ++ const char* text = get_text (); ++ ++ printf ("%s\n", text); ++ ++ /* Verify the text matches what we expect from the filtee */ ++ TEST_COMPARE_STRING (text, "Hello from filtee (PASS)"); ++ ++ return 0; ++} ++ ++#include +-- +1.8.3.1 + diff --git a/glibc.spec b/glibc.spec index cc2c2bd..1eeaaed 100644 --- a/glibc.spec +++ b/glibc.spec @@ -59,7 +59,7 @@ ############################################################################## Name: glibc Version: 2.28 -Release: 48 +Release: 49 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -97,6 +97,7 @@ Patch20: backport-0001-Fix-handling-of-collating-symbols-in-fnmatch-bug-266.patc Patch21: backport-sysvipc-Fix-SEM_STAT_ANY-kernel-argument-pass-BZ-26637.patch Patch22: backport-i686-tst-strftime3-fix-printf-warning.patch Patch23: Fix-CVE-2020-27618-iconv-Accept-redundant-shift-sequences.patch +Patch24: backport-elf-Allow-dlopen-of-filter-object-to-work-BZ-16272.patch Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) @@ -1092,6 +1093,10 @@ fi %doc hesiod/README.hesiod %changelog +* Mon Jan 25 2021 shanzhikun - 2.28-49 +- elf: Allow dlopen of filter object to work [BZ #16272] + https://sourceware.org/bugzilla/show_bug.cgi?id=16272 + * Fri Jan 8 2021 Wang Shuo - 2.28-48 - Replace "openEuler" by %{_vendor} for versatility -- Gitee From c7f8a66273efafa7cd2b2113129d0ddc7177dd03 Mon Sep 17 00:00:00 2001 From: Sdrkun Date: Tue, 26 Jan 2021 14:40:13 +0800 Subject: [PATCH 2/2] elf: Fix pldd (BZ#18035) --- backport-elf-Fix-pldd-BZ-18035.patch | 479 +++++++++++++++++++++++++++ glibc.spec | 7 +- 2 files changed, 485 insertions(+), 1 deletion(-) create mode 100644 backport-elf-Fix-pldd-BZ-18035.patch diff --git a/backport-elf-Fix-pldd-BZ-18035.patch b/backport-elf-Fix-pldd-BZ-18035.patch new file mode 100644 index 0000000..70ebc4c --- /dev/null +++ b/backport-elf-Fix-pldd-BZ-18035.patch @@ -0,0 +1,479 @@ +From 5cbb73004b635e762e20b447c2d93c307cb40f41 Mon Sep 17 00:00:00 2001 +From: Adhemerval Zanella +Date: Fri, 26 Apr 2019 14:08:20 +0200 +Subject: [PATCH] elf: Fix pldd (BZ#18035) + +Since 9182aa67994 (Fix vDSO l_name for GDB's, BZ#387) the initial link_map +for executable itself and loader will have both l_name and l_libname->name +holding the same value due: + + elf/dl-object.c + + 95 new->l_name = *realname ? realname : (char *) newname->name + libname_len - 1; + +Since newname->name points to new->l_libname->name. + +This leads to pldd to an infinite call at: + + elf/pldd-xx.c + +203 again: +204 while (1) +205 { +206 ssize_t n = pread64 (memfd, tmpbuf.data, tmpbuf.length, name_offset); + +228 /* Try the l_libname element. */ +229 struct E(libname_list) ln; +230 if (pread64 (memfd, &ln, sizeof (ln), m.l_libname) == sizeof (ln)) +231 { +232 name_offset = ln.name; +233 goto again; +234 } + +Since the value at ln.name (l_libname->name) will be the same as previously +read. The straightforward fix is just avoid the check and read the new list +entry. + +I checked also against binaries issues with old loaders with fix for BZ#387, +and pldd could dump the shared objects. + +Checked on x86_64-linux-gnu, i686-linux-gnu, aarch64-linux-gnu, and +powerpc64le-linux-gnu. + + [BZ #18035] + * elf/Makefile (tests-container): Add tst-pldd. + * elf/pldd-xx.c: Use _Static_assert in of pldd_assert. + (E(find_maps)): Avoid use alloca, use default read file operations + instead of explicit LFS names, and fix infinite loop. + * elf/pldd.c: Explicit set _FILE_OFFSET_BITS, cleanup headers. + (get_process_info): Use _Static_assert instead of assert, use default + directory operations instead of explicit LFS names, and free some + leadek pointers. + * elf/tst-pldd.c: New file. + +(cherry picked from commit 1a4c27355e146b6d8cc6487b998462c7fdd1048f) +(Backported without the test case due to lack of test-in-container +support.) +--- + ChangeLog | 11 ++++++ + NEWS | 1 + + elf/pldd-xx.c | 114 +++++++++++++++++++++------------------------------------- + elf/pldd.c | 64 ++++++++++++++++----------------- + 4 files changed, 82 insertions(+), 108 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 08b42bd..24a9709 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,14 @@ ++2019-04-23 Adhemerval Zanella ++ ++ [BZ #18035] ++ * elf/pldd-xx.c: Use _Static_assert in of pldd_assert. ++ (E(find_maps)): Avoid use alloca, use default read file operations ++ instead of explicit LFS names, and fix infinite loop. ++ * elf/pldd.c: Explicit set _FILE_OFFSET_BITS, cleanup headers. ++ (get_process_info): Use _Static_assert instead of assert, use default ++ directory operations instead of explicit LFS names, and free some ++ leadek pointers. ++ + 2018-08-01 Carlos O'Donel + + * version.h (RELEASE): Set to "stable". +diff --git a/NEWS b/NEWS +index eb31aca..f00f53f 100644 +--- a/NEWS ++++ b/NEWS +@@ -252,6 +252,7 @@ Security related changes: + + The following bugs are resolved with this release: + ++ [18035] Fix pldd hang + [1190] stdio: fgetc()/fread() behaviour is not POSIX compliant + [6889] manual: 'PWD' mentioned but not specified + [13575] libc: SSIZE_MAX defined as LONG_MAX is inconsistent with ssize_t, +diff --git a/elf/pldd-xx.c b/elf/pldd-xx.c +index 2823dea..f818d98 100644 +--- a/elf/pldd-xx.c ++++ b/elf/pldd-xx.c +@@ -23,10 +23,6 @@ + #define EW_(e, w, t) EW__(e, w, _##t) + #define EW__(e, w, t) e##w##t + +-#define pldd_assert(name, exp) \ +- typedef int __assert_##name[((exp) != 0) - 1] +- +- + struct E(link_map) + { + EW(Addr) l_addr; +@@ -39,12 +35,12 @@ struct E(link_map) + EW(Addr) l_libname; + }; + #if CLASS == __ELF_NATIVE_CLASS +-pldd_assert (l_addr, (offsetof (struct link_map, l_addr) +- == offsetof (struct E(link_map), l_addr))); +-pldd_assert (l_name, (offsetof (struct link_map, l_name) +- == offsetof (struct E(link_map), l_name))); +-pldd_assert (l_next, (offsetof (struct link_map, l_next) +- == offsetof (struct E(link_map), l_next))); ++_Static_assert (offsetof (struct link_map, l_addr) ++ == offsetof (struct E(link_map), l_addr), "l_addr"); ++_Static_assert (offsetof (struct link_map, l_name) ++ == offsetof (struct E(link_map), l_name), "l_name"); ++_Static_assert (offsetof (struct link_map, l_next) ++ == offsetof (struct E(link_map), l_next), "l_next"); + #endif + + +@@ -54,10 +50,10 @@ struct E(libname_list) + EW(Addr) next; + }; + #if CLASS == __ELF_NATIVE_CLASS +-pldd_assert (name, (offsetof (struct libname_list, name) +- == offsetof (struct E(libname_list), name))); +-pldd_assert (next, (offsetof (struct libname_list, next) +- == offsetof (struct E(libname_list), next))); ++_Static_assert (offsetof (struct libname_list, name) ++ == offsetof (struct E(libname_list), name), "name"); ++_Static_assert (offsetof (struct libname_list, next) ++ == offsetof (struct E(libname_list), next), "next"); + #endif + + struct E(r_debug) +@@ -69,16 +65,17 @@ struct E(r_debug) + EW(Addr) r_map; + }; + #if CLASS == __ELF_NATIVE_CLASS +-pldd_assert (r_version, (offsetof (struct r_debug, r_version) +- == offsetof (struct E(r_debug), r_version))); +-pldd_assert (r_map, (offsetof (struct r_debug, r_map) +- == offsetof (struct E(r_debug), r_map))); ++_Static_assert (offsetof (struct r_debug, r_version) ++ == offsetof (struct E(r_debug), r_version), "r_version"); ++_Static_assert (offsetof (struct r_debug, r_map) ++ == offsetof (struct E(r_debug), r_map), "r_map"); + #endif + + + static int + +-E(find_maps) (pid_t pid, void *auxv, size_t auxv_size) ++E(find_maps) (const char *exe, int memfd, pid_t pid, void *auxv, ++ size_t auxv_size) + { + EW(Addr) phdr = 0; + unsigned int phnum = 0; +@@ -104,12 +101,9 @@ E(find_maps) (pid_t pid, void *auxv, size_t auxv_size) + if (phdr == 0 || phnum == 0 || phent == 0) + error (EXIT_FAILURE, 0, gettext ("cannot find program header of process")); + +- EW(Phdr) *p = alloca (phnum * phent); +- if (pread64 (memfd, p, phnum * phent, phdr) != phnum * phent) +- { +- error (0, 0, gettext ("cannot read program header")); +- return EXIT_FAILURE; +- } ++ EW(Phdr) *p = xmalloc (phnum * phent); ++ if (pread (memfd, p, phnum * phent, phdr) != phnum * phent) ++ error (EXIT_FAILURE, 0, gettext ("cannot read program header")); + + /* Determine the load offset. We need this for interpreting the + other program header entries so we do this in a separate loop. +@@ -129,24 +123,18 @@ E(find_maps) (pid_t pid, void *auxv, size_t auxv_size) + if (p[i].p_type == PT_DYNAMIC) + { + EW(Dyn) *dyn = xmalloc (p[i].p_filesz); +- if (pread64 (memfd, dyn, p[i].p_filesz, offset + p[i].p_vaddr) ++ if (pread (memfd, dyn, p[i].p_filesz, offset + p[i].p_vaddr) + != p[i].p_filesz) +- { +- error (0, 0, gettext ("cannot read dynamic section")); +- return EXIT_FAILURE; +- } ++ error (EXIT_FAILURE, 0, gettext ("cannot read dynamic section")); + + /* Search for the DT_DEBUG entry. */ + for (unsigned int j = 0; j < p[i].p_filesz / sizeof (EW(Dyn)); ++j) + if (dyn[j].d_tag == DT_DEBUG && dyn[j].d_un.d_ptr != 0) + { + struct E(r_debug) r; +- if (pread64 (memfd, &r, sizeof (r), dyn[j].d_un.d_ptr) ++ if (pread (memfd, &r, sizeof (r), dyn[j].d_un.d_ptr) + != sizeof (r)) +- { +- error (0, 0, gettext ("cannot read r_debug")); +- return EXIT_FAILURE; +- } ++ error (EXIT_FAILURE, 0, gettext ("cannot read r_debug")); + + if (r.r_map != 0) + { +@@ -160,13 +148,10 @@ E(find_maps) (pid_t pid, void *auxv, size_t auxv_size) + } + else if (p[i].p_type == PT_INTERP) + { +- interp = alloca (p[i].p_filesz); +- if (pread64 (memfd, interp, p[i].p_filesz, offset + p[i].p_vaddr) ++ interp = xmalloc (p[i].p_filesz); ++ if (pread (memfd, interp, p[i].p_filesz, offset + p[i].p_vaddr) + != p[i].p_filesz) +- { +- error (0, 0, gettext ("cannot read program interpreter")); +- return EXIT_FAILURE; +- } ++ error (EXIT_FAILURE, 0, gettext ("cannot read program interpreter")); + } + + if (list == 0) +@@ -174,14 +159,16 @@ E(find_maps) (pid_t pid, void *auxv, size_t auxv_size) + if (interp == NULL) + { + // XXX check whether the executable itself is the loader +- return EXIT_FAILURE; ++ exit (EXIT_FAILURE); + } + + // XXX perhaps try finding ld.so and _r_debug in it +- +- return EXIT_FAILURE; ++ exit (EXIT_FAILURE); + } + ++ free (p); ++ free (interp); ++ + /* Print the PID and program name first. */ + printf ("%lu:\t%s\n", (unsigned long int) pid, exe); + +@@ -192,47 +179,27 @@ E(find_maps) (pid_t pid, void *auxv, size_t auxv_size) + do + { + struct E(link_map) m; +- if (pread64 (memfd, &m, sizeof (m), list) != sizeof (m)) +- { +- error (0, 0, gettext ("cannot read link map")); +- status = EXIT_FAILURE; +- goto out; +- } ++ if (pread (memfd, &m, sizeof (m), list) != sizeof (m)) ++ error (EXIT_FAILURE, 0, gettext ("cannot read link map")); + + EW(Addr) name_offset = m.l_name; +- again: + while (1) + { +- ssize_t n = pread64 (memfd, tmpbuf.data, tmpbuf.length, name_offset); ++ ssize_t n = pread (memfd, tmpbuf.data, tmpbuf.length, name_offset); + if (n == -1) +- { +- error (0, 0, gettext ("cannot read object name")); +- status = EXIT_FAILURE; +- goto out; +- } ++ error (EXIT_FAILURE, 0, gettext ("cannot read object name")); + + if (memchr (tmpbuf.data, '\0', n) != NULL) + break; + + if (!scratch_buffer_grow (&tmpbuf)) +- { +- error (0, 0, gettext ("cannot allocate buffer for object name")); +- status = EXIT_FAILURE; +- goto out; +- } ++ error (EXIT_FAILURE, 0, ++ gettext ("cannot allocate buffer for object name")); + } + +- if (((char *)tmpbuf.data)[0] == '\0' && name_offset == m.l_name +- && m.l_libname != 0) +- { +- /* Try the l_libname element. */ +- struct E(libname_list) ln; +- if (pread64 (memfd, &ln, sizeof (ln), m.l_libname) == sizeof (ln)) +- { +- name_offset = ln.name; +- goto again; +- } +- } ++ /* The m.l_name and m.l_libname.name for loader linkmap points to same ++ values (since BZ#387 fix). Trying to use l_libname name as the ++ shared object name might lead to an infinite loop (BZ#18035). */ + + /* Skip over the executable. */ + if (((char *)tmpbuf.data)[0] != '\0') +@@ -242,7 +209,6 @@ E(find_maps) (pid_t pid, void *auxv, size_t auxv_size) + } + while (list != 0); + +- out: + scratch_buffer_free (&tmpbuf); + return status; + } +diff --git a/elf/pldd.c b/elf/pldd.c +index b8106fd..0bdfff4 100644 +--- a/elf/pldd.c ++++ b/elf/pldd.c +@@ -17,23 +17,17 @@ + License along with the GNU C Library; if not, see + . */ + +-#include ++#define _FILE_OFFSET_BITS 64 ++ + #include +-#include + #include +-#include +-#include + #include + #include + #include +-#include +-#include + #include + #include +-#include + #include + #include +-#include + #include + #include + +@@ -76,14 +70,9 @@ static struct argp argp = + options, parse_opt, args_doc, doc, NULL, more_help, NULL + }; + +-// File descriptor of /proc/*/mem file. +-static int memfd; +- +-/* Name of the executable */ +-static char *exe; + + /* Local functions. */ +-static int get_process_info (int dfd, long int pid); ++static int get_process_info (const char *exe, int dfd, long int pid); + static void wait_for_ptrace_stop (long int pid); + + +@@ -102,8 +91,10 @@ main (int argc, char *argv[]) + return 1; + } + +- assert (sizeof (pid_t) == sizeof (int) +- || sizeof (pid_t) == sizeof (long int)); ++ _Static_assert (sizeof (pid_t) == sizeof (int) ++ || sizeof (pid_t) == sizeof (long int), ++ "sizeof (pid_t) != sizeof (int) or sizeof (long int)"); ++ + char *endp; + errno = 0; + long int pid = strtol (argv[remaining], &endp, 10); +@@ -119,25 +110,24 @@ main (int argc, char *argv[]) + if (dfd == -1) + error (EXIT_FAILURE, errno, gettext ("cannot open %s"), buf); + +- struct scratch_buffer exebuf; +- scratch_buffer_init (&exebuf); ++ /* Name of the executable */ ++ struct scratch_buffer exe; ++ scratch_buffer_init (&exe); + ssize_t nexe; + while ((nexe = readlinkat (dfd, "exe", +- exebuf.data, exebuf.length)) == exebuf.length) ++ exe.data, exe.length)) == exe.length) + { +- if (!scratch_buffer_grow (&exebuf)) ++ if (!scratch_buffer_grow (&exe)) + { + nexe = -1; + break; + } + } + if (nexe == -1) +- exe = (char *) ""; ++ /* Default stack allocation is at least 1024. */ ++ snprintf (exe.data, exe.length, ""); + else +- { +- exe = exebuf.data; +- exe[nexe] = '\0'; +- } ++ ((char*)exe.data)[nexe] = '\0'; + + /* Stop all threads since otherwise the list of loaded modules might + change while we are reading it. */ +@@ -155,8 +145,8 @@ main (int argc, char *argv[]) + error (EXIT_FAILURE, errno, gettext ("cannot prepare reading %s/task"), + buf); + +- struct dirent64 *d; +- while ((d = readdir64 (dir)) != NULL) ++ struct dirent *d; ++ while ((d = readdir (dir)) != NULL) + { + if (! isdigit (d->d_name[0])) + continue; +@@ -182,7 +172,7 @@ main (int argc, char *argv[]) + + wait_for_ptrace_stop (tid); + +- struct thread_list *newp = alloca (sizeof (*newp)); ++ struct thread_list *newp = xmalloc (sizeof (*newp)); + newp->tid = tid; + newp->next = thread_list; + thread_list = newp; +@@ -190,17 +180,22 @@ main (int argc, char *argv[]) + + closedir (dir); + +- int status = get_process_info (dfd, pid); ++ if (thread_list == NULL) ++ error (EXIT_FAILURE, 0, gettext ("no valid %s/task entries"), buf); ++ ++ int status = get_process_info (exe.data, dfd, pid); + +- assert (thread_list != NULL); + do + { + ptrace (PTRACE_DETACH, thread_list->tid, NULL, NULL); ++ struct thread_list *prev = thread_list; + thread_list = thread_list->next; ++ free (prev); + } + while (thread_list != NULL); + + close (dfd); ++ scratch_buffer_free (&exe); + + return status; + } +@@ -281,9 +276,10 @@ warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\ + + + static int +-get_process_info (int dfd, long int pid) ++get_process_info (const char *exe, int dfd, long int pid) + { +- memfd = openat (dfd, "mem", O_RDONLY); ++ /* File descriptor of /proc//mem file. */ ++ int memfd = openat (dfd, "mem", O_RDONLY); + if (memfd == -1) + goto no_info; + +@@ -333,9 +329,9 @@ get_process_info (int dfd, long int pid) + + int retval; + if (e_ident[EI_CLASS] == ELFCLASS32) +- retval = find_maps32 (pid, auxv, auxv_size); ++ retval = find_maps32 (exe, memfd, pid, auxv, auxv_size); + else +- retval = find_maps64 (pid, auxv, auxv_size); ++ retval = find_maps64 (exe, memfd, pid, auxv, auxv_size); + + free (auxv); + close (memfd); +-- +1.8.3.1 + diff --git a/glibc.spec b/glibc.spec index 1eeaaed..877df81 100644 --- a/glibc.spec +++ b/glibc.spec @@ -59,7 +59,7 @@ ############################################################################## Name: glibc Version: 2.28 -Release: 49 +Release: 50 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -98,6 +98,7 @@ Patch21: backport-sysvipc-Fix-SEM_STAT_ANY-kernel-argument-pass-BZ-26637.patch Patch22: backport-i686-tst-strftime3-fix-printf-warning.patch Patch23: Fix-CVE-2020-27618-iconv-Accept-redundant-shift-sequences.patch Patch24: backport-elf-Allow-dlopen-of-filter-object-to-work-BZ-16272.patch +Patch25: backport-elf-Fix-pldd-BZ-18035.patch Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) @@ -1093,6 +1094,10 @@ fi %doc hesiod/README.hesiod %changelog +* Tue Jan 26 2021 shanzhikun - 2.28-50 +- elf: Fix pldd (BZ#18035) + https://sourceware.org/bugzilla/show_bug.cgi?id=18035 + * Mon Jan 25 2021 shanzhikun - 2.28-49 - elf: Allow dlopen of filter object to work [BZ #16272] https://sourceware.org/bugzilla/show_bug.cgi?id=16272 -- Gitee