From: Markus Wichmann
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: dlsym(handle) may search in unrelated libraries
Date: Wed, 6 Feb 2019 17:02:48 +0100
Message-ID: <20190206160248.GB5469@voyager>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
Cc: Alexey Izbyshev
User-Agent: Mutt/1.10.1 (2018-07-13)
Xref: news.gmane.org gmane.linux.lib.musl.general:13715

On Wed, Feb 06, 2019 at 12:02:39AM +0300, Alexey Izbyshev wrote:
> Hello!
>
> I've discovered a bug in the musl dynamic loader (tested on 1.1.21) which is
> demonstrated by the following simple example:
>
> $ cat bar.c
> int bar = 42;
> $ musl-gcc -fPIC -shared bar.c -o libbar.so
> $ cat foo.c
> extern int bar;
> int *foo = &bar;
> $ musl-gcc -fPIC -shared foo.c -L. -lbar -Wl,-rpath='$ORIGIN' -o libfoo.so
> $ cat main.c
> #include <dlfcn.h>
> #include <stdio.h>
>
> int main(void) {
>     if (!dlopen("libfoo.so", RTLD_NOW))
>         return 1;
>     void *h = dlopen("libc.so.6", RTLD_NOW);
>     printf("%p\n", dlsym(h, "bar"));
> }
> $ musl-gcc main.c -Wl,-rpath='$ORIGIN' -ldl
> $ ./a.out
> 0x7fd7ebe96020
>

In case you were wondering, your typo here doesn't change anything, since
"libc.so.6" has the prefix "libc.", which is recognized as reserved in
load_library(), and makes dlopen() return a handle to the libc.

Thankfully the patch is simple: Explicitly make ldso and vdso have no
deps. I was tempted to put this into kernel_mapped_dso(), but then I
remembered that the app is also a kernel mapped dso, and it usually does
have deps that need processing. At least, in nontrivial cases.

The attached patch should tide you over.

>
> Alexey

Ciao,
Markus

Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="0006-Make-libc-and-vdso-explicitly-have-no-deps.patch"
>From e823910d69ff56ffccecaa9b29fd4b67b901798a Mon Sep 17 00:00:00 2001 From: Markus Wichmann Date: Wed, 6 Feb 2019 16:51:53 +0100 Subject: [PATCH 6/6] Make libc and vdso explicitly have no deps. Alexey Izbyshev reported that without this, dlopen("libc.so") returns a handle that is capable of finding every symbol in libraries loaded as dependencies, since dso->deps == 0 usually means dependencies haven't been loaded. --- ldso/dynlink.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ldso/dynlink.c b/ldso/dynlink.c index ec921dfd..6ffeca85 100644 --- a/ldso/dynlink.c +++ b/ldso/dynlink.c @@ -1244,6 +1244,7 @@ static void reloc_all(struct dso *p) static void kernel_mapped_dso(struct dso *p) { size_t min_addr = -1, max_addr = 0, cnt; + static const struct dso *sentinel = 0; Phdr *ph = p->phdr; for (cnt = p->phnum; cnt--; ph = (void *)((char *)ph + p->phentsize)) { if (ph->p_type == PT_DYNAMIC) { @@ -1428,6 +1429,7 @@ hidden void __dls2(unsigned char *base, size_t *sp) ldso.phdr = laddr(&ldso, ehdr->e_phoff); ldso.phentsize = ehdr->e_phentsize; kernel_mapped_dso(&ldso); + ldso.deps = (struct dso**)&nodeps_dummy; decode_dyn(&ldso); if (DL_FDPIC) makefuncdescs(&ldso); @@ -1675,6 +1677,7 @@ _Noreturn void __dls3(size_t *sp) vdso.prev = tail; tail->next = &vdso; tail = &vdso; + vdso.deps = (struct dso**)&nodeps_dummy; } for (i=0; app.dynv[i]; i+=2) { -- 2.20.1 --A6N2fC+uXW/VQSAv--
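Review bot: in the kernel_mapped_dso() hunk (@@ -1244), the added local `static const struct dso *sentinel = 0;` is never referenced by this or any other hunk; the sentinel the two later hunks actually use is `nodeps_dummy`, which the patch references but does not define, so it must already exist in dynlink.c. The `sentinel` line looks like a leftover from an earlier draft and should be dropped so the function gains no unused static.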
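Review bot: the __dls2() hunk (@@ -1428) adds `ldso.deps = (struct dso**)&nodeps_dummy;` with no comment, and the only place that says why is the commit message ("dso->deps == 0 usually means dependencies haven't been loaded"). A one-line comment at the assignment stating that a null deps pointer is read as "not loaded yet" and would let dlsym() on this handle fall back to searching every loaded library would keep that invariant visible to the next person editing the ldso setup.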
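Review bot: the __dls3() hunk (@@ -1675) places `vdso.deps = (struct dso**)&nodeps_dummy;` inside the block that links the vdso into the list, so a process without a vdso touches nothing, which is right. The commit message should also record why `app`, the other kernel-mapped dso, is deliberately left alone (its deps are loaded later, as the cover mail explains); without that, a reader of the log would reasonably ask why the fix is not in kernel_mapped_dso() itself.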