From: Hugues Bruant
Newsgroups: gmane.linux.lib.musl.general
Subject: dynlink.c: bug in reclaim_gaps leading to segfault in __libc_exit_fini
Date: Tue, 16 Feb 2016 16:30:42 -0500
To: musl@lists.openwall.com

Affects both 1.1.12 and 1.1.13

Tracked down with valgrind in Alpine Linux 3.3.

The dmg tool built from https://github.com/aerofs/libdmg-hfsplus links to a handful of shared libs. The following message is seen immediately at start:

==59== Invalid free() / delete / delete[] / realloc()
==59==    at 0x4C92B0E: free (vg_replace_malloc.c:530)
==59==    by 0x4056F68: reclaim_gaps (dynlink.c:488)
==59==    by 0x405743D: map_library (dynlink.c:708)
==59==    by 0x4057EF3: load_library (dynlink.c:1014)
==59==    by 0x4058CA8: load_preload (dynlink.c:1112)
==59==    by 0x4058CA8: __dls3 (dynlink.c:1581)
==59==    by 0x405856A: __dls2 (dynlink.c:1383)
==59==    by 0x405655E: ??? (in /lib/ld-musl-x86_64.so.1)
==59==    by 0x3: ???
==59==    by 0xFFF000E3A: ???
==59==    by 0xFFF000E3E: ???
==59==    by 0xFFF000E44: ???
==59==    by 0xFFF000E86: ???

Afterwards, the program proceeds with no issue, until it exits, at which point a segfault is triggered when cleaning up shared libraries:

==38== Invalid read of size 8
==38==    at 0x4057551: decode_vec.constprop.5 (dynlink.c:171)
==38==    by 0x405825C: __libc_exit_fini (dynlink.c:1197)
==38==    by 0x4016233: exit (exit.c:31)
==38==    by 0x401D635: (below main) (__libc_start_main.c:74)
==38==  Address 0x636f8f53ebff9f53 is not stack'd, malloc'd or (recently) free'd
==38==
==38==
==38== Process terminating with default action of signal 11 (SIGSEGV)
==38==  General Protection Fault
==38==    at 0x4057551: decode_vec.constprop.5 (dynlink.c:171)
==38==    by 0x405825C: __libc_exit_fini (dynlink.c:1197)
==38==    by 0x4016233: exit (exit.c:31)
==38==    by 0x401D635: (below main) (__libc_start_main.c:74)
==38==

The first 32 bytes of one of the dso structs are manifestly corrupted.

Patching reclaim_gaps as follows fixes the segfault:

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index 87f3b7f..f897dbd 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -484,9 +484,9 @@ static void reclaim_gaps(struct dso *dso)
         for (; phcnt--; ph=(void *)((char *)ph+dso->phentsize)) {
                 if (ph->p_type!=PT_LOAD) continue;
                 if ((ph->p_flags&(PF_R|PF_W))!=(PF_R|PF_W)) continue;
-               reclaim(dso, ph->p_vaddr & -PAGE_SIZE, ph->p_vaddr);
-               reclaim(dso, ph->p_vaddr+ph->p_memsz,
-                       ph->p_vaddr+ph->p_memsz+PAGE_SIZE-1 & -PAGE_SIZE);
+               //reclaim(dso, ph->p_vaddr & -PAGE_SIZE, ph->p_vaddr);
+               //reclaim(dso, ph->p_vaddr+ph->p_memsz,
+               //      ph->p_vaddr+ph->p_memsz+PAGE_SIZE-1 & -PAGE_SIZE);
         }
  }

For more details: https://bugs.alpinelinux.org/issues/5123

Regards,
Hugues
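Review bot: Commenting out both reclaim() calls in the hunk disables gap reclamation for every RW PT_LOAD segment rather than guarding the case that fails, so as submitted this is a workaround that confirms where the bad free originates, not a mergeable fix, and commented-out code should not land in ldso/dynlink.c. The valgrind trace places the invalid free inside reclaim_gaps (dynlink.c:488) while load_preload is mapping a library, i.e. one of the two donated ranges (the head gap from `ph->p_vaddr & -PAGE_SIZE` to `ph->p_vaddr`, or the tail gap ending at `ph->p_vaddr+ph->p_memsz+PAGE_SIZE-1 & -PAGE_SIZE`, where the `&` applies to the whole rounded sum because `+` binds tighter) is handed to the allocator although valgrind does not consider it a valid heap block, and a dso struct is later found overwritten, which is consistent with live data sitting in a range that was given away. The fix should keep the two calls and add the missing check on the donated range before calling reclaim(), and the commit message should name which of the preloaded libraries triggers the invalid free so the faulty range can be reproduced.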