This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug dynamic-link/13818] New: Bogus LD_PROFILE will cause application to segfault


http://sourceware.org/bugzilla/show_bug.cgi?id=13818

             Bug #: 13818
           Summary: Bogus LD_PROFILE will cause application to segfault
           Product: glibc
           Version: 2.15
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
        AssignedTo: unassigned@sourceware.org
        ReportedBy: law@redhat.com
    Classification: Unclassified


Created attachment 6265
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6265
Potential fix

LD_PROFILE=BLAH /usr/bin/gdb

Results in a segfault in the dynamic linker on my Fedora 16 system.


172       /* This is the address in the array where we store the result of previous
173          relocations.  */
174       struct reloc_result *reloc_result = &l->l_reloc_result[reloc_index];
175       DL_FIXUP_VALUE_TYPE *resultp = &reloc_result->addr;
176
177       DL_FIXUP_VALUE_TYPE value = *resultp;

The l_reloc_result field is NULL, which causes resultp to point to a near-NULL
address and segfault at line 177.

We are processing an R_X86_64_IRELATIVE relocation for libm.

Looking at dl-reloc.c we have:
264     #include "dynamic-link.h"
265
266         ELF_DYNAMIC_RELOCATE (l, lazy, consider_profiling, skip_ifunc);
267
268     #ifndef PROF
269         if (__builtin_expect (consider_profiling, 0))
270           {
271             /* Allocate the array which will contain the already found
272                relocations.  If the shared object lacks a PLT (for example
273                if it only contains lead function) the l_info[DT_PLTRELSZ]
274                will be NULL.  */
275             if (l->l_info[DT_PLTRELSZ] == NULL)
276               {
277                 errstring = N_("%s: no PLTREL found in object %s\n");
278               fatal:
279                 _dl_fatal_printf (errstring,
280                                   rtld_progname ?: "<program name unknown>",
281                                   l->l_name);
282               }
283
284             l->l_reloc_result = calloc (sizeof (l->l_reloc_result[0]),
285                                         l->l_info[DT_PLTRELSZ]->d_un.d_val);

Note that we call ELF_DYNAMIC_RELOCATE on line 266 prior to setting up
l_reloc_result on line 284.


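Added example, not part of the original message and not the attached patch or glibc code: a simplified C model of the ordering described in the report, where a fixup runs during relocation before the result cache is allocated, with one possible guard against indexing a NULL array. The struct and function names are hypothetical stand-ins, and the resolved addresses are constructed values.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for the loader structures named in
   the report; this is a model, not glibc code. */
struct reloc_result { unsigned long addr; };

struct object_model {
    size_t nplt;                        /* number of PLT slots */
    struct reloc_result *reloc_result;  /* NULL until profiling setup runs */
    int slow_lookups;                   /* counts uncached resolutions */
};

/* Uncached resolution (constructed: slot i resolves to 0x1000 + i). */
static unsigned long plain_fixup(struct object_model *l, size_t idx)
{
    l->slow_lookups++;
    return 0x1000UL + idx;
}

/* Profiling fixup with a guard: if the cache array is not allocated yet
   (the window between relocation and setup), or the index is out of
   range, bypass the cache instead of forming &l->reloc_result[idx]
   from a NULL base. */
unsigned long profile_fixup(struct object_model *l, size_t idx)
{
    if (l->reloc_result == NULL || idx >= l->nplt)
        return plain_fixup(l, idx);

    unsigned long *resultp = &l->reloc_result[idx].addr;
    if (*resultp == 0)                  /* first use: resolve and cache */
        *resultp = plain_fixup(l, idx);
    return *resultp;
}

/* Same ordering as in the report: the relocation step runs first (here it
   triggers a fixup directly, modelling the failing call path), and the
   cache is allocated only afterwards. */
unsigned long relocate_then_setup(struct object_model *l, size_t idx)
{
    unsigned long early = profile_fixup(l, idx);   /* cache still NULL */
    l->reloc_result = calloc(l->nplt, sizeof l->reloc_result[0]);
    return early;
}
```

Without the NULL test in profile_fixup, the early call would read through a near-NULL pointer, which is the crash shown at line 177 of the first listing.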
