dlfcn: Failures after dlmopen should not terminate process [BZ #24772]

Message ID 874l40a3dw.fsf@oldenburg2.str.redhat.com
State New
Headers show
Series
  • dlfcn: Failures after dlmopen should not terminate process [BZ #24772]
Related show

Commit Message

Florian Weimer July 5, 2019, 3:48 p.m.
Commit 9e78f6f6e7134a5f299cc8de77370218f8019237 ("Implement
_dl_catch_error, _dl_signal_error in libc.so [BZ #16628]") has the
side effect that distinct namespaces, as created by dlmopen, now have
separate implementations of the rtld exception mechanism.  This means
that the call to _dl_catch_error from libdl in a secondary namespace
does not actually install an exception handler because the
thread-local variable catch_hook in the libc.so copy in the secondary
namespace is distinct from that of the base namepace.  As a result, a
dlsym/dlopen/… failure in a secondary namespace terminates the process
with a dynamic linker error because it looks to the exception handler
mechanism as if no handler has been installed.

This commit restores GLRO (dl_catch_error) and uses it to set the
handler in the base namespace.

(Sorry for the limited test case, otherwise it will run into *another*
bug.)

2019-07-05  Florian Weimer  <fweimer@redhat.com>

	[BZ #24772]
	* dlfcn/dlerror.c (_dlerror_run): Call _dl_catch_error from the
	base namespace, via GLRO (dl_catch_error).
	* elf/Makefile [$(build-shared)] (tests): Add tst-dlmopen-dlerror.
	(modules-names): Add tst-dlmopen-dlerror-mod.
	(tst-dlmopen-dlerror): Link with -ldl.
	(tst-dlmopen-dlerror-mod.so): Link with -ldl and libsupport.a.
	(tst-dlmopen-dlerror.out): Depend on tst-dlmopen-dlerror-mod.so.
	* elf/dl-error-skeleton.c [DL_ERROR_BOOTSTRAP]
	(_rtld_catch_error): Define.
	* elf/rtld.c (_rtld_global_ro): Initialize _dl_catch_error.
	* elf/tst-dlmopen-dlerror-mod.c: New file.
	* elf/tst-dlmopen-dlerror.c: Likewise.
	* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Add
	_dl_catch_error member.
	(_rtld_catch_error): Declare.

Comments

Florian Weimer July 5, 2019, 6:40 p.m. | #1
Sorry, there was a C&P issue in the test case.

The follow-up fix I will post hopefully shortly should include a more
comprehensive test case, also including dlerror calls.

Thanks,
Florian

dlfcn: Failures after dlmopen should not terminate process [BZ #24772]

Commit 9e78f6f6e7134a5f299cc8de77370218f8019237 ("Implement
_dl_catch_error, _dl_signal_error in libc.so [BZ #16628]") has the
side effect that distinct namespaces, as created by dlmopen, now have
separate implementations of the rtld exception mechanism.  This means
that the call to _dl_catch_error from libdl in a secondary namespace
does not actually install an exception handler because the
thread-local variable catch_hook in the libc.so copy in the secondary
namespace is distinct from that of the base namepace.  As a result, a
dlsym/dlopen/… failure in a secondary namespace terminates the process
with a dynamic linker error because it looks to the exception handler
mechanism as if no handler has been installed.

This commit restores GLRO (dl_catch_error) and uses it to set the
handler in the base namespace.

2019-07-05  Florian Weimer  <fweimer@redhat.com>

	[BZ #24772]
	* dlfcn/dlerror.c (_dlerror_run): Call _dl_catch_error from the
	base namespace, via GLRO (dl_catch_error).
	* elf/Makefile [$(build-shared)] (tests): Add tst-dlmopen-dlerror.
	(modules-names): Add tst-dlmopen-dlerror-mod.
	(tst-dlmopen-dlerror): Link with -ldl.
	(tst-dlmopen-dlerror-mod.so): Link with -ldl and libsupport.a.
	(tst-dlmopen-dlerror.out): Depend on tst-dlmopen-dlerror-mod.so.
	* elf/dl-error-skeleton.c [DL_ERROR_BOOTSTRAP]
	(_rtld_catch_error): Define.
	* elf/rtld.c (_rtld_global_ro): Initialize _dl_catch_error.
	* elf/tst-dlmopen-dlerror-mod.c: New file.
	* elf/tst-dlmopen-dlerror.c: Likewise.
	* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Add
	_dl_catch_error member.
	(_rtld_catch_error): Declare.

diff --git a/dlfcn/dlerror.c b/dlfcn/dlerror.c
index ca42c126c1..c2b08c7fc4 100644
--- a/dlfcn/dlerror.c
+++ b/dlfcn/dlerror.c
@@ -167,8 +167,10 @@ _dlerror_run (void (*operate) (void *), void *args)
       result->errstring = NULL;
     }
 
-  result->errcode = _dl_catch_error (&result->objname, &result->errstring,
-				     &result->malloced, operate, args);
+  result->errcode = GLRO (dl_catch_error) (&result->objname,
+					   &result->errstring,
+					   &result->malloced,
+					   operate, args);
 
   /* If no error we mark that no error string is available.  */
   result->returned = result->errstring == NULL;
diff --git a/elf/Makefile b/elf/Makefile
index a3eefd1b1f..b8dd5b30db 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -192,7 +192,7 @@ tests += restest1 preloadtest loadfail multiload origtest resolvfail \
 	 tst-latepthread tst-tls-manydynamic tst-nodelete-dlclose \
 	 tst-debug1 tst-main1 tst-absolute-sym tst-absolute-zero tst-big-note \
 	 tst-unwind-ctor tst-unwind-main tst-audit13 \
-	 tst-sonamemove-link tst-sonamemove-dlopen
+	 tst-sonamemove-link tst-sonamemove-dlopen tst-dlmopen-dlerror
 #	 reldep9
 tests-internal += loadtest unload unload2 circleload1 \
 	 neededtest neededtest2 neededtest3 neededtest4 \
@@ -283,7 +283,8 @@ modules-names = testobj1 testobj2 testobj3 testobj4 testobj5 testobj6 \
 		tst-main1mod tst-libc_dlvsym-dso tst-absolute-sym-lib \
 		tst-absolute-zero-lib tst-big-note-lib tst-unwind-ctor-lib \
 		tst-audit13mod1 tst-sonamemove-linkmod1 \
-		tst-sonamemove-runmod1 tst-sonamemove-runmod2
+		tst-sonamemove-runmod1 tst-sonamemove-runmod2 \
+		tst-dlmopen-dlerror-mod
 # Most modules build with _ISOMAC defined, but those filtered out
 # depend on internal headers.
 modules-names-tests = $(filter-out ifuncmod% tst-libc_dlvsym-dso tst-tlsmod%,\
@@ -1434,6 +1435,10 @@ $(objpfx)tst-sonamemove-dlopen.out: \
   $(objpfx)tst-sonamemove-runmod1.so \
   $(objpfx)tst-sonamemove-runmod2.so
 
+$(objpfx)tst-dlmopen-dlerror: $(libdl)
+$(objpfx)tst-dlmopen-dlerror-mod.so: $(libdl) $(libsupport)
+$(objpfx)tst-dlmopen-dlerror.out: $(objpfx)tst-dlmopen-dlerror-mod.so
+
 # Override -z defs, so that we can reference an undefined symbol.
 # Force lazy binding for the same reason.
 LDFLAGS-tst-latepthreadmod.so = \
diff --git a/elf/dl-error-skeleton.c b/elf/dl-error-skeleton.c
index 248c185a74..5c2b1d4fb7 100644
--- a/elf/dl-error-skeleton.c
+++ b/elf/dl-error-skeleton.c
@@ -236,4 +236,16 @@ _dl_receive_error (receiver_fct fct, void (*operate) (void *), void *args)
   catch_hook = old_catch;
   receiver = old_receiver;
 }
+
+/* Forwarder used for initializing GLRO (_dl_catch_error).  */
+int
+_rtld_catch_error (const char **objname, const char **errstring,
+		   bool *mallocedp, void (*operate) (void *),
+		   void *args)
+{
+  /* The reference to _dl_catch_error will eventually be relocated to
+     point to the implementation in libc.so.  */
+  return _dl_catch_error (objname, errstring, mallocedp, operate, args);
+}
+
 #endif /* DL_ERROR_BOOTSTRAP */
diff --git a/elf/rtld.c b/elf/rtld.c
index c9490ff694..ba2323baa1 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -325,6 +325,7 @@ struct rtld_global_ro _rtld_global_ro attribute_relro =
     ._dl_lookup_symbol_x = _dl_lookup_symbol_x,
     ._dl_open = _dl_open,
     ._dl_close = _dl_close,
+    ._dl_catch_error = _rtld_catch_error,
     ._dl_tls_get_addr_soft = _dl_tls_get_addr_soft,
 #ifdef HAVE_DL_DISCOVER_OSVERSION
     ._dl_discover_osversion = _dl_discover_osversion
diff --git a/elf/tst-dlmopen-dlerror-mod.c b/elf/tst-dlmopen-dlerror-mod.c
new file mode 100644
index 0000000000..dcb94320b4
--- /dev/null
+++ b/elf/tst-dlmopen-dlerror-mod.c
@@ -0,0 +1,41 @@
+/* Check that dlfcn errors are reported properly after dlmopen.  Test module.
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <dlfcn.h>
+#include <stddef.h>
+#include <support/check.h>
+
+/* Note: This object is not linked into the main program, so we cannot
+   use delayed test failure reporting via TEST_VERIFY etc., and have
+   to use FAIL_EXIT1 (or something else that calls exit).  */
+
+void
+call_dlsym (void)
+{
+  void *ptr = dlsym (NULL, "does not exist");
+  if (ptr != NULL)
+    FAIL_EXIT1 ("dlsym did not fail as expected");
+}
+
+void
+call_dlopen (void)
+{
+  void *handle = dlopen ("tst-dlmopen-dlerror does not exist", RTLD_NOW);
+  if (handle != NULL)
+    FAIL_EXIT1 ("dlopen did not fail as expected");
+}
diff --git a/elf/tst-dlmopen-dlerror.c b/elf/tst-dlmopen-dlerror.c
new file mode 100644
index 0000000000..65638f7f38
--- /dev/null
+++ b/elf/tst-dlmopen-dlerror.c
@@ -0,0 +1,37 @@
+/* Check that dlfcn errors are reported properly after dlmopen.
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <stddef.h>
+#include <support/check.h>
+#include <support/xdlfcn.h>
+
+static int
+do_test (void)
+{
+  void *handle = xdlmopen (LM_ID_NEWLM, "tst-dlmopen-dlerror-mod.so",
+                           RTLD_NOW);
+  void (*call_dlsym) (void) = xdlsym (handle, "call_dlsym");
+  void (*call_dlopen) (void) = xdlsym (handle, "call_dlopen");
+
+  call_dlsym ();
+  call_dlopen ();
+
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
index b1fc5c31f9..c8894e9518 100644
--- a/sysdeps/generic/ldsodefs.h
+++ b/sysdeps/generic/ldsodefs.h
@@ -604,6 +604,12 @@ struct rtld_global_ro
   void *(*_dl_open) (const char *file, int mode, const void *caller_dlopen,
 		     Lmid_t nsid, int argc, char *argv[], char *env[]);
   void (*_dl_close) (void *map);
+  /* libdl in a secondary namespace (after dlopen) must use
+     _dl_catch_error from the main namespace, so it has to be
+     exported in some way.  */
+  int (*_dl_catch_error) (const char **objname, const char **errstring,
+			  bool *mallocedp, void (*operate) (void *),
+			  void *args);
   void *(*_dl_tls_get_addr_soft) (struct link_map *);
 #ifdef HAVE_DL_DISCOVER_OSVERSION
   int (*_dl_discover_osversion) (void);
@@ -841,6 +847,9 @@ extern int _dl_catch_error (const char **objname, const char **errstring,
 			    void *args);
 libc_hidden_proto (_dl_catch_error)
 
+/* Used for initializing GLRO (_dl_catch_error).  */
+extern __typeof__ (_dl_catch_error) _rtld_catch_error attribute_hidden;
+
 /* Call OPERATE (ARGS).  If no error occurs, set *EXCEPTION to zero.
    Otherwise, store a copy of the raised exception in *EXCEPTION,
    which has to be freed by _dl_exception_free.  */

Patch

diff --git a/dlfcn/dlerror.c b/dlfcn/dlerror.c
index ca42c126c1..c2b08c7fc4 100644
--- a/dlfcn/dlerror.c
+++ b/dlfcn/dlerror.c
@@ -167,8 +167,10 @@  _dlerror_run (void (*operate) (void *), void *args)
       result->errstring = NULL;
     }
 
-  result->errcode = _dl_catch_error (&result->objname, &result->errstring,
-				     &result->malloced, operate, args);
+  result->errcode = GLRO (dl_catch_error) (&result->objname,
+					   &result->errstring,
+					   &result->malloced,
+					   operate, args);
 
   /* If no error we mark that no error string is available.  */
   result->returned = result->errstring == NULL;
diff --git a/elf/Makefile b/elf/Makefile
index a3eefd1b1f..b8dd5b30db 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -192,7 +192,7 @@  tests += restest1 preloadtest loadfail multiload origtest resolvfail \
 	 tst-latepthread tst-tls-manydynamic tst-nodelete-dlclose \
 	 tst-debug1 tst-main1 tst-absolute-sym tst-absolute-zero tst-big-note \
 	 tst-unwind-ctor tst-unwind-main tst-audit13 \
-	 tst-sonamemove-link tst-sonamemove-dlopen
+	 tst-sonamemove-link tst-sonamemove-dlopen tst-dlmopen-dlerror
 #	 reldep9
 tests-internal += loadtest unload unload2 circleload1 \
 	 neededtest neededtest2 neededtest3 neededtest4 \
@@ -283,7 +283,8 @@  modules-names = testobj1 testobj2 testobj3 testobj4 testobj5 testobj6 \
 		tst-main1mod tst-libc_dlvsym-dso tst-absolute-sym-lib \
 		tst-absolute-zero-lib tst-big-note-lib tst-unwind-ctor-lib \
 		tst-audit13mod1 tst-sonamemove-linkmod1 \
-		tst-sonamemove-runmod1 tst-sonamemove-runmod2
+		tst-sonamemove-runmod1 tst-sonamemove-runmod2 \
+		tst-dlmopen-dlerror-mod
 # Most modules build with _ISOMAC defined, but those filtered out
 # depend on internal headers.
 modules-names-tests = $(filter-out ifuncmod% tst-libc_dlvsym-dso tst-tlsmod%,\
@@ -1434,6 +1435,10 @@  $(objpfx)tst-sonamemove-dlopen.out: \
   $(objpfx)tst-sonamemove-runmod1.so \
   $(objpfx)tst-sonamemove-runmod2.so
 
+$(objpfx)tst-dlmopen-dlerror: $(libdl)
+$(objpfx)tst-dlmopen-dlerror-mod.so: $(libdl) $(libsupport)
+$(objpfx)tst-dlmopen-dlerror.out: $(objpfx)tst-dlmopen-dlerror-mod.so
+
 # Override -z defs, so that we can reference an undefined symbol.
 # Force lazy binding for the same reason.
 LDFLAGS-tst-latepthreadmod.so = \
diff --git a/elf/dl-error-skeleton.c b/elf/dl-error-skeleton.c
index 248c185a74..5c2b1d4fb7 100644
--- a/elf/dl-error-skeleton.c
+++ b/elf/dl-error-skeleton.c
@@ -236,4 +236,16 @@  _dl_receive_error (receiver_fct fct, void (*operate) (void *), void *args)
   catch_hook = old_catch;
   receiver = old_receiver;
 }
+
+/* Forwarder used for initializing GLRO (_dl_catch_error).  */
+int
+_rtld_catch_error (const char **objname, const char **errstring,
+		   bool *mallocedp, void (*operate) (void *),
+		   void *args)
+{
+  /* The reference to _dl_catch_error will eventually be relocated to
+     point to the implementation in libc.so.  */
+  return _dl_catch_error (objname, errstring, mallocedp, operate, args);
+}
+
 #endif /* DL_ERROR_BOOTSTRAP */
diff --git a/elf/rtld.c b/elf/rtld.c
index c9490ff694..ba2323baa1 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -325,6 +325,7 @@  struct rtld_global_ro _rtld_global_ro attribute_relro =
     ._dl_lookup_symbol_x = _dl_lookup_symbol_x,
     ._dl_open = _dl_open,
     ._dl_close = _dl_close,
+    ._dl_catch_error = _rtld_catch_error,
     ._dl_tls_get_addr_soft = _dl_tls_get_addr_soft,
 #ifdef HAVE_DL_DISCOVER_OSVERSION
     ._dl_discover_osversion = _dl_discover_osversion
diff --git a/elf/tst-dlmopen-dlerror-mod.c b/elf/tst-dlmopen-dlerror-mod.c
new file mode 100644
index 0000000000..dcb94320b4
--- /dev/null
+++ b/elf/tst-dlmopen-dlerror-mod.c
@@ -0,0 +1,41 @@ 
+/* Check that dlfcn errors are reported properly after dlmopen.  Test module.
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <dlfcn.h>
+#include <stddef.h>
+#include <support/check.h>
+
+/* Note: This object is not linked into the main program, so we cannot
+   use delayed test failure reporting via TEST_VERIFY etc., and have
+   to use FAIL_EXIT1 (or something else that calls exit).  */
+
+void
+call_dlsym (void)
+{
+  void *ptr = dlsym (NULL, "does not exist");
+  if (ptr != NULL)
+    FAIL_EXIT1 ("dlsym did not fail as expected");
+}
+
+void
+call_dlopen (void)
+{
+  void *handle = dlopen ("tst-dlmopen-dlerror does not exist", RTLD_NOW);
+  if (handle != NULL)
+    FAIL_EXIT1 ("dlopen did not fail as expected");
+}
diff --git a/elf/tst-dlmopen-dlerror.c b/elf/tst-dlmopen-dlerror.c
new file mode 100644
index 0000000000..0a7c79e709
--- /dev/null
+++ b/elf/tst-dlmopen-dlerror.c
@@ -0,0 +1,40 @@ 
+/* Check that dlfcn errors are reported properly after dlmopen.
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <stddef.h>
+#include <support/check.h>
+#include <support/xdlfcn.h>
+
+static int
+do_test (void)
+{
+  /* tst-sonamemove-runmod1.so does not define moved_function, but it
+     depends on tst-sonamemove-runmod2.so, which does.  */
+  void *handle = dlmopen (LM_ID_NEWLM, "tst-dlmopen-dlerror-mod.so", RTLD_NOW);
+  if (handle == NULL)
+    FAIL_EXIT1 ("dlmopen: %s", dlerror ());
+  void (*call_dlsym) (void) = xdlsym (handle, "call_dlsym");
+  void (*call_dlopen) (void) = xdlsym (handle, "call_dlopen");
+
+  call_dlsym ();
+  call_dlopen ();
+
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
index b1fc5c31f9..c8894e9518 100644
--- a/sysdeps/generic/ldsodefs.h
+++ b/sysdeps/generic/ldsodefs.h
@@ -604,6 +604,12 @@  struct rtld_global_ro
   void *(*_dl_open) (const char *file, int mode, const void *caller_dlopen,
 		     Lmid_t nsid, int argc, char *argv[], char *env[]);
   void (*_dl_close) (void *map);
+  /* libdl in a secondary namespace (after dlopen) must use
+     _dl_catch_error from the main namespace, so it has to be
+     exported in some way.  */
+  int (*_dl_catch_error) (const char **objname, const char **errstring,
+			  bool *mallocedp, void (*operate) (void *),
+			  void *args);
   void *(*_dl_tls_get_addr_soft) (struct link_map *);
 #ifdef HAVE_DL_DISCOVER_OSVERSION
   int (*_dl_discover_osversion) (void);
@@ -841,6 +847,9 @@  extern int _dl_catch_error (const char **objname, const char **errstring,
 			    void *args);
 libc_hidden_proto (_dl_catch_error)
 
+/* Used for initializing GLRO (_dl_catch_error).  */
+extern __typeof__ (_dl_catch_error) _rtld_catch_error attribute_hidden;
+
 /* Call OPERATE (ARGS).  If no error occurs, set *EXCEPTION to zero.
    Otherwise, store a copy of the raised exception in *EXCEPTION,
    which has to be freed by _dl_exception_free.  */