|Summary:||executable code in .data in ld.so renders system unusable for PaX users|
|Product:||[Retired] Red Hat Linux||Reporter:||PaX Team <pageexec>|
|Component:||glibc||Assignee:||Jakub Jelinek <jakub>|
|Status:||CLOSED ERRATA||QA Contact:||Brian Brock <bbrock>|
|Fixed In Version:||2.3.2-27.9.7||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2003-11-13 21:51:43 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description PaX Team 2003-11-12 23:05:17 UTC
From Bugzilla Helper: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Description of problem: Due to an error somewhere in the toolchain or glibc itself, the dl_sysinfo_int80() function ends up in the .data section of ld- linux.so instead of its usual place .text. On systems that use a PaX kernel this will make all dynamically linked applications die and render the system unusable. Version-Release number of selected component (if applicable): glibc-2.3.2-27.9.6.i686 How reproducible: Always Steps to Reproduce: 1. install a PaX kernel (http://pageexec.virtualave.net) 2. enable the SEGMEXEC and MPROTECT options, recompile/reboot 3. watch syslog/console as dynamically linked applications run and get killed Actual Results: PaX will kill dynamically linked applications and report messages like: Nov 12 21:45:50 goliath kernel: PAX: terminating task: /bin/ls (ls):2323, uid/euid: 0/0, PC: 268a8440, SP: 5f908958 Nov 12 21:45:50 goliath kernel: PAX: bytes at PC: cd 80 c3 00 0e 00 00 00 b0 02 00 00 04 00 00 00 94 30 89 26 Note that addresses are randomized but based on the reported byte sequence you can quickly find and identify dl_sysinfo_int80 as the culprit. Expected Results: No errors, apps should have worked as before. Additional info: After having looked in the corresponding .src.rpm it's not clear where the error was introduced, the source code properly puts the code in question into .text, so it might be a problem with binutils/ld instead.
Comment 1 Jakub Jelinek 2003-11-13 01:09:32 UTC
Comment 2 Roy W. Reter 2003-11-13 01:13:13 UTC
Work around that I found if you have a custom kernel. Boot into a Red Hat standard kernel and force install glibc-2.3.2-27.9.6.i386.rpm and then reboot into your custom kernel.
Comment 3 PAX USER 2003-11-13 07:42:21 UTC
The version 2.3.2-27.9.7 is working except for /usr/sbin/iconvconfig (glibc-2.3.2-27.9.7.i686.rpm) Nov 13 08:29:24 goliath kernel: PAX: terminating task: /usr/sbin/iconvconfig(iconvconfig):3078, uid/euid: 0/0, PC: 5eed1030, SP: 5eed0f3c Nov 13 08:29:24 goliath kernel: PAX: bytes at PC: b9 90 10 ed 5e e9 36 8a 17 a9 ed 5e 7f 98 04 08 f8 d8 07 08 look like it break the install of the rpm in the %post section error: %post(glibc-2.3.2-27.9.7) scriptlet failed, exit status 115
Comment 4 Jakub Jelinek 2003-11-13 08:41:06 UTC
If PaX doesn't handle programs using nested functions whose address is taken, then it is broken IMHO. See Exec-Shield in Fedora Core 1 for a (better) alternative.
Comment 5 PaX Team 2003-11-13 11:47:57 UTC
PaX handles nested function trampolines by emulating them however this requires that users explicitly enable this feature (both in the kernel .config and on affected binaries). Work is in progress to do this automatically based on the PT_GNU_STACK marking (note that this particular series of glibc releases does not carry such markings so they would still require user intervention). The suggested alternative is not acceptable to PaX users because of its lesser security features, also it is an apples to oranges comparison as iconvconfig in Fedora has been explicitly modified to not use nested functions (see the move of iconv/iconvconfig.c:name_insert() in glibc-redhat.patch), obviously that will work with a non-executable stack, be that provided by Exec- Shield or PaX.
Comment 6 Jakub Jelinek 2003-11-13 21:51:43 UTC
iconvconfig in Fedora doesn't use trampolines simply because I needed that patch when Exec-Shield did not honor PT_GNU_STACK yet. But as iconvconfig is single threaded, it really doesn't have to use the trampolines, so I kept the patch. It would work just fine even without it though in FC1.