Bug 1395758
Summary: | glibc: incomplete rollback of dynamic linker state on linking failure | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Stephan Bergmann <sbergman> |
Component: | glibc | Assignee: | Florian Weimer <fweimer> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | arjun.is, cassiomolusco, codonell, dj, edoubrayrie, fweimer, jakub, law, mfabian, pfrankli, siddhesh |
Target Milestone: | --- | Keywords: | Patch |
Target Release: | --- | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | |||
Fixed In Version: | glibc-2.30.9000-30.fc32 glibc-2.30-10.fc31 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-01-20 13:27:20 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1778344, 1778366 | ||
Bug Blocks: | 1410154 |
Description
Stephan Bergmann
2016-11-16 15:36:56 UTC
The crash happens while relocating a reference to the __ctype_toupper_loc symbol in /lib64/libglib-2.0.so, after a dlopen of /opt/openoffice4/program/../program/libfwk.so. The crash does not happen if this DSO is opened by itself. We end up here in elf/do-rel.h: 114 #ifdef RTLD_BOOTSTRAP 115 /* The dynamic linker always uses versioning. */ 116 assert (map->l_info[VERSYMIDX (DT_VERSYM)] != NULL); 117 #else 118 if (map->l_info[VERSYMIDX (DT_VERSYM)]) 119 #endif 120 { 121 const ElfW(Half) *const version = 122 (const void *) D_PTR (map, l_info[VERSYMIDX (DT_VERSYM)]); 123 124 for (; r < end; ++r) 125 { 126 #if defined ELF_MACHINE_IRELATIVE && !defined RTLD_BOOTSTRAP 127 if (ELFW(R_TYPE) (r->r_info) == ELF_MACHINE_IRELATIVE) 128 { 129 if (r2 == NULL) 130 r2 = r; 131 end2 = r; 132 continue; 133 } 134 #endif 135 136 ElfW(Half) ndx = version[ELFW(R_SYM) (r->r_info)] & 0x7fff 136 ; 137 elf_machine_rel (map, r, &symtab[ELFW(R_SYM) (r->r_info)], 138 &map->l_versions[ndx], 139 (void *) (l_addr + r->r_offset), skip_ifu 139 nc); 140 } At line 137, map->l_versions is NULL: (gdb) print map->l_versions $7 = (struct r_found_version *) 0x0 But this is clearly wrong because glib has symbol versioning information (both on disk and as indicated by map->l_info[VERSYMIDX (DT_VERSYM)], otherwise we would not have entered that conditional. I'm not sure if _dl_check_map_versions has run at this point. It's not a recent glibc change which causes this. I went back to glibc 2.18, and it exhibits the same problem (still with the Fedora 24 system DSOs). (In reply to Florian Weimer from comment #1) > But this is clearly wrong because glib has symbol versioning information > (both on disk and as indicated by map->l_info[VERSYMIDX (DT_VERSYM)], > otherwise we would not have entered that conditional. I'm not sure if > _dl_check_map_versions has run at this point. Debugging this code is exceedingly difficult because of the relocation restrictions in the early startup and in general -O2. My expectation is that gdb is simply wrong and that map->l_versions is not NULL. The interesting part is the SIGSEGV. Any chance you can get a trimmed down reproducer? I'm looking at extending our tracer into dlopen to be able to take a bunch of DSOs and simulate a startup load sequence, just to debug these kinds of issues (cycles, constructor orders etc.). (In reply to Carlos O'Donell from comment #3) > The interesting part is the SIGSEGV. Any chance you can get a trimmed down > reproducer? Unfortunately not. And I have no idea what toolchain was used to produce it and what the platforms are where it is actually supposed to work. I just assumed that it was build in a way generic enough to let it work on any contemporary distro. Seeing it crash I just wanted to inform you about it, in case it was something obvious. (In reply to Carlos O'Donell from comment #3) > (In reply to Florian Weimer from comment #1) > > But this is clearly wrong because glib has symbol versioning information > > (both on disk and as indicated by map->l_info[VERSYMIDX (DT_VERSYM)], > > otherwise we would not have entered that conditional. I'm not sure if > > _dl_check_map_versions has run at this point. > > Debugging this code is exceedingly difficult because of the relocation > restrictions in the early startup and in general -O2. My expectation is that > gdb is simply wrong and that map->l_versions is not NULL. No, I set a conditional breakpoint well before the SIGSEGV, and a _dl_printf reports: elf_dynamic_do_Rela: NULL l_versions for: /lib64/libglib-2.0.so.0 Note that the crash happens after dlopen, not during the initial link, which means that GDB should be fairly reliable (if it works at all, but due to aggressive inlining, this is often not the case). LD_DEBUG=files with some additional _dl_printf calls gives this output: __dlopen: /opt/openoffice4/program/libvclplug_gtk.so _dl_map_object: /opt/openoffice4/program/libvclplug_gtk.so 8466: 8466: file=/opt/openoffice4/program/libvclplug_gtk.so [0]; dynamically loaded by /opt/openoffice4/program/libuno_sal.so.3 [0] 8466: file=/opt/openoffice4/program/libvclplug_gtk.so [0]; generating link map 8466: dynamic: 0x00007fffeb5bb488 base: 0x00007fffeb367000 size: 0x0000000000256870 8466: entry: 0x00007fffeb37c7a0 phdr: 0x00007fffeb367040 phnum: 5 8466: dl_open_worker: loading dependencies for: /opt/openoffice4/program/libvclplug_gtk.so _dl_map_object: libvclplug_gen.so 8466: 8466: file=libvclplug_gen.so [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libvclplug_gen.so [0]; generating link map 8466: dynamic: 0x00007fffeb3617a8 base: 0x00007fffeb091000 size: 0x00000000002d5830 8466: entry: 0x00007fffeb0c3a80 phdr: 0x00007fffeb091040 phnum: 5 8466: _dl_map_object: libSM.so.6 8466: 8466: file=libSM.so.6 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libSM.so.6 [0]; generating link map 8466: dynamic: 0x00007fffeb08fc68 base: 0x00007fffeae89000 size: 0x0000000000207030 8466: entry: 0x00007fffeae8aad0 phdr: 0x00007fffeae89040 phnum: 7 8466: _dl_map_object: libICE.so.6 8466: 8466: file=libICE.so.6 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libICE.so.6 [0]; generating link map 8466: dynamic: 0x00007fffeae84910 base: 0x00007fffeac6d000 size: 0x000000000021bca0 8466: entry: 0x00007fffeac71b10 phdr: 0x00007fffeac6d040 phnum: 7 8466: _dl_map_object: libdbus-glib-1.so.2 8466: 8466: file=libdbus-glib-1.so.2 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libdbus-glib-1.so.2 [0]; generating link map 8466: dynamic: 0x00007fffeac6b0f0 base: 0x00007fffeaa40000 size: 0x000000000022c178 8466: entry: 0x00007fffeaa4a1a0 phdr: 0x00007fffeaa40040 phnum: 7 8466: _dl_map_object: libdbus-1.so.3 8466: 8466: file=libdbus-1.so.3 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libdbus-1.so.3 [0]; generating link map 8466: dynamic: 0x00007fffeaa3df08 base: 0x00007fffea7f0000 size: 0x000000000024f2d0 8466: entry: 0x00007fffea7fd740 phdr: 0x00007fffea7f0040 phnum: 7 8466: _dl_map_object: libgobject-2.0.so.0 8466: 8466: file=libgobject-2.0.so.0 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libgobject-2.0.so.0 [0]; generating link map 8466: dynamic: 0x00007fffea7ee800 base: 0x00007fffea59e000 size: 0x0000000000251b88 8466: entry: 0x00007fffea5a8340 phdr: 0x00007fffea59e040 phnum: 7 8466: _dl_map_object: libglib-2.0.so.0 8466: 8466: file=libglib-2.0.so.0 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libglib-2.0.so.0 [0]; generating link map 8466: dynamic: 0x00007fffea59c700 base: 0x00007fffea290000 size: 0x000000000030df18 8466: entry: 0x00007fffea2aa2b0 phdr: 0x00007fffea290040 phnum: 7 8466: _dl_map_object: libgtk-x11-2.0.so.0 8466: 8466: file=libgtk-x11-2.0.so.0 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libgtk-x11-2.0.so.0 [0]; generating link map 8466: dynamic: 0x00007fffea289598 base: 0x00007fffe9c0a000 size: 0x0000000000685d38 8466: entry: 0x00007fffe9c70030 phdr: 0x00007fffe9c0a040 phnum: 7 8466: _dl_map_object: libgdk-x11-2.0.so.0 8466: 8466: file=libgdk-x11-2.0.so.0 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libgdk-x11-2.0.so.0 [0]; generating link map 8466: dynamic: 0x00007fffe9c07900 base: 0x00007fffe9949000 size: 0x00000000002c0758 8466: entry: 0x00007fffe99662c0 phdr: 0x00007fffe9949040 phnum: 7 8466: _dl_map_object: libatk-1.0.so.0 8466: 8466: file=libatk-1.0.so.0 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libatk-1.0.so.0 [0]; generating link map 8466: dynamic: 0x00007fffe9947710 base: 0x00007fffe9723000 size: 0x0000000000225498 8466: entry: 0x00007fffe972db30 phdr: 0x00007fffe9723040 phnum: 7 8466: _dl_map_object: libpangocairo-1.0.so.0 8466: 8466: file=libpangocairo-1.0.so.0 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libpangocairo-1.0.so.0 [0]; generating link map 8466: dynamic: 0x00007fffe97217e8 base: 0x00007fffe9516000 size: 0x000000000020c098 8466: entry: 0x00007fffe951a3c0 phdr: 0x00007fffe9516040 phnum: 7 8466: _dl_map_object: libpango-1.0.so.0 8466: 8466: file=libpango-1.0.so.0 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libpango-1.0.so.0 [0]; generating link map 8466: dynamic: 0x00007fffe95148a8 base: 0x00007fffe92cb000 size: 0x000000000024a288 8466: entry: 0x00007fffe92d78f0 phdr: 0x00007fffe92cb040 phnum: 7 8466: _dl_map_object: libcairo.so.2 8466: 8466: file=libcairo.so.2 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] 8466: file=libcairo.so.2 [0]; generating link map 8466: dynamic: 0x00007fffe92c7030 base: 0x00007fffe8fa2000 size: 0x00000000003281d0 8466: entry: 0x00007fffe8fb4d20 phdr: 0x00007fffe8fa2040 phnum: 7 8466: _dl_map_object: libgdk_pixbuf_xlib-2.0.so.0 8466: 8466: file=libgdk_pixbuf_xlib-2.0.so.0 [0]; needed by /opt/openoffice4/program/libvclplug_gtk.so [0] _dl_signal_error: reporting link error in libgdk_pixbuf_xlib-2.0.so.0: cannot open shared object file _dl_signal_error: reporting link error in libgdk_pixbuf_xlib-2.0.so.0: cannot open shared object file 8466: 8466: file=/opt/openoffice4/program/libvclplug_gtk.so [0]; destroying link map 8466: 8466: file=/opt/openoffice4/program/libvclplug_gen.so [0]; destroying link map 8466: 8466: file=/lib64/libSM.so.6 [0]; destroying link map 8466: 8466: file=/lib64/libICE.so.6 [0]; destroying link map 8466: 8466: file=/lib64/libdbus-glib-1.so.2 [0]; destroying link map 8466: 8466: file=/lib64/libdbus-1.so.3 [0]; destroying link map 8466: 8466: file=/lib64/libgtk-x11-2.0.so.0 [0]; destroying link map 8466: 8466: file=/lib64/libgdk-x11-2.0.so.0 [0]; destroying link map 8466: 8466: file=/lib64/libatk-1.0.so.0 [0]; destroying link map 8466: 8466: file=/lib64/libpangocairo-1.0.so.0 [0]; destroying link map 8466: 8466: file=/lib64/libpango-1.0.so.0 [0]; destroying link map 8466: 8466: file=/lib64/libcairo.so.2 [0]; destroying link map _dl_signal_error: reporting link error in libgdk_pixbuf_xlib-2.0.so.0: cannot open shared object file __dlopen: /opt/openoffice4/program/libvclplug_gtk.so RETURNED WITH ERROR Note how a link map for libglib-2.0.so.0 is set up, but never destroyed. This is clearly a dynamic linker bug. Stephan, the crash is triggered by a missing dependency in the OpenOffice RPMs. You can install the gdk-pixbuf2-xlib package manually, and the crash will be gone. I didn't test things further, but I could get to the “Welcome to OpenOffice 4.1.3” screen. Note that /usr/lib64/libglib-2.0.so.0 has NODELETE set, which could be the reason why it is not subject to cleanup. This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. We are tracking this upstream. *** Bug 1755176 has been marked as a duplicate of this bug. *** *** Bug 1624941 has been marked as a duplicate of this bug. *** The upstream fix has landed. Next step is to get this into rawhide. This is now in Rawhide, but we need to work through some reported regressions e.g. 1778344 and 1778366 glibc-2.30.9000-24.fc32 has a fix for the calibre build failure (bug 1778344) and a workaround for the firefox sandbox issue (bug 1778366). We want to backport this into release branches, too, because the dlopen bug affected many users. The rawhide fix had to be updated with additional upstream backports. The Fedora 31 build is still running. FEDORA-2020-1a3bdfde17 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-1a3bdfde17 glibc-2.30-10.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-1a3bdfde17 glibc-2.30-10.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report. |