Bug 1682954

Summary: glibc: Call _dl_open_check (CET related) after relocation is finished
Product: Red Hat Enterprise Linux 8
Reporter: Carlos O'Donell <codonell>
Component: glibc
Assignee: DJ Delorie <dj>
Status: CLOSED ERRATA
QA Contact: qe-baseos-tools-bugs
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.0
CC: ashankar, codonell, dj, fweimer, mcermak, mnewsome, pfrankli, skolosov, tgummels, woodard
Target Milestone: rc
Keywords: Patch, Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: glibc-2.28-82.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-28 16:50:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1682593
Bug Blocks: 1755139, 1746913

Description Carlos O'Donell 2019-02-25 22:35:15 UTC
When dlopening a shared object, _dl_open_check will throw an exception
if CET shadow stack is enabled and the shared object has no shadow stack
support.  dl_open_worker must call _dl_open_check after relocation is
finished.  Otherwise, the dependency shared objects may be mmapped
without relocation.  This will lead to run-time failure later when they
are needed by another dlopened shared object which is shadow stack
enabled.

https://sourceware.org/ml/libc-alpha/2019-02/msg00579.html

https://sourceware.org/bugzilla/show_bug.cgi?id=24259
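The check that _dl_open_check performs on x86 compares the CET markup of the object being loaded (the GNU_PROPERTY_X86_FEATURE_1_AND property in its .note.gnu.property note, carried by the PT_GNU_PROPERTY segment the dynamic loader processes) against the shadow-stack/IBT state already in effect; an object whose note lacks the SHSTK bit is what makes the check throw. The program below is an added example, not glibc code and not part of this bug report: it reads that markup from an ELF64 file, or from a note constructed inline, so you can see which objects would trip the check. The struct layouts and constants are minimal local copies of the ELF64 gABI and x86-64 psABI definitions (the same values glibc's <elf.h> uses); the sample note it builds is synthetic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Property-note constants from the ELF gABI and x86-64 psABI (same values as
   glibc's <elf.h>; defined here so the example builds without it). */
#define NT_GNU_PROPERTY_TYPE_0           5u
#define PT_GNU_PROPERTY                  0x6474e553u
#define GNU_PROPERTY_STACK_SIZE          1u
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT   (1u << 0)
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK (1u << 1)

/* Minimal local copies of the ELF64 header layouts (no <elf.h> dependency). */
struct ehdr64 {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
};
struct phdr64 {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
};

static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Walk the properties in a NT_GNU_PROPERTY_TYPE_0 descriptor (ELF64 layout:
   pr_type, pr_datasz, then data padded to 8 bytes) looking for
   GNU_PROPERTY_X86_FEATURE_1_AND.  Returns 1 if found (bits in *features),
   0 if absent (a legacy, unmarked object), -1 if the descriptor is malformed. */
int find_x86_feature_1_and(const uint8_t *desc, size_t descsz, uint32_t *features)
{
    size_t off = 0;
    while (off + 8 <= descsz) {
        uint32_t pr_type = get32(desc + off), pr_datasz = get32(desc + off + 4);
        off += 8;
        if (pr_datasz > descsz - off) return -1;
        if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND) {
            if (pr_datasz != 4) return -1;
            *features = get32(desc + off);
            return 1;
        }
        off += ((size_t)pr_datasz + 7) & ~(size_t)7;   /* skip data plus padding */
    }
    return 0;
}

/* Parse a whole GNU property note, i.e. the bytes of a PT_GNU_PROPERTY segment:
   Elf64_Nhdr (namesz, descsz, type), the name "GNU\0", then the descriptor,
   which on ELF64 starts at an 8-byte-aligned offset. */
int parse_gnu_property_note(const uint8_t *note, size_t len, uint32_t *features)
{
    if (len < 16) return -1;
    uint32_t namesz = get32(note), descsz = get32(note + 4), type = get32(note + 8);
    size_t desc_off = (12 + (size_t)namesz + 7) & ~(size_t)7;
    if (type != NT_GNU_PROPERTY_TYPE_0 || namesz != 4 ||
        memcmp(note + 12, "GNU", 4) != 0 || descsz > len - desc_off)
        return -1;
    return find_x86_feature_1_and(note + desc_off, descsz, features);
}

/* Build a constructed (synthetic, not taken from any real object) property
   note that marks an object with the given feature bits.  Returns its length. */
size_t build_property_note(uint8_t *buf, uint32_t features)
{
    put32(buf, 4); put32(buf + 4, 16); put32(buf + 8, NT_GNU_PROPERTY_TYPE_0);
    memcpy(buf + 12, "GNU", 4);
    put32(buf + 16, GNU_PROPERTY_X86_FEATURE_1_AND); put32(buf + 20, 4);
    put32(buf + 24, features); put32(buf + 28, 0);   /* 4 bytes of padding */
    return 32;
}

/* Read the PT_GNU_PROPERTY segment of an ELF64 file and report its x86 feature
   bits.  Same return convention as above; -2 if the file is not readable ELF64. */
int file_x86_feature_1_and(const char *path, uint32_t *features)
{
    struct ehdr64 eh; struct phdr64 ph; uint8_t note[512];
    FILE *f = fopen(path, "rb");
    if (!f) return -2;
    int rc = -2;
    if (fread(&eh, sizeof eh, 1, f) == 1 && memcmp(eh.e_ident, "\177ELF", 4) == 0 &&
        eh.e_ident[4] == 2 /* ELFCLASS64 */ && eh.e_phentsize == sizeof ph) {
        rc = 0;                      /* no property segment: unmarked object */
        for (unsigned i = 0; i < eh.e_phnum; i++) {
            if (fseek(f, (long)(eh.e_phoff + i * sizeof ph), SEEK_SET) != 0 ||
                fread(&ph, sizeof ph, 1, f) != 1) { rc = -2; break; }
            if (ph.p_type != PT_GNU_PROPERTY) continue;
            if (ph.p_filesz > sizeof note) { rc = -1; break; }
            if (fseek(f, (long)ph.p_offset, SEEK_SET) != 0 ||
                fread(note, 1, ph.p_filesz, f) != ph.p_filesz) { rc = -2; break; }
            rc = parse_gnu_property_note(note, (size_t)ph.p_filesz, features);
            break;
        }
    }
    fclose(f);
    return rc;
}

static void report(const char *what, int rc, uint32_t features)
{
    if (rc == 1)
        printf("%s: marked, IBT=%s SHSTK=%s\n", what,
               features & GNU_PROPERTY_X86_FEATURE_1_IBT ? "yes" : "no",
               features & GNU_PROPERTY_X86_FEATURE_1_SHSTK ? "yes" : "no");
    else if (rc == 0) printf("%s: no CET markup (legacy object)\n", what);
    else printf("%s: unreadable or malformed property note\n", what);
}

int main(int argc, char **argv)
{
    uint8_t buf[64]; uint32_t features = 0;
    size_t n = build_property_note(buf, GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK);
    report("constructed note", parse_gnu_property_note(buf, n, &features), features);
    for (int i = 1; i < argc; i++) {   /* e.g. ./a.out /lib64/libc.so.6 */
        features = 0;
        report(argv[i], file_x86_feature_1_and(argv[i], &features), features);
    }
    return 0;
}
```

Run it over the shared objects a dlopen call will pull in: with shadow stack enabled in the process, any dependency that reports "no CET markup" or SHSTK=no is the kind of object that makes _dl_open_check throw, and before the fix described above its already-mapped but unrelocated dependencies were what a later dlopen then stumbled over.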

Comment 8 Florian Weimer 2019-08-30 11:18:12 UTC
Note: My understanding is that this bug is visible even on non-CET hardware because the CET markup is checked for consistency even in non-CET mode, which makes this bug visible on current x86 hardware.

Comment 10 Carlos O'Donell 2019-10-22 13:54:21 UTC
Commit:

commit d0093c5cefb7f7a4143f3bb03743633823229cc6
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jul 1 12:23:10 2019 -0700

    Call _dl_open_check after relocation [BZ #24259]
    
    This is a workaround for [BZ #20839] which doesn't remove the NODELETE
    object when _dl_open_check throws an exception.  Move it after relocation
    in dl_open_worker to avoid leaving the NODELETE object mapped without
    relocation.

Please also verify upstream branch backports:

release/2.30/master - May be required. Please check.
release/2.29/master - May be required. Please check.
release/2.28/master - May be required. Please check.

Comment 11 DJ Delorie 2019-11-01 19:30:28 UTC
Backported to upstream 2.29 and 2.28

Comment 14 Sergey Kolosov 2020-03-17 18:31:07 UTC
Verified with elf/tst-cet-legacy-5a, elf/tst-cet-legacy-6a

Comment 16 errata-xmlrpc 2020-04-28 16:50:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1828