When dlopening a shared object, _dl_open_check will throw an exception if CET shadow stack is enabled and the shared object has no shadow stack support. dl_open_worker must call _dl_open_check after relocation is finished. Otherwise, the dependency shared objects may be mmapped without relocation. This will lead to run-time failure later when they are needed by another dlopened shared object which is shadow stack enabled.

https://sourceware.org/ml/libc-alpha/2019-02/msg00579.html
https://sourceware.org/bugzilla/show_bug.cgi?id=24259
Note: My understanding is that this bug is visible even on non-CET hardware because the CET markup is checked for consistency even in non-CET mode, which makes this bug visible on current x86 hardware.
Commit:

commit d0093c5cefb7f7a4143f3bb03743633823229cc6
Author: H.J. Lu <hjl.tools>
Date:   Mon Jul 1 12:23:10 2019 -0700

    Call _dl_open_check after relocation [BZ #24259]

    This is a workaround for [BZ #20839] which doesn't remove the NODELETE
    object when _dl_open_check throws an exception. Move it after relocation
    in dl_open_worker to avoid leaving the NODELETE object mapped without
    relocation.

Please also verify upstream branch backports:

release/2.30/master - May be required. Please check.
release/2.29/master - May be required. Please check.
release/2.28/master - May be required. Please check.
Backported to upstream 2.29 and 2.28
Verified with elf/tst-cet-legacy-5a, elf/tst-cet-legacy-6a
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:1828