Bug 1682954 - glibc: Call _dl_open_check (CET related) after relocation is finished
Summary: glibc: Call _dl_open_check (CET related) after relocation is finished
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: glibc
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: DJ Delorie
QA Contact: qe-baseos-tools-bugs
URL:
Whiteboard:
Depends On: 1682593
Blocks: 1755139 1746913
Reported: 2019-02-25 22:35 UTC by Carlos O'Donell
Modified: 2020-09-20 13:23 UTC (History)
CC List: 10 users

Fixed In Version: glibc-2.28-82.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:50:14 UTC
Type: Bug
Target Upstream Version:

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1828 None None None 2020-04-28 16:50:50 UTC
Sourceware 24259 P2 NEW Call _dl_open_check after relocation is finished, to deal with CET failures 2020-05-21 14:06:14 UTC

Description Carlos O'Donell 2019-02-25 22:35:15 UTC
When dlopening a shared object, _dl_open_check will throw an exception
if CET shadow stack is enabled and the shared object has no shadow stack
support.  dl_open_worker must call _dl_open_check after relocation is
finished.  Otherwise, the dependency shared objects may be mmapped
without relocation.  This will lead to run-time failure later when they
are needed by another dlopened shared object which is shadow stack
enabled.

https://sourceware.org/ml/libc-alpha/2019-02/msg00579.html

https://sourceware.org/bugzilla/show_bug.cgi?id=24259

Comment 8 Florian Weimer 2019-08-30 11:18:12 UTC
Note: My understanding is that this bug is visible even on non-CET hardware because the CET markup is checked for consistency even in non-CET mode, which makes this bug visible on current x86 hardware.
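The description and the comment above both turn on the "CET markup" that _dl_open_check validates: the GNU_PROPERTY_X86_FEATURE_1_AND property inside an object's .note.gnu.property ELF note, whose IBT and SHSTK bits say whether the object was built with CET support (readelf -n prints the same property). The following C program is an added example, not glibc's code or the bug's test cases: it parses a constructed note blob laid out the way x86-64 ELF does (gABI note header, 8-byte property alignment) and reports whether the object advertises shadow-stack support. The macro values are the ELF ABI constants; the byte arrays, the NOTE_ALIGN name and the function names are constructed for this example.

```c
/* Added example (not glibc code): parse a constructed x86-64 .note.gnu.property
 * blob and report the CET feature bits that the dynamic loader checks. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0           5u          /* note type carrying GNU properties */
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u /* pr_type that holds the CET bits */
#define GNU_PROPERTY_X86_FEATURE_1_IBT   0x1u        /* indirect branch tracking */
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK 0x2u        /* shadow stack */
#define NOTE_ALIGN                       8u          /* ELF64 .note.gnu.property alignment (assumed for x86-64) */

static size_t align_up(size_t v, size_t a) { return (v + a - 1) & ~(a - 1); }

/* Unaligned little-endian 32-bit read (note fields are 4-byte words). */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Walk the notes in buf. Returns 1 and stores the feature bits when a
 * GNU_PROPERTY_X86_FEATURE_1_AND property is found, 0 when the blob carries
 * none (a legacy, non-CET object), and -1 when the blob is malformed. */
int parse_x86_feature_1(const uint8_t *buf, size_t len, uint32_t *features)
{
    size_t off = 0;
    while (off + 12 <= len) {
        uint32_t namesz = rd32(buf + off);
        uint32_t descsz = rd32(buf + off + 4);
        uint32_t type   = rd32(buf + off + 8);
        size_t name_off = off + 12;
        if (namesz > len - name_off) return -1;                   /* name runs past the buffer */
        size_t desc_off = align_up(name_off + namesz, NOTE_ALIGN);
        if (desc_off > len || descsz > len - desc_off) return -1; /* truncated descriptor */
        size_t desc_end = desc_off + descsz;

        if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 &&
            memcmp(buf + name_off, "GNU", 4) == 0) {
            /* Descriptor is a sequence of (pr_type, pr_datasz, data, pad) entries. */
            size_t p = desc_off;
            while (p + 8 <= desc_end) {
                uint32_t pr_type = rd32(buf + p);
                uint32_t pr_datasz = rd32(buf + p + 4);
                p += 8;
                if (pr_datasz > desc_end - p) return -1;           /* property overruns descriptor */
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND) {
                    if (pr_datasz != 4) return -1;                 /* ABI fixes the payload at 4 bytes */
                    *features = rd32(buf + p);
                    return 1;
                }
                p = align_up(p + pr_datasz, NOTE_ALIGN);
            }
        }
        off = align_up(desc_end, NOTE_ALIGN);
    }
    return 0;
}

/* 1 if the note advertises the given feature bit, 0 if not, -1 if malformed. */
int note_has_feature(const uint8_t *buf, size_t len, uint32_t bit)
{
    uint32_t features = 0;
    int r = parse_x86_feature_1(buf, len, &features);
    if (r <= 0) return r;
    return (features & bit) ? 1 : 0;
}

/* Constructed sample: one NT_GNU_PROPERTY_TYPE_0 note, owner "GNU", with a
 * single X86_FEATURE_1_AND property whose payload is IBT|SHSTK (0x3). */
static const uint8_t cet_note[32] = {
    0x04, 0x00, 0x00, 0x00,          /* namesz = 4 */
    0x10, 0x00, 0x00, 0x00,          /* descsz = 16 */
    0x05, 0x00, 0x00, 0x00,          /* type = NT_GNU_PROPERTY_TYPE_0 */
    'G', 'N', 'U', 0x00,             /* name */
    0x02, 0x00, 0x00, 0xc0,          /* pr_type = GNU_PROPERTY_X86_FEATURE_1_AND */
    0x04, 0x00, 0x00, 0x00,          /* pr_datasz = 4 */
    0x03, 0x00, 0x00, 0x00,          /* data = IBT | SHSTK */
    0x00, 0x00, 0x00, 0x00,          /* pad to 8-byte property alignment */
};

/* Constructed sample of a legacy object: same note, but no CET bits set. */
static const uint8_t legacy_note[32] = {
    0x04, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
    'G', 'N', 'U', 0x00,
    0x02, 0x00, 0x00, 0xc0, 0x04, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    printf("cet_note    SHSTK=%d IBT=%d\n",
           note_has_feature(cet_note, sizeof cet_note, GNU_PROPERTY_X86_FEATURE_1_SHSTK),
           note_has_feature(cet_note, sizeof cet_note, GNU_PROPERTY_X86_FEATURE_1_IBT));
    printf("legacy_note SHSTK=%d\n",
           note_has_feature(legacy_note, sizeof legacy_note, GNU_PROPERTY_X86_FEATURE_1_SHSTK));
    printf("truncated   result=%d\n",
           note_has_feature(cet_note, 20, GNU_PROPERTY_X86_FEATURE_1_SHSTK));
    return 0;
}
```

Parsing stops at the first X86_FEATURE_1_AND property and rejects any note or property that overruns the buffer, which is the shape of check a loader needs before trusting property bits from a freshly mapped object. The legacy sample returns 0 rather than an error: an object without the SHSTK bit is well-formed, it simply cannot be loaded into a process whose shadow stack is already enabled, which is the condition that makes _dl_open_check throw.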

Comment 10 Carlos O'Donell 2019-10-22 13:54:21 UTC
Commit:

commit d0093c5cefb7f7a4143f3bb03743633823229cc6
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jul 1 12:23:10 2019 -0700

    Call _dl_open_check after relocation [BZ #24259]
    
    This is a workaround for [BZ #20839] which doesn't remove the NODELETE
    object when _dl_open_check throws an exception.  Move it after relocation
    in dl_open_worker to avoid leaving the NODELETE object mapped without
    relocation.

Please also verify upstream branch backports:

release/2.30/master - May be required. Please check.
release/2.29/master - May be required. Please check.
release/2.28/master - May be required. Please check.

Comment 11 DJ Delorie 2019-11-01 19:30:28 UTC
Backported to upstream 2.29 and 2.28

Comment 14 Sergey Kolosov 2020-03-17 18:31:07 UTC
Verified with elf/tst-cet-legacy-5a, elf/tst-cet-legacy-6a

Comment 16 errata-xmlrpc 2020-04-28 16:50:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1828