Description of problem: Currently ALL .so files are executable even those without a valid entry point address. Version-Release number of selected component (if applicable): Tested on rhel 8.4, rhel 7.9 and fedora 34. How reproducible: very Steps to Reproduce: $ touch zero.S $ gcc -shared -Wl,-e,0 zero.S $ readelf -hW a.out ELF Header: Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 Class: ELF64 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: DYN (Shared object file) Machine: Advanced Micro Devices X86-64 Version: 0x1 Entry point address: 0x0 Start of program headers: 64 (bytes into file) Start of section headers: 14288 (bytes into file) Flags: 0x0 Size of this header: 64 (bytes) Size of program headers: 56 (bytes) Number of program headers: 8 Size of section headers: 64 (bytes) Number of section headers: 26 Section header string table index: 25 $ ./a.out Segmentation fault (core dumped) Actual results: SIGSEGV/core file is produced. Expected results: no SIGSEGV/core file Additional info: There will be a separate binutils defect created to set the e_entry to 0 for DSOs that don't have _start. This is because currently "Entry point address:" is non-zero on all DSO's even those without a _start which also leads to segfaults.
of interest: https://bugzilla.redhat.com/show_bug.cgi?id=2004952
Some more context on this: the ELF spec states that the e_entry ELF header member, when 0, signifies that the object does not have an entry point: https://refspecs.linuxbase.org/elf/gabi4+/ch4.eheader.html What's happening currently is that the kernel relocates the entry point and then attempts to start executing at e_entry. At the moment this means the start of .text (since that's what binutils sets e_entry as if there's no _start), which ends up executing arbitrary code and crashing. However even if the object is well formed as per the spec, i.e. with "-e 0" (as in comment 0) linker option to set e_entry to 0, the kernel still relocates it and ends up trying to execute at the top of the first LOAD segment. In the general case this typically is a non-executable segment and the program crashes right away. For some DSOs (such as vdso64.so for example) however, the first LOAD segment may be executable, resulting in execution of some code before crashing. The request here is to make this case more predictable by treating e_entry == 0 as a special case like it is in the ELF spec and terminate the program right away, perhaps with a Segmentation Fault or another appropriate error.
(In reply to Siddhesh Poyarekar from comment #2) > The request here is to make this case more predictable by treating e_entry > == 0 as a special case like it is in the ELF spec and terminate the program > right away, perhaps with a Segmentation Fault or another appropriate error. We have the fault today, so that wouldn't be much of an improvement. We actually have a precise error code for this defined, ELIBEXEC.
(In reply to Florian Weimer from comment #4) > (In reply to Siddhesh Poyarekar from comment #2) > > The request here is to make this case more predictable by treating e_entry > > == 0 as a special case like it is in the ELF spec and terminate the program > > right away, perhaps with a Segmentation Fault or another appropriate error. > > We have the fault today, so that wouldn't be much of an improvement. We > actually have a precise error code for this defined, ELIBEXEC. Yeah, I agree a failed execve might be better.
This message is a reminder that Fedora Linux 34 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '34'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 34 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 34 entered end-of-life (EOL) status on 2022-06-07. Fedora Linux 34 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. Thank you for reporting this bug and we are sorry it could not be fixed.