Bug 528631 - statically linked binary + libc secure mode = segfault
Summary: statically linked binary + libc secure mode = segfault
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 12
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Andreas Schwab
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-10-13 07:18 UTC by Michal Schmidt
Modified: 2010-01-12 23:43 UTC (History)
3 users (show)

Fixed In Version: 2.11.1-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-01-12 23:43:15 UTC
Type: ---


Attachments (Terms of Use)
patch for F-12 (2.67 KB, patch)
2009-11-25 07:27 UTC, Michal Schmidt
no flags Details | Diff

Description Michal Schmidt 2009-10-13 07:18:27 UTC
Description of problem:
When a statically linked executable is run with glibc secure mode, it segfaults before reaching main().
glibc secure mode is enabled for SUID/SGID programs, or when the SELinux policy for the program does not allow the "noatsecure" permission.
I found this bug while using the distributed compiler icecream, whose icecc-create-env scripts runs confined by SELinux and calls ldconfig (statically linked).

Version-Release number of selected component (if applicable):
glibc-2.10.90-24.x86_64

How reproducible:
always

Steps to Reproduce:
1. Get a statically linked binary (Just copy /sbin/ldconfig somewhere.)
2. Set the SUID bit for the binary. (chmod u+s the_binary)
3. Run the binary as a different user.
  
Actual results:
The binary crashes with Segmentation fault (SIGSEGV).

Expected results:
The binary should not crash.

Additional info:
Using gdb on the crashing ldconfig showed me there is a problem in elf/dl-support.c:_dl_non_dynamic_init() here:

      const char *cp = unsecure_envvars;

      while (cp < unsecure_envvars + sizeof (unsecure_envvars))
        {   
          __unsetenv (cp);
          cp = (const char *) __rawmemchr (cp, '\0') + 1;
        }

The __rawmemchr function is not really called. Instead the calls leads to address 0x04002f8 which is just before _start (0x400300):

(gdb) x/8i 0x00000000004002f8
0x4002f8:	add    %al,(%rax)
0x4002fa:	add    %al,(%rax)
0x4002fc:	add    %al,(%rax)
0x4002fe:	add    %al,(%rax)
0x400300 <_start>:	xor    %ebp,%ebp
0x400302 <_start+2>:	mov    %rdx,%r9
0x400305 <_start+5>:	pop    %rsi
0x400306 <_start+6>:	mov    %rsp,%rdx

Comment 1 Andreas Schwab 2009-10-13 10:05:58 UTC
The IPLT relocations are applied too late, __libc_csu_init is called after __libc_init_first.

Comment 2 Bug Zapper 2009-11-16 13:35:17 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Ulrich Drepper 2009-11-24 19:18:41 UTC
Fixed upstream.  Can easily be backported but all statically linked code affected by this must be relinked.

Comment 4 Michal Schmidt 2009-11-25 07:27:56 UTC
Created attachment 373677 [details]
patch for F-12

Thank you Ulrich. I tested the patch on F-12's glibc and it works. ldconfig segfaults no more. I'm attaching it.

Andreas, would you apply it into F-12? Personally I'd just like ldconfig fixed and ldconfig is a part of the glibc package itself.

Comment 5 Fedora Update System 2009-11-30 16:35:53 UTC
glibc-2.11-4 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/glibc-2.11-4

Comment 6 Fedora Update System 2009-12-02 04:26:07 UTC
glibc-2.11-4 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update glibc'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12470

Comment 7 Fedora Update System 2010-01-05 22:45:29 UTC
glibc-2.11.1-1 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update glibc'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12470

Comment 8 Fedora Update System 2010-01-12 23:42:53 UTC
glibc-2.11.1-1 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.