63422 – incorrect relocation applied in libmcop.so.1

Bug 63422 - incorrect relocation applied in libmcop.so.1

Summary: incorrect relocation applied in libmcop.so.1

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Red Hat Public Beta
Classification:	Retired
Component:	glibc
Sub Component:
Version:	skipjack-beta2
Hardware:	i686
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Jakub Jelinek
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	61590
TreeView+	depends on / blocked

Reported:	2002-04-13 16:12 UTC by Alexandre Oliva
Modified:	2016-11-24 15:12 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2002-04-15 03:37:55 UTC
Embargoed:

Attachments	(Terms of Use)

Description Alexandre Oliva 2002-04-13 16:12:58 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020408

Description of problem:
The dynamic loader stores an unmapped address in the GOT entry of a symbol of a
dependency library of a dlopened library.

Version-Release number of selected component (if applicable):
2.2.5-32

How reproducible:
Always

Steps to Reproduce:
The following program, that worked fine on 7.2, fails on skipjack-beta2 + all
RHN updates published on and before 2002-04-12.

% cat t.c
#include <SDL/SDL.h>

int main() {
  SDL_Init(16);
}
% gcc t.c -g -lSDL -lpthread
% gdb ./a.out
[snip]
(gdb) run
Program received signal SIGSEGV, Segmentation fault.
0x400a40c7 in pthread_mutex_lock () from /lib/i686/libpthread.so.0
(gdb) disass $pc $pc+1
Dump of assembler code from 0x400a40c7 to 0x400a40c8:
0x400a40c7 <pthread_mutex_lock+23>:	mov    0xc(%edi),%eax
End of assembler dump.
(gdb) p /x $edi
$1 = 0x40025080
(gdb) p /x *(void**)($ebp+8)
$2 = 0x40025080
(gdb) up
#1  0x404283f8 in __tcf_0 () from /usr/lib/libmcop.so.1
(gdb) b __tcf_0
Breakpoint 1 at 0x40428396
(gdb) run
[...]
Breakpoint 1, 0x40428396 in __tcf_0 () from /usr/lib/libmcop.so.1
(gdb) until *0x404283e9
0x404283e9 in __tcf_0 () from /usr/lib/libmcop.so.1
(gdb) disass $pc $pc+16
Dump of assembler code from 0x404283e9 to 0x404283f9:
0x404283e9 <__tcf_0+89>:	mov    0x1338(%ebx),%eax
0x404283ef <__tcf_0+95>:	push   %eax
0x404283f0 <__tcf_0+96>:	mov    %eax,0xffffffec(%ebp)
0x404283f3 <__tcf_0+99>:	call   0x403d5d2c <_init+6216>
0x404283f8 <__tcf_0+104>:	pop    %eax
End of assembler dump.
(gdb) p /x $ebx
$3 = 0x4045ec04
(gdb) p /x $ebx+0x1338
$4 = 0x4045ff3c
(gdb) p *(void**)$
$5 = (void *) 0x40025080
(gdb) p *(void**)$
Cannot access memory at address 0x40025080
[how come the dynamic loader set up the GOT pointing at an invalid address?]
(gdb) info shar
From        To          Syms Read   Shared Object Library
0x400354c0  0x40079390  Yes         /usr/lib/libSDL-1.2.so.0
0x400a1410  0x400a93c0  Yes         /lib/i686/libpthread.so.0
0x420172d0  0x421166b0  Yes         /lib/i686/libc.so.6
0x400b4760  0x400cd1e0  Yes         /lib/i686/libm.so.6
0x400e40a0  0x4014bbb0  Yes         /usr/X11R6/lib/libX11.so.6
0x401aa8e0  0x401b3b40  Yes         /usr/X11R6/lib/libXext.so.6
0x401b5d40  0x401b6b50  Yes         /lib/libdl.so.2
0x40000a50  0x40010d20  Yes         /lib/ld-linux.so.2
0x40015310  0x40018b10  Yes         /usr/lib/libartsc.so
0x401e7a10  0x4025ce40  Yes         /usr/lib/libartsflow.so.1
0x402a9c30  0x402d0ef0  Yes         /usr/lib/libsoundserver_idl.so.1
0x402ec3d0  0x40308040  Yes         /usr/lib/libkmedia2_idl.so.1
0x40317020  0x4032aa90  Yes         /usr/lib/libaudiofile.so.0
0x40352500  0x40393d40  Yes         /usr/lib/libartsflow_idl.so.1
0x403d7580  0x40451c70  Yes         /usr/lib/libmcop.so.1
0x40478710  0x40482e40  Yes         /lib/libresolv.so.2
0x4049f5d0  0x404bdf00  Yes         /usr/lib/libstdc++-libc6.2-2.so.3
0x404cbd00  0x404d2e30  Yes         /lib/libnss_files.so.2
0x4001bcc0  0x4001eff0  Yes         /usr/lib/libesd.so.0
(gdb) b _dl_relocate_object_internal
Breakpoint 2 at 0x40008c7a
(gdb) ign 2 1
(gdb) run
[...]
Breakpoint 2, 0x40008c7a in _dl_relocate_object_internal ()
   from /lib/ld-linux.so.2
(gdb) p *(void**)$4
$6 = (void *) 0x0
(gdb) watch *(void**)$4
Hardware watchpoint 3: *(void **) $6
(gdb) dis 2
(gdb) c
Continuing.
Hardware watchpoint 3: *(void **) $6

Old value = (void *) 0x0
New value = (void *) 0x40025080
0x400099a8 in _dl_relocate_object_internal () from /lib/ld-linux.so.2
(gdb) shell objdump -h /usr/lib/libmcop.so.1 | fgrep .got
 17 .got          00001458  000bfc04  000bfc04  000bec04  2**2
(gdb) p /x 0xbfc04 + 0x1338
$7 = 0xc0f3c
(gdb) shell objdump -R /usr/lib/libmcop.so.1 | fgrep c0f3c
000c0f3c R_386_GLOB_DAT    _t24__default_alloc_template2b1i0._S_node_allocator_lock
(gdb) shell nm /usr/lib/libmcop.so.1 | fgrep
_t24__default_alloc_template2b1i0._S_node_allocator_lock
000bd620 V _t24__default_alloc_template2b1i0._S_node_allocator_lock

libargsflow, libartsflow_idl, libsoundserver_idl and libkmedia2_idl
also contain similar definitions of this symbol.

Comment 1 Jakub Jelinek 2002-04-14 19:16:52 UTC

No wonder it worked in 7.2 when libmcop.so.1 and the whole KDE3 was added in
skipjack... (your testcase works just fine on 7.2 with glibc-2.2.5-33).
The problem looks like some reference counting bug in ld.so, that address
points to libartscbackend.so which was dlclosed in between and for some reason
was unmapped eventhough its reference count should be non-zero due to this
and similar live relocations.

Comment 2 Jakub Jelinek 2002-04-14 20:26:29 UTC

http://sources.redhat.com/ml/libc-hacker/2002-04/msg00054.html

Comment 3 Jakub Jelinek 2002-04-15 15:48:36 UTC

Should be fixed in glibc-2.2.5-34.

Note You need to log in before you can comment on or make changes to this bug.