Cosmic did not receive the fix, but I've prepared the fix and will upload it in the next few days. The release will still take more than a week due to the aging requirement and due to waiting for the test results.
** Description changed: + [Impact] + + * Dlopen() may crash. + + [Test Case] + + $ sudo apt install make gcc + $ wget https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1821677/+attachment/5252188/+files/dl-big-note.tar.xz + $ tar -xf dl-big-note.tar.xz + $ cd dl-big-note/ + $ make + $ ./dl-big-note dl-big-note-lib.so + + all ok + + + [Where problems could occur] + + * The fix is correcting a patch that was not updated to the new upstream + code that was backported. There is little change in the code, but in + case of an error it can crash again, let dlopen load an invalid ELF file + due to the false positive verification or reject a valid ELF file due to + erroneoudly failing verification (least likely). + + + [Original Bug Text] With following testcase: ~/work/glibc$ cat foo.c #include <dlfcn.h> #include <stdio.h> - + int main(int argc, char **argv) { - if (argc < 1) return 1; - printf("Trying to open %s\n", argv[1]); - void *liball = dlopen(argv[1], RTLD_NOW); - if(liball == NULL) { - printf("\nERROR: %s", dlerror()); - return -1; - } - if(dlclose(liball)==0) {printf("\n all ok\n");} - return 0; + if (argc < 1) return 1; + printf("Trying to open %s\n", argv[1]); + void *liball = dlopen(argv[1], RTLD_NOW); + if(liball == NULL) { + printf("\nERROR: %s", dlerror()); + return -1; + } + if(dlclose(liball)==0) {printf("\n all ok\n");} + return 0; } - compile with + compile with ~/work/glibc$ gcc -O0 -g foo.c -ldl then get segment fault: - ~/work/glibc$ ./a.out intel64_lin/libsvml.so + ~/work/glibc$ ./a.out intel64_lin/libsvml.so Trying to open intel64_lin/libsvml.so Segmentation fault (core dumped) coredump as: (gdb) bt #0 __GI___libc_free (mem=0x7ffff7d49010) at malloc.c:3085 #1 0x00007ffff7fdb6b6 in open_verify ( - name=0x555555559670 "/home/lilicui/intel64_lin/libsvml.so", - fbp=fbp@entry=0x7fffffffd530, loader=<optimized out>, - mode=mode@entry=-1879048190, - found_other_class=found_other_class@entry=0x7fffffffd51f, free_name=true, - whatcode=0, fd=3) at 
dl-load.c:1977 - #2 0x00007ffff7fdc926 in _dl_map_object (loader=loader@entry=0x7ffff7ffe190, - name=name@entry=0x7fffffffe1b7 "/home/lilicui/intel64_lin/libsvml.so", - type=type@entry=2, trace_mode=trace_mode@entry=0, - mode=mode@entry=-1879048190, nsid=<optimized out>) at dl-load.c:2401 + name=0x555555559670 "/home/lilicui/intel64_lin/libsvml.so", + fbp=fbp@entry=0x7fffffffd530, loader=<optimized out>, + mode=mode@entry=-1879048190, + found_other_class=found_other_class@entry=0x7fffffffd51f, free_name=true, + whatcode=0, fd=3) at dl-load.c:1977 + #2 0x00007ffff7fdc926 in _dl_map_object (loader=loader@entry=0x7ffff7ffe190, + name=name@entry=0x7fffffffe1b7 "/home/lilicui/intel64_lin/libsvml.so", + type=type@entry=2, trace_mode=trace_mode@entry=0, + mode=mode@entry=-1879048190, nsid=<optimized out>) at dl-load.c:2401 #3 0x00007ffff7fe79c4 in dl_open_worker (a=a@entry=0x7fffffffdaa0) - at dl-open.c:228 - #4 0x00007ffff7f1b48f in __GI__dl_catch_exception (exception=<optimized out>, - operate=<optimized out>, args=<optimized out>) at dl-error-skeleton.c:196 + at dl-open.c:228 + #4 0x00007ffff7f1b48f in __GI__dl_catch_exception (exception=<optimized out>, + operate=<optimized out>, args=<optimized out>) at dl-error-skeleton.c:196 #5 0x00007ffff7fe72c6 in _dl_open ( - file=0x7fffffffe1b7 "/home/lilicui/intel64_lin/libsvml.so", - mode=-2147483646, caller_dlopen=0x5555555551cb <main+86>, - nsid=<optimized out>, argc=2, argv=0x7fffffffde08, env=0x7fffffffde20) - at dl-open.c:599 + file=0x7fffffffe1b7 "/home/lilicui/intel64_lin/libsvml.so", + mode=-2147483646, caller_dlopen=0x5555555551cb <main+86>, + nsid=<optimized out>, argc=2, argv=0x7fffffffde08, env=0x7fffffffde20) + at dl-open.c:599 #6 0x00007ffff7faa256 in dlopen_doit (a=a@entry=0x7fffffffdcc0) at dlopen.c:66 #7 0x00007ffff7f1b48f in __GI__dl_catch_exception ( - exception=exception@entry=0x7fffffffdc60, operate=<optimized out>, + exception=exception@entry=0x7fffffffdc60, operate=<optimized out>, --Type <RET> for 
more, q to quit, c to continue without paging-- - args=<optimized out>) at dl-error-skeleton.c:196 + args=<optimized out>) at dl-error-skeleton.c:196 #8 0x00007ffff7f1b51f in __GI__dl_catch_error ( - objname=0x7ffff7fae0f0 <last_result+16>, - errstring=0x7ffff7fae0f8 <last_result+24>, - mallocedp=0x7ffff7fae0e8 <last_result+8>, operate=<optimized out>, - args=<optimized out>) at dl-error-skeleton.c:215 + objname=0x7ffff7fae0f0 <last_result+16>, + errstring=0x7ffff7fae0f8 <last_result+24>, + mallocedp=0x7ffff7fae0e8 <last_result+8>, operate=<optimized out>, + args=<optimized out>) at dl-error-skeleton.c:215 #9 0x00007ffff7faaa25 in _dlerror_run ( - operate=operate@entry=0x7ffff7faa200 <dlopen_doit>, - args=args@entry=0x7fffffffdcc0) at dlerror.c:163 + operate=operate@entry=0x7ffff7faa200 <dlopen_doit>, + args=args@entry=0x7fffffffdcc0) at dlerror.c:163 #10 0x00007ffff7faa2e6 in __dlopen (file=<optimized out>, mode=<optimized out>) - at dlopen.c:87 + at dlopen.c:87 #11 0x00005555555551cb in main (argc=2, argv=0x7fffffffde08) at foo.c:7 - - intel64_lin/libsvml.so is icc19.0(aleady released) runtime library, refer to attachment. + intel64_lin/libsvml.so is icc19.0(aleady released) runtime library, + refer to attachment. Ubuntu version: ~/work/glibc$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 18.10 Release: 18.10 Codename: cosmic Glibc version: ~/work/glibc$ ldd --version ldd (Ubuntu GLIBC 2.28-0ubuntu1) 2.28 Copyright (C) 2018 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Written by Roland McGrath and Ulrich Drepper. It works fine with Glibc_2.28 upstream, and Glibc_2.28 on Fedora 29, but failed with Glibc 2.28 in Ubuntu 18.10 I found ubuntu18.10 was backporting its own patches, would that affect such testcase? 
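Review bot: the argument check in the foo.c test case, `if (argc < 1) return 1;`, can never fail (argc is at least 1), so running `./a.out` with no path passes a NULL argv[1] to printf and dlopen; because dlopen(NULL, RTLD_NOW) returns a handle for the main program, that run prints "all ok" and looks like a pass. Suggest `if (argc < 2) return 1;` so the [Test Case] only reports "all ok" after the library under test was actually loaded and closed.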
** Changed in: glibc (Ubuntu Cosmic)
Status: Fix Released => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1821677

Title:
dl_open segment fault in ubuntu18.10 glibc2.28

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1821677/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs