NetBSD-Bugs archive
Re: lib/57792: SIGSEGV in ld.elf_so / _rtld_call_ifunc
The following reply was made to PR lib/57792; it has been noted by GNATS.
From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: Patrick Welche <prlw1%cam.ac.uk@localhost>, RVP <rvp%SDF.ORG@localhost>
Cc: gnats-bugs%NetBSD.org@localhost, netbsd-bugs%NetBSD.org@localhost, joerg%NetBSD.org@localhost,
skrll%NetBSD.org@localhost, mrg%NetBSD.org@localhost
Subject: Re: lib/57792: SIGSEGV in ld.elf_so / _rtld_call_ifunc
Date: Mon, 15 Jul 2024 16:08:56 +0000
The following test cases now exhibit the difference:
/usr/tests/libexec/ld.elf_so/t_ifunc (relro, bind lazily)
/usr/tests/libexec/ld.elf_so/t_ifunc_now (relro, bind now)
t_ifunc works; t_ifunc_now crashes.
Setting a breakpoint on
https://nxr.netbsd.org/xref/src/libexec/ld.elf_so/reloc.c?r=1.118#311
where t_ifunc_now crashes reveals:
[t_ifunc] where = 0x55c03018 <*ABS*@got.plt>
[t_ifunc_now] where = 0x1b5e02f10 <*ABS*@got.plt>
The high-order parts of the addresses -- 0x55c0...., 0x1b5e0.... --
are ASLR red herrings; it's the low-order parts that are relevant.
Examining /proc/<pid>/maps reveals:
0000000055c02000-0000000055c03000 r--p 0000000000002000 2bd:13ede 679572 /home/riastradh/netbsd/10/obj.amd64/destdir.amd64/usr/tests/libexec/ld.elf_so/t_ifunc
0000000055c03000-0000000055c04000 rw-p 0000000000000000 00:00 0
00000001b5e02000-00000001b5e03000 r--p 0000000000002000 2bd:13ede 679575 /home/riastradh/netbsd/10/obj.amd64/destdir.amd64/usr/tests/libexec/ld.elf_so/t_ifunc_now
00000001b5e03000-00000001b5e04000 rw-p 0000000000000000 00:00 0
In both cases, relative to the base address (0x55c00000, 0x1b5e00000),
page 0x2000 is mapped read-only and page 0x3000 is mapped read/write.
- In the working case (t_ifunc), the ifunc relocation is in the
read/write page at 0x3018.
- In the broken case (t_ifunc_now), the ifunc relocation is in the
read-only page at 0x2f10.
readelf shows the following headers and segments:
$ readelf -a t_ifunc
...
0x0000000000000003 (PLTGOT) 0x3fe8
...
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x0000000000000230 0x0000000000000230 R 0x8
INTERP 0x0000000000000270 0x0000000000000270 0x0000000000000270
0x0000000000000017 0x0000000000000017 R 0x1
[Requesting program interpreter: /usr/libexec/ld.elf_so]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000c90 0x0000000000000c90 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
0x0000000000000c6e 0x0000000000000c6e R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x000000000000052c 0x000000000000052c R 0x1000
LOAD 0x0000000000002d38 0x0000000000003d38 0x0000000000003d38
0x00000000000003e2 0x0000000000000450 RW 0x1000
...
04 .rodata .eh_frame_hdr .eh_frame
05 .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .bss
...
$ readelf -a t_ifunc_now
...
0x0000000000000003 (PLTGOT) 0x3ef8
...
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x0000000000000230 0x0000000000000230 R 0x8
INTERP 0x0000000000000270 0x0000000000000270 0x0000000000000270
0x0000000000000017 0x0000000000000017 R 0x1
[Requesting program interpreter: /usr/libexec/ld.elf_so]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000c90 0x0000000000000c90 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
0x0000000000000c6e 0x0000000000000c6e R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x000000000000052c 0x000000000000052c R 0x1000
LOAD 0x0000000000002c78 0x0000000000003c78 0x0000000000003c78
0x00000000000003da 0x0000000000000450 RW 0x1000
...
04 .rodata .eh_frame_hdr .eh_frame
05 .ctors .dtors .jcr .data.rel.ro .dynamic .got .data .bss
...
Someone who has more details of linkers and gots and plts may be able
to pursue this thread more efficiently than I can at this point.
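An added check, not part of the PR reply above: a short Python script that repeats the page-granularity argument from the mail, looking up the two "where" offsets (0x3018 and 0x2f10) in the PT_LOAD tables taken from the readelf output and in a /proc maps excerpt constructed from the quoted lines. The function names and the tuple layout are my own; every number comes from the mail.

```python
"""Is the page holding a relocation target writable?  Two views, as in the
PR reply: the PT_LOAD table from readelf (page-granular, as the kernel maps
it) and a /proc/<pid>/maps excerpt.  All sample data is taken from the mail."""
import re

PAGE = 0x1000
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([rwxps-]{4}) ")

def perms_from_phdrs(offset, loads):
    """Flags (subset of 'RWE') of the page holding `offset` (relative to the
    load base).  `loads` is [(vaddr, memsz, flags)] for the PT_LOAD entries.
    The kernel maps whole pages, so an address past a segment's memsz is
    still mapped if it shares a page with that segment.  None if unmapped."""
    page = offset & ~(PAGE - 1)
    flags = ""
    for vaddr, memsz, f in loads:
        lo = vaddr & ~(PAGE - 1)
        hi = (vaddr + memsz + PAGE - 1) & ~(PAGE - 1)
        if lo <= page < hi:
            flags += f
    return "".join(c for c in "RWE" if c in flags) or None

def writable_page(offset, loads):
    return "W" in (perms_from_phdrs(offset, loads) or "")

def perms_from_maps(addr, maps_text):
    """Permission column ('rw-p', ...) of the maps entry covering `addr`."""
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m and int(m.group(1), 16) <= addr < int(m.group(2), 16):
            return m.group(3)
    return None

# PT_LOAD (vaddr, memsz, flags) as printed by readelf for the two binaries.
T_IFUNC = [(0x0, 0xc90, "R"), (0x1000, 0xc6e, "RE"),
           (0x2000, 0x52c, "R"), (0x3d38, 0x450, "RW")]
T_IFUNC_NOW = [(0x0, 0xc90, "R"), (0x1000, 0xc6e, "RE"),
               (0x2000, 0x52c, "R"), (0x3c78, 0x450, "RW")]
# Constructed /proc maps excerpt for the t_ifunc_now process (base 0x1b5e00000).
MAPS_NOW = """\
00000001b5e02000-00000001b5e03000 r--p 0000000000002000 2bd:13ede 679575 t_ifunc_now
00000001b5e03000-00000001b5e04000 rw-p 0000000000000000 00:00 0
"""

if __name__ == "__main__":
    for name, loads, where in (("t_ifunc", T_IFUNC, 0x3018),
                               ("t_ifunc_now", T_IFUNC_NOW, 0x2f10)):
        print(name, hex(where), perms_from_phdrs(where, loads),
              "writable" if writable_page(where, loads) else "READ-ONLY")
    print("maps view of 0x1b5e02f10:", perms_from_maps(0x1b5e02f10, MAPS_NOW))  # r--p
```

The same `perms_from_phdrs` lookup works for any r_offset from `readelf -r`, so the RELRO/bind-now interaction can be checked on a binary before it is ever run.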