NetBSD-Bugs archive
Re: lib/57792: SIGSEGV in ld.elf_so / _rtld_call_ifunc
The following test cases now exhibit the difference:
/usr/tests/libexec/ld.elf_so/t_ifunc (relro, bind lazily)
/usr/tests/libexec/ld.elf_so/t_ifunc_now (relro, bind now)
t_ifunc works; t_ifunc_now crashes.
Setting a breakpoint on
https://nxr.netbsd.org/xref/src/libexec/ld.elf_so/reloc.c?r=1.118#311
where t_ifunc_now crashes reveals:
[t_ifunc] where = 0x55c03018 <*ABS*@got.plt>
[t_ifunc_now] where = 0x1b5e02f10 <*ABS*@got.plt>
The high-order parts of the addresses -- 0x55c0...., 0x1b5e0.... --
are ASLR red herrings; it's the low-order parts that are relevant.
Examining /proc/<pid>/maps reveals:
0000000055c02000-0000000055c03000 r--p 0000000000002000 2bd:13ede 679572 /home/riastradh/netbsd/10/obj.amd64/destdir.amd64/usr/tests/libexec/ld.elf_so/t_ifunc
0000000055c03000-0000000055c04000 rw-p 0000000000000000 00:00 0
00000001b5e02000-00000001b5e03000 r--p 0000000000002000 2bd:13ede 679575 /home/riastradh/netbsd/10/obj.amd64/destdir.amd64/usr/tests/libexec/ld.elf_so/t_ifunc_now
00000001b5e03000-00000001b5e04000 rw-p 0000000000000000 00:00 0
In both cases, relative to the base address (0x55c00000, 0x1b5e00000),
page 0x2000 is mapped read-only and page 0x3000 is mapped read/write.
- In the working case (t_ifunc), the ifunc relocation is in the
read/write page at 0x3018.
- In the broken case (t_ifunc_now), the ifunc relocation is in the
read-only page at 0x2f10.
readelf shows the following headers and segments:
$ readelf -a t_ifunc
...
0x0000000000000003 (PLTGOT) 0x3fe8
...
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x0000000000000230 0x0000000000000230 R 0x8
INTERP 0x0000000000000270 0x0000000000000270 0x0000000000000270
0x0000000000000017 0x0000000000000017 R 0x1
[Requesting program interpreter: /usr/libexec/ld.elf_so]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000c90 0x0000000000000c90 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
0x0000000000000c6e 0x0000000000000c6e R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x000000000000052c 0x000000000000052c R 0x1000
LOAD 0x0000000000002d38 0x0000000000003d38 0x0000000000003d38
0x00000000000003e2 0x0000000000000450 RW 0x1000
...
04 .rodata .eh_frame_hdr .eh_frame
05 .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .bss
...
$ readelf -a t_ifunc_now
...
0x0000000000000003 (PLTGOT) 0x3ef8
...
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x0000000000000230 0x0000000000000230 R 0x8
INTERP 0x0000000000000270 0x0000000000000270 0x0000000000000270
0x0000000000000017 0x0000000000000017 R 0x1
[Requesting program interpreter: /usr/libexec/ld.elf_so]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000c90 0x0000000000000c90 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
0x0000000000000c6e 0x0000000000000c6e R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x000000000000052c 0x000000000000052c R 0x1000
LOAD 0x0000000000002c78 0x0000000000003c78 0x0000000000003c78
0x00000000000003da 0x0000000000000450 RW 0x1000
...
04 .rodata .eh_frame_hdr .eh_frame
05 .ctors .dtors .jcr .data.rel.ro .dynamic .got .data .bss
...
Someone who has more details of linkers and gots and plts may be able
to pursue this thread more efficiently than I can at this point.
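The check done by hand above (recover the image base from /proc/<pid>/maps, take the low-order part of the address gdb printed, and look up the permissions of the page it lands on) can be scripted. The following is an added example and is not part of this report or of NetBSD's ld.elf_so; the maps excerpts are constructed from the lines quoted above with the home-directory paths shortened, and the 4 KiB page size and the field layout of the maps lines are assumptions made here.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages, as on NetBSD/amd64

# Constructed excerpts of /proc/<pid>/maps, modelled on the two pairs of
# lines quoted in the report (the long home-directory paths are shortened).
MAPS_T_IFUNC = """\
0000000055c02000-0000000055c03000 r--p 0000000000002000 2bd:13ede 679572 /usr/tests/libexec/ld.elf_so/t_ifunc
0000000055c03000-0000000055c04000 rw-p 0000000000000000 00:00 0
"""

MAPS_T_IFUNC_NOW = """\
00000001b5e02000-00000001b5e03000 r--p 0000000000002000 2bd:13ede 679575 /usr/tests/libexec/ld.elf_so/t_ifunc_now
00000001b5e03000-00000001b5e04000 rw-p 0000000000000000 00:00 0
"""

# Fields (assumed layout): start-end perms file-offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str      # e.g. "r--p" or "rw-p"
    offset: int     # file offset the mapping starts at (0 for anonymous)
    path: str       # "" for anonymous mappings

    @property
    def writable(self) -> bool:
        return "w" in self.perms


def parse_maps(text: str) -> List[Mapping]:
    """Parse the fields we need out of /proc/<pid>/maps-style lines."""
    maps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        start, end, perms, offset, path = m.groups()
        maps.append(Mapping(int(start, 16), int(end, 16), perms,
                            int(offset, 16), path.strip()))
    return maps


def mapping_for(maps: List[Mapping], addr: int) -> Optional[Mapping]:
    """Return the mapping that contains addr, or None if it is unmapped."""
    for m in maps:
        if m.start <= addr < m.end:
            return m
    return None


def image_base(maps: List[Mapping], basename: str) -> int:
    """Recover the load base of an ELF image from any file-backed mapping
    of it: the mapping's start minus the file offset it was mapped from."""
    for m in maps:
        if m.path and os.path.basename(m.path) == basename:
            return m.start - m.offset
    raise LookupError(f"no mapping of {basename}")


def classify_relocation_target(maps_text: str, where: int, basename: str) -> dict:
    """Describe the page a relocation is about to store into.

    'where' is the target address the dynamic linker writes to (the value
    gdb printed in the report).  The result gives its offset from the image
    base, the image-relative page it lies on, the permissions of the
    mapping covering it (None if unmapped) and whether that store can
    succeed."""
    maps = parse_maps(maps_text)
    base = image_base(maps, basename)
    m = mapping_for(maps, where)
    return {
        "offset": where - base,
        "page": (where - base) & ~(PAGE_SIZE - 1),
        "perms": m.perms if m else None,
        "writable": m is not None and m.writable,
    }


if __name__ == "__main__":
    for name, text, where in (
        ("t_ifunc", MAPS_T_IFUNC, 0x55C03018),
        ("t_ifunc_now", MAPS_T_IFUNC_NOW, 0x1B5E02F10),
    ):
        info = classify_relocation_target(text, where, name)
        verdict = "store is fine" if info["writable"] else "store would fault (SIGSEGV)"
        print(f"[{name}] where={where:#x} offset={info['offset']:#x} "
              f"page={info['page']:#x} perms={info['perms']}: {verdict}")
```

Run as-is it reproduces the comparison in the mail: the t_ifunc target sits at image offset 0x3018 on the rw-p page, the t_ifunc_now target at 0x2f10 on the r--p page, so only the second store faults. On a live system the same functions can be fed the real maps file of a stopped process and the address from the debugger.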