Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 31 Jan 2020 15:47:48 +0100
From: Markus Wichmann <>
Subject: Re: Static linking is broken after creation of DT_TEXTREL

On Thu, Jan 30, 2020 at 11:24:31PM -0500, Rich Felker wrote:
> > Also, there is at least one place in the dynlinker where, as I recall,
> > mmap() is being called directly, but rather than check for errors in the
> > return value, the value is just used, because all error returns cause
> > segfaults.
> I believe this was fixed in 77846800722914eeba170505c2e7f89e12a6beff.

No, that wasn't what I meant. I looked it up: I meant the one in
static_init_tls(). Note that this was no criticism, I fully agree that
crashing is acceptable in case of a rare failure. As long as it happens
repeatably and only during early startup.

> > And then there was the case of PowerPC's original ABI, now called the
> > BSS-PLT ABI, which expects the dynlinker to fill out the PLT at runtime,
> > which musl doesn't do. Trying to run a BSS-PLT binary with musl will
> > therefore also very quickly segfault.
> I thought it would produce an error for unsupported relocation type,
> but maybe not if the same relocation numbers were reused. This should
> probably be improved.

Honestly, I went on memory on this. I thought I remembered an FAQ or
wiki entry that said that without secure PLT, you would get crashes. I
never tried it myself.

OK, so the ABI says that the PLT relocations are of type R_PPC_JMP_SLOT.
Which arch/powerpc/reloc.h defines as REL_PLT. Therefore the dynlinker
will see these relocations and perform a generic PLT relocation when the
esoteric BSS-PLT relocation would be called for.

I am using this ABI document here:

It appears the type R_PPC_JMP_SLOT did get reused for the secure PLT
option. Therefore our only way to detect BSS-PLT binaries and quit with
a nice error message is to detect the absence of the secure PLT option
in the dynamic section.

Coincidentally, we might give the OP a nice error message as well if we
checked the application's dynamic section and found a DT_TEXTREL tag.

> Assuming this is at startup, that's not a possibility; no application
> code has run yet.

Unfortunately, signal mask and ignore dispositions are inherited across
execve(). A tool that ignores or blocks specific signals before execing
the rest of its command line is therefore possible. I seem to remember
such a tool, but cannot remember its name. A cursory search on the
Internet failed to turn up anything.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.