Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20240723225340.GU10433@brightrain.aerifal.cx>
Date: Tue, 23 Jul 2024 18:53:41 -0400
From: Rich Felker <dalias@...c.org>
To: Markus Mayer <mmayer@...adcom.com>,
	Musl Mailing List <musl@...ts.openwall.com>,
	Colin Cross <ccross@...roid.com>, Colin Cross <ccross@...gle.com>
Subject: Re: [PATCH 1/1] Ignore incorrect elf architecture libraries

On Tue, Jul 23, 2024 at 11:08:49PM +0200, Szabolcs Nagy wrote:
> * Markus Mayer <mmayer@...adcom.com> [2024-07-05 14:12:28 -0700]:
> > From: Colin Cross <ccross@...roid.com>
> > 
> > In multilib systems LD_LIBRARY_PATH is sometimes set to a list that
> > contains both the lib32 and lib64 directories, for example when
> > running code that may execute 32-bit or 64-bit subprocesses or both.
> > Musl's dynamic loader aborts searching a path list when it finds any
> > library that is not loadable, preventing searching the other multilib
> > directory.
> > 
> > Modify the loader to continue searching when a file is found that is
> > a valid elf file but for the an elf machine or class that differs from
> > that of the loader itself.
> 
> fwiw i think the proposed feature is reasonable, i added review
> comments that may help inclusion into musl.
> 
> 
> i'd note that skipping wrong e_machine and e_ident[EI_CLASS] is
> required by the elf spec:
> 
>  When the dynamic linker is searching for shared objects, it is
>  not a fatal error if an ELF file with the wrong attributes is
>  encountered in the search. Instead, the dynamic linker shall
>  exhaust the search of all paths before determining that a
>  matching object could not be found. For this determination, the
>  relevant attributes are contained in the following ELF header
>  fields: e_ident[EI_DATA], e_ident[EI_CLASS], e_ident[EI_OSABI],
>  e_ident[EI_ABIVERSION], e_machine, e_type, e_flags and e_version.
> 
> if we do this change i think e_ident[EI_DATA] should be checked
> too for le/be and e_flags for abi variants like arm hf.
> 
> e_type, e_version, EI_OSABI and EI_ABIVERSION are unlikely to be
> useful (the latter may be used in the future to bump musl abi)
> i don't have a strong opinion about these.
> 
> https://www.sco.com/developers/gabi/latest/ch5.dynamic.html#shobj_dependencies

FWIW we don't necessarily follow everything in this spec (it's not one
of the ones we claim conformance to), but yes it can be a good model
for how to do things.

> > ---
> >  ldso/dynlink.c | 77 +++++++++++++++++++++++++++++++++++++++-----------
> >  1 file changed, 61 insertions(+), 16 deletions(-)
> > 
> > diff --git a/ldso/dynlink.c b/ldso/dynlink.c
> > index 324aa85919f0..2f1ac7e9d089 100644
> > --- a/ldso/dynlink.c
> > +++ b/ldso/dynlink.c
> > @@ -68,6 +68,8 @@ struct dso {
> >  	size_t *dynv;
> >  	struct dso *next, *prev;
> >  
> > +	int elfmachine;
> > +	int elfclass;
> 
> i don't think we need this in every dso. i'd make them global
> 
> e.g. ldso_ehdr (or just the ldso_e_machine and ldso_e_class)

Yes, let's avoid size creep for struct dso.

> >  	phsize = eh->e_phentsize * eh->e_phnum;
> >  	if (phsize > sizeof buf - sizeof *eh) {
> >  		allocated_buf = malloc(phsize);
> > @@ -870,29 +889,53 @@ error:
> >  	return 0;
> >  }
> >  
> > -static int path_open(const char *name, const char *s, char *buf, size_t buf_size)
> > +static int path_open_library(const char *name, const char *s, char *buf, size_t buf_size)
> 
> no need to rename.

IIRC at one point it was my proposal to rename it *and* change the
signature to make it load the start of the file into a caller-provided
buffer that map_library would then reuse...

> >  		if (l-1 >= INT_MAX) return -1;
> > -		if (snprintf(buf, buf_size, "%.*s/%s", (int)l, s, name) < buf_size) {
> > -			if ((fd = open(buf, O_RDONLY|O_CLOEXEC))>=0) return fd;
> > -			switch (errno) {
> > -			case ENOENT:
> > -			case ENOTDIR:
> > -			case EACCES:
> > -			case ENAMETOOLONG:
> > -				break;
> > -			default:
> > -				/* Any negative value but -1 will inhibit
> > -				 * futher path search. */
> > +		s += l;
> > +		if (snprintf(buf, buf_size, "%.*s/%s", (int)l, p, name) < buf_size) {
> > +			fd = open(buf, O_RDONLY|O_CLOEXEC);
> > +			if (fd < 0) {
> > +				switch (errno) {
> > +				case ENOENT:
> > +				case ENOTDIR:
> > +				case EACCES:
> > +				case ENAMETOOLONG:
> > +					/* Keep searching in path list. */
> > +					continue;
> > +				default:
> > +					/* Any negative value but -1 will
> > +					 * inhibit further path search in
> > +					 * load_library. */
> > +					return -2;
> > +				}
> > +			}
> > +			Ehdr eh;
> > +			ssize_t n = pread(fd, &eh, sizeof(eh), 0);
> 
> i'd use read instead of pread
> 
> this adds an extra syscall per dso that uses path lookup.
> this is the main cost of the patch, so i'd note this in
> the commit msg.

...so that there is not an extra syscall per DSO loaded.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.