[Bug libc/10411] New: Segfault with non-existent directory in LD_LIBRARY_PATH

By mistake I put a non-existent path in my LD_LIBRARY_PATH. To my surprise
display (ImageMagick program) crashed with segmentation fault after the change.
Debugging with valgrind and gdb leads to elf/dl-load.c:1943 in open_path() which
contains the following line:

sps->dirs = (void *) -1;

Can sps->dirs be changed when it comes from the environment? For the segfault
the open_path() is invoked as follows:

fd = open_path (name, namelen, preloaded, &env_path_list,
                &realname, &fb,
                loader ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded,
                LA_SER_LIBPATH, &found_other_class);

Backtrace:

==24674==  Bad permissions for mapped region at address 0x421CDF0
==24674==    at 0x4005E52: open_path (dl-load.c:1943)
==24674==    by 0x4007B00: _dl_map_object (dl-load.c:2079)
==24674==    by 0x4011950: dl_open_worker (dl-open.c:289)
==24674==    by 0x400D3D5: _dl_catch_error (dl-error.c:178)
==24674==    by 0x40112EA: _dl_open (dl-open.c:616)
==24674==    by 0x7A45F7A: dlopen_doit (dlopen.c:67)
==24674==    by 0x400D3D5: _dl_catch_error (dl-error.c:178)
==24674==    by 0x7A4632B: _dlerror_run (dlerror.c:164)
==24674==    by 0x7A45EE0: dlopen@@GLIBC_2.2.5 (dlopen.c:88)
==24674==    by 0x4FAF559: vm_open (dlopen.c:194)
==24674==    by 0x4FAD376: tryall_dlopen (ltdl.c:434)
==24674==    by 0x4FADE43: try_dlopen (ltdl.c:532)

--
           Summary: Segfault with non-existent directory in LD_LIBRARY_PATH
           Product: glibc
           Version: 2.10
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: azzie at astronet dot pl
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: x86_64-unknown-linux-gnu
  GCC host triplet: x86_64-unknown-linux-gnu
GCC target triplet: x86_64-unknown-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=10411

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

------- Additional Comments From drepper at redhat dot com  2009-08-01 03:51 -------
You have to give a concrete example.  I don't see any crashes due to wrong
LD_LIBRARY_PATH is the testing I've done.  And make sure you're using the recent
version and not something ancient.

--
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING


http://sourceware.org/bugzilla/show_bug.cgi?id=10411

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

------- Additional Comments From drepper at redhat dot com  2009-10-30 05:50 -------
No reply in almost 3 months.  Closing.

--
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |RESOLVED
         Resolution|                            |WORKSFORME


http://sourceware.org/bugzilla/show_bug.cgi?id=10411

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

------- Additional Comments From azzie at astronet dot pl  2009-11-02 18:12 -------
Sorry, I did not receive your previous message, just the closing one.

Concrete example:

marcin@marcade ~ $ export LD_LIBRARY_PATH="/lame"
marcin@marcade ~ $ display
Segmentation fault

I'm using:

glibc: 2.9
ImageMagick: 6.5.2.9

I don't think it's anything ancient, but I again looked at the current git tree
and I am still wondering whether the following logic is correct:

1. dl-load.c:137 defines env_path_list as the following global variable and
attribute_relro

static struct r_search_path_struct env_path_list attribute_relro;

2. dl-load.c:2082 passes env_path_list to open_path()

fd = open_path (name, namelen, preloaded, &env_path_list,
                &realname, &fb,
                loader ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded,
                LA_SER_LIBPATH, &found_other_class);

3. dl-load.c:1946 might write to this attribute_relro (if none of the
directories exist)

static int
open_path (const char *name, size_t namelen, int preloaded,
           struct r_search_path_struct *sps, char **realname,
           struct filebuf *fbp, struct link_map *loader, int whatcode,
           bool *found_other_class)
{
   ...

   /* rtld_search_dirs is attribute_relro, therefore avoid writing
      into it.  */

   if (sps != &rtld_search_dirs)
      sps->dirs = (void *) -1;
   }

Note that there is a check whether sps is rtld_search_dirs but not whether it is
env_path_list - which also seems to be attribute_relro. Is this logic correct?
It segfaults for me at this very line. Your mileage may vary, but I'm suspicious
about the code itself.


--
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |


http://sourceware.org/bugzilla/show_bug.cgi?id=10411

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

------- Additional Comments From azzie at astronet dot pl  2009-11-02 18:22 -------
Oops, sorry. Those version numbers were actually from an ancient setup ;-)

It segfaults for me on:

marcin@marcade ~ $ display --version
Version: ImageMagick 6.5.4-2 2009-07-17 Q16 OpenMP http://www.imagemagick.org
Copyright: Copyright (C) 1999-2009 ImageMagick Studio LLC

marcin@marcade /lib $ ls -la libc.so.6
lrwxrwxrwx 1 marcin robots 14 Jul 13 15:14 libc.so.6 -> libc-2.10.1.so


--


http://sourceware.org/bugzilla/show_bug.cgi?id=10411

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.