@daurnimator
Last active August 29, 2015 14:24
Having a weird issue here: if I dlsym() something in a constructor but don't use the result, the shared library segfaults at load.
gcc -shared -O2 -fPIC bug-shared.c -ldl -o shared.so
gcc -O2 -fPIC bug-main.c -ldl
./a.out

Now comment out the printf of the pointer in bug-shared.c

Backtrace:

#0  0x00007ffff7de4b77 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7951b91 in do_sym () from /usr/lib/libc.so.6
#2  0x00007ffff7bd80f4 in ?? () from /usr/lib/libdl.so.2
#3  0x00007ffff7de9f94 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7bd85e1 in ?? () from /usr/lib/libdl.so.2
#5  0x00007ffff7bd8148 in dlsym () from /usr/lib/libdl.so.2
#6  0x00007ffff7dea0ea in call_init.part () from /lib64/ld-linux-x86-64.so.2
#7  0x00007ffff7dea1fb in _dl_init () from /lib64/ld-linux-x86-64.so.2
#8  0x00007ffff7dee627 in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
#9  0x00007ffff7de9f94 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#10 0x00007ffff7dede01 in _dl_open () from /lib64/ld-linux-x86-64.so.2
#11 0x00007ffff7bd7fc9 in ?? () from /usr/lib/libdl.so.2
#12 0x00007ffff7de9f94 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#13 0x00007ffff7bd85e1 in ?? () from /usr/lib/libdl.so.2
#14 0x00007ffff7bd8061 in dlopen () from /usr/lib/libdl.so.2
#15 0x0000000000400622 in main ()

I've attached the compiled assembly of bug-shared.c

#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
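/* Reproducer driver: dlopen() the shared object (its constructor runs inside the
 * dlopen() call, which is where the reported crash happens), then resolve and call
 * some_exported_function().
 *
 * Returns 0 on success, 1 if the object or the symbol cannot be loaded; the loader's
 * error text is printed to stderr in that case instead of dereferencing NULL. */
int main() {
    /* RTLD_NOW: resolve everything up front so the constructor runs here, not later. */
    void *foo = dlopen("./shared.so", RTLD_NOW);
    if (foo == NULL) {
        fprintf(stderr, "dlopen: %s\n", dlerror());
        return 1;
    }

    /* dlsym() may legitimately return NULL for a symbol whose value is NULL, so the
     * documented check is to clear dlerror() first and consult it afterwards. */
    dlerror();
    void (*some_exported_function)(void) =
        (void (*)(void)) dlsym(foo, "some_exported_function");
    const char *err = dlerror();
    if (err != NULL) {
        fprintf(stderr, "dlsym: %s\n", err);
        dlclose(foo);
        return 1;
    }

    some_exported_function();
    dlclose(foo);
    return 0;
}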
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
/* Set by some_init(): the address dlsym() finds for "anything", or stub when the
 * lookup yields NULL.  Read (printed) by some_exported_function(). */
static int (*pointer) ();
/* Fallback assigned to `pointer` when dlsym() finds nothing; always yields 0. */
static int stub ()
{
    const int fallback_value = 0;
    return fallback_value;
}
/* Runs while the loader initialises this object, i.e. inside the caller's dlopen().
 * Looks up "anything" in the global scope (RTLD_DEFAULT) and records the result in
 * `pointer`, substituting stub when the lookup returns NULL.
 *
 * NOTE(review): if `pointer` is never read anywhere, the store here is dead and the
 * optimizer can reduce this function to a bare tail call into dlsym() (the attached
 * assembly shows exactly that shape).  dlsym(RTLD_DEFAULT, ...) identifies its caller
 * from the return address, which for a tail call points into the loader itself; that
 * looks like the likely trigger for the reported segfault — confirm against glibc. */
__attribute__((constructor)) static void some_init()
{
    void *found = dlsym(RTLD_DEFAULT, "anything");
    if (found != NULL) {
        pointer = found;
        return;
    }
    pointer = stub;
}
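/* Exported entry point called by bug-main.c after dlopen().  Prints a marker line
 * followed by the value some_init() stored in `pointer`.
 *
 * The read of `pointer` on the second line is what keeps the store in some_init()
 * alive; the gist reports that removing it makes the load segfault. */
void some_exported_function()
{
    printf("in some_exported_function\n");
    /* %p requires a `void *` argument; passing a function pointer directly is not
     * a conforming use, so convert explicitly before printing. */
    printf("%p\n", (void *) pointer);
}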
.file "bug-shared.c"
# GCC 5.1.0 -O2 -fPIC output for bug-shared.c.  This appears to be the variant with
# the printf of `pointer` commented out: no `pointer` object is defined anywhere in
# this listing, and some_init keeps nothing from the dlsym() call (see below).
.section .text.unlikely,"ax",@progbits
.LCOLDB0:
.text
.LHOTB0:
.p2align 4,,15
.type stub, @function
# stub(): returns 0.  Not referenced by any other line of this listing.
stub:
.LFB12:
.cfi_startproc
xorl %eax, %eax
ret
.cfi_endproc
.LFE12:
.size stub, .-stub
.section .text.unlikely
.LCOLDE0:
.text
.LHOTE0:
.section .rodata.str1.1,"aMS",@progbits,1
.LC1:
.string "anything"
.section .text.unlikely
.LCOLDB2:
.section .text.startup,"ax",@progbits
.LHOTB2:
.p2align 4,,15
.type some_init, @function
# some_init(): the constructor.  Note there is no store to `pointer` and no
# comparison against NULL; the whole body is the argument setup plus a tail call.
some_init:
.LFB13:
.cfi_startproc
# Arguments for dlsym(RTLD_DEFAULT, "anything"): %rsi = address of "anything",
# %edi = 0 (RTLD_DEFAULT is a null handle in glibc's <dlfcn.h>).
leaq .LC1(%rip), %rsi
xorl %edi, %edi
# Tail call: dlsym() returns straight to some_init's caller, so the return address
# it sees is inside ld.so (call_init, frame #6 of the backtrace above).  glibc's
# dlsym() uses that return address to pick the calling object for an RTLD_DEFAULT
# lookup, so the loader itself is treated as the caller — the likely reason
# _dl_lookup_symbol_x faults; confirm against the glibc version in use.
jmp dlsym@PLT
.cfi_endproc
.LFE13:
.size some_init, .-some_init
.section .text.unlikely
.LCOLDE2:
.section .text.startup
.LHOTE2:
# Constructor registration: the loader runs some_init from .init_array during
# dlopen() (_dl_init -> call_init in the backtrace).
.section .init_array,"aw"
.align 8
.quad some_init
.section .rodata.str1.1
.LC3:
.string "in some_exported_function"
.section .text.unlikely
.LCOLDB4:
.text
.LHOTB4:
.p2align 4,,15
.globl some_exported_function
.type some_exported_function, @function
# some_exported_function(): printf("in some_exported_function\n") has been folded
# into puts(); no second printf (the %p of `pointer`) is present in this build.
some_exported_function:
.LFB14:
.cfi_startproc
leaq .LC3(%rip), %rdi
jmp puts@PLT
.cfi_endproc
.LFE14:
.size some_exported_function, .-some_exported_function
.section .text.unlikely
.LCOLDE4:
.text
.LHOTE4:
.ident "GCC: (GNU) 5.1.0"
.section .note.GNU-stack,"",@progbits