elf: Refuse to dlopen PIE objects [BZ #24323]

Another executable has already been mapped, so the dynamic linker
cannot perform relocations correctly for the second executable.

(cherry picked from commit 2c75b545de6fe3c44138799c68217a94bc669a88)
(test omitted due to indirect dependency on test-in-container)

diff --git a/ChangeLog b/ChangeLog
index d93248549632aa360057cc5264f1a8b3b499f185..37553b12e7679725013b523f01ac91b831b98ba2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2019-06-18  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #24323]
+       * include/elf.h (DT_1_SUPPORTED_MASK): Include DF_1_PIE.
+       * elf/dl-load.c (_dl_map_object_from_fd): Check for DF_1_PIE and
+       fail when called from dlopen.
+
 2019-07-10  DJ Delorie  <dj@redhat.com>
            Sergei Trofimovich <slyfox@inbox.ru>
 

diff --git a/elf/dl-load.c b/elf/dl-load.c
index c51e4b3718ef68915d6d80356fa5caade7ef3019..162a78cb0dc95255bfb175cb4719830e540fa3dc 100644 (file)
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -1173,6 +1173,10 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
        goto call_lose;
       }
 
+    /* dlopen of an executable is not valid because it is not possible
+       to perform proper relocations, handle static TLS, or run the
+       ELF constructors.  For PIE, the check needs the dynamic
+       section, so there is another check below.  */
     if (__glibc_unlikely (type != ET_DYN)
        && __glibc_unlikely ((mode & __RTLD_OPENEXEC) == 0))
       {
@@ -1209,9 +1213,11 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
   elf_get_dynamic_info (l, NULL);
 
   /* Make sure we are not dlopen'ing an object that has the
-     DF_1_NOOPEN flag set.  */
-  if (__glibc_unlikely (l->l_flags_1 & DF_1_NOOPEN)
-      && (mode & __RTLD_DLOPEN))
+     DF_1_NOOPEN flag set, or a PIE object.  */
+  if ((__glibc_unlikely (l->l_flags_1 & DF_1_NOOPEN)
+       && (mode & __RTLD_DLOPEN))
+      || (__glibc_unlikely (l->l_flags_1 & DF_1_PIE)
+         && __glibc_unlikely ((mode & __RTLD_OPENEXEC) == 0)))
     {
       /* We are not supposed to load this object.  Free all resources.  */
       _dl_unmap_segments (l);
@@ -1222,7 +1228,11 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
       if (l->l_phdr_allocated)
        free ((void *) l->l_phdr);
 
-      errstring = N_("shared object cannot be dlopen()ed");
+      if (l->l_flags_1 & DF_1_PIE)
+       errstring
+         = N_("cannot dynamically load position-independent executable");
+      else
+       errstring = N_("shared object cannot be dlopen()ed");
       goto call_lose;
     }
 

diff --git a/include/elf.h b/include/elf.h
index ab76aafb1e6b408480055ae8eccfa237406e49c7..14ed67ff67d36349b12750c431478ce86c504ab0 100644 (file)
--- a/include/elf.h
+++ b/include/elf.h
@@ -23,7 +23,7 @@
 # endif
 # define DT_1_SUPPORTED_MASK \
    (DF_1_NOW | DF_1_NODELETE | DF_1_INITFIRST | DF_1_NOOPEN \
-    | DF_1_ORIGIN | DF_1_NODEFLIB)
+    | DF_1_ORIGIN | DF_1_NODEFLIB | DF_1_PIE)
 
 #endif /* !_ISOMAC */
 #endif /* elf.h */