Reproduction steps:
1. Set WITH_BIND_NOW=yes in /etc/src.conf
2. Install world to some directory
3. Try to chroot execute /bin/sh

# env LD_DEBUG=1 chroot . /bin/sh
/libexec/ld-elf.so.1 is initialized, base address = 0x3f49fd865000
RTLD dynamic = 0x3f49fd888310
RTLD pltgot = 0
initializing thread locks
...
resolving ifuncs
reloc_jmpslot: *0xdf2395a830 = 0xdf23835630
Segmentation fault (core dumped)
A commit references this bug:

Author: emaste
Date: Mon Nov 19 18:12:39 UTC 2018
New revision: 340640
URL: https://svnweb.freebsd.org/changeset/base/340640

Log:
  libc: forcibly disable BIND_NOW

  Building libc WITH_BIND_NOW results in segfault at process start. For now
  force BIND_NOW off until the root cause can be identified and fixed.

  PR:           233333
  Sponsored by: The FreeBSD Foundation

Changes:
  head/lib/libc/Makefile
We did the same in HardenedBSD:
https://github.com/HardenedBSD/hardenedBSD/commit/ccb4ab6b7607a05b680b167fc899abb27673b3c1

I wonder if the ifunc resolver must be called prior to BIND_NOW being activated by the RTLD.
Created attachment 199379 [details] Process plt irelocs together with other relocs early if LD_BIND_NOW is set.
Created attachment 199380 [details] Process plt irelocs together with other relocs early if LD_BIND_NOW is set.
Tested patch w/ r340640 reverted; works for me.
A commit references this bug:

Author: kib
Date: Tue Nov 20 14:52:44 UTC 2018
New revision: 340675
URL: https://svnweb.freebsd.org/changeset/base/340675

Log:
  rtld: when immediate bind mode is requested, process irelocs in PLT
  immediately after other PLT relocs.

  Otherwise, if the object has relro page, we write to readonly page, and
  we would need to use mprotect(2) two more times to fix it.

  Note that resolve_object_ifunc() does nothing when called second time,
  so there is no need to avoid existing call.

  Reported and tested by: emaste
  PR:           233333
  Sponsored by: The FreeBSD Foundation
  MFC after:    1 week

Changes:
  head/libexec/rtld-elf/rtld.c
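As an added example (not code from this bug or from the FreeBSD commits above), here is a minimal GNU ifunc; its PLT ireloc is the kind of relocation r340675 reorders. It assumes a gcc or clang ELF toolchain with ifunc support. Built with -Wl,-z,relro -Wl,-z,now, or run under LD_BIND_NOW=1, it forces the resolver to run during startup relocation processing, which is the path that faulted on the read-only RELRO page before the fix, so it serves as a quick regression check for an rtld.

```c
/* Added example: a minimal GNU ifunc whose resolver runs inside the
 * dynamic linker, the mechanism the rtld ireloc/RELRO fix concerns.
 * Assumes gcc or clang on an ELF target with ifunc support. */
#include <stdio.h>

static int resolver_calls = 0;   /* how many times the resolver ran */

/* Two candidate implementations; a real resolver would choose by CPU
 * feature. Both are static so the resolver reaches them PC-relative. */
static int add_plain(int a, int b) { return a + b; }
static int add_wide(int a, int b) { return (int)((long)a + (long)b); }

/* The resolver executes while relocations are still being processed,
 * so it must stay self-contained: no libc calls, no data that itself
 * still needs relocating. Here it selects on the word size. */
static int (*resolve_add(void))(int, int)
{
    resolver_calls++;
    return sizeof(long) == 8 ? add_wide : add_plain;
}

/* 'add' has no body: the linker emits an ireloc that names resolve_add,
 * and the runtime linker stores the resolver's result in the PLT/GOT
 * slot. With BIND_NOW that store happens at startup, which is why it
 * must precede the RELRO page being made read-only. */
int add(int a, int b) __attribute__((ifunc("resolve_add")));

/* Returns the resolver call count: already 1 before main() under
 * BIND_NOW, 1 after the first call to add() under lazy binding. */
int resolver_ran(void) { return resolver_calls; }

int main(void)
{
    printf("resolver ran before main: %s\n", resolver_ran() ? "yes" : "no");
    printf("add(2, 3) = %d\n", add(2, 3));
    return add(2, 3) == 5 ? 0 : 1;
}
```

Run the binary under `LD_DEBUG=1 LD_BIND_NOW=1` on an affected rtld and the process faults during "resolving ifuncs" before main() is reached; on a fixed rtld it prints both lines.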
A commit references this bug:

Author: emaste
Date: Mon Nov 26 13:56:19 UTC 2018
New revision: 340969
URL: https://svnweb.freebsd.org/changeset/base/340969

Log:
  revert r340640 "libc: forcibly disable BIND_NOW"

  When immediate bind mode is requested, as of r340675 rtld processes
  irelocs in PLT immediately after other PLT relocs. That addresses the
  libc + BIND_NOW startup crash; the workaround is no longer needed.

  PR:           233333

Changes:
  head/lib/libc/Makefile
A commit references this bug:

Author: emaste
Date: Mon Dec 3 15:59:47 UTC 2018
New revision: 341429
URL: https://svnweb.freebsd.org/changeset/base/341429

Log:
  disable BIND_NOW in libc, libthr, and rtld

  An issue remains with BIND_NOW and processes using threads. For now,
  restore libc's BIND_NOW disable, and also disable BIND_NOW in rtld and
  libthr.

  A patch is in review (D18400) that likely fixes this issue, but just
  disable BIND_NOW pending further testing after it is committed.

  PR:           233333
  Sponsored by: The FreeBSD Foundation

Changes:
  head/lib/libc/Makefile
  head/lib/libthr/Makefile
  head/libexec/rtld-elf/Makefile
D18400 is committed, but reverting 341429 (tested in combination with WITH_RETPOLINE WITH_BIND_NOW WITH_PIE) still fails.
A commit references this bug:

Author: emaste
Date: Thu Mar 28 02:12:33 UTC 2019
New revision: 345625
URL: https://svnweb.freebsd.org/changeset/base/345625

Log:
  revert r341429 "disable BIND_NOW in libc, libthr, and rtld"

  r345620 by kib@ fixed the rtld issue that caused a crash at startup
  during resolution of libc's ifuncs with BIND_NOW.

  PR:           233333
  Sponsored by: The FreeBSD Foundation

Changes:
  head/contrib/elftoolchain/readelf/readelf.c
  head/lib/libc/Makefile
  head/lib/libthr/Makefile
  head/libexec/rtld-elf/Makefile
  head/sys/sys/elf_common.h
r352752 in stable/12 merged associated changes