Segmentation fault on startup when MIPS_RLD_MAP is 0

Richard Braun rbraun at sceen.net
Tue Jan 25 13:16:53 UTC 2011


Hello,

When starting Asterisk 1.8 on a mips (32 bits, BE) board, the linker
crashes early during startup. I've traced the problem to the
MIPS_RLD_MAP dynamic section being 0 (not sure if this is a size or
address when reported by readelf). The asterisk binary is built with
the --version-script option, which seems to be the reason why there is
a MIPS_RLD_MAP entry, and AIUI, this option is intended to be used for
shared objects. Question: can it be safely used by executables too?

The crash happens here:

ldso/ldso/mips/dl-sysdep.h:102:
#define ARCH_DYNAMIC_INFO(dpnt,  dynamic, debug_addr) \
do { \
if (dpnt->d_tag == DT_MIPS_GOTSYM) \
     dynamic[DT_MIPS_GOTSYM_IDX] = dpnt->d_un.d_val; \
else if (dpnt->d_tag == DT_MIPS_LOCAL_GOTNO) \
     dynamic[DT_MIPS_LOCAL_GOTNO_IDX] = dpnt->d_un.d_val; \
else if (dpnt->d_tag == DT_MIPS_SYMTABNO) \
     dynamic[DT_MIPS_SYMTABNO_IDX] = dpnt->d_un.d_val; \
else if (dpnt->d_tag == DT_MIPS_PLTGOT) \
     dynamic[DT_MIPS_PLTGOT_IDX] = dpnt->d_un.d_val; \
else if ((dpnt->d_tag == DT_MIPS_RLD_MAP) && (dpnt->d_un.d_ptr)) \
     *(ElfW(Addr) *)(dpnt->d_un.d_ptr) =  (ElfW(Addr)) debug_addr; \
} while (0)

The line

*(ElfW(Addr) *)(dpnt->d_un.d_ptr) =  (ElfW(Addr)) debug_addr;

doesn't check that the destination address isn't null. It looks like the
linker is inconsistent about how this entry type is handled, i.e. it
doesn't allocate any memory for it, but still references it without
checking. A similar problem was reported at Debian [1], which resulted
in a patch checking that d_ptr isn't null before storing debug_addr.
This effectively fixes the segfault I was getting. It looks like this
code was inherited from glibc/eglibc, neither of which includes this
fix (although the Debian patch applies on eglibc). Question: is this
an appropriate fix or just a workaround, meaning the build process of
the crashing executable should be fixed instead?

-- 
Richard Braun

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582362
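An added diagnostic, not part of the original mail or of uClibc: it walks a big-endian ELF32 .dynamic section and reports whether a DT_MIPS_RLD_MAP entry is present with a null d_ptr, the condition that makes the unchecked store above dereference address 0. The byte buffers are constructed samples; the tag values are the standard MIPS ABI ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Tag values from the MIPS ELF ABI supplement (same as in <elf.h>). */
#define DT_NULL          0
#define DT_MIPS_RLD_MAP  0x70000016

/* Read a 32-bit big-endian word, as stored in a BE MIPS ELF file. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Walk an ELF32 .dynamic section (8-byte entries: d_tag, d_un) up to
 * DT_NULL. Returns -1 if no DT_MIPS_RLD_MAP entry exists, 1 if it exists
 * with a null d_ptr (the case that crashed the loader), 0 if it carries
 * a non-null address the loader can write debug_addr into.
 */
int check_rld_map(const unsigned char *dyn, size_t len)
{
    for (size_t off = 0; off + 8 <= len; off += 8) {
        uint32_t tag = be32(dyn + off);
        uint32_t val = be32(dyn + off + 4);
        if (tag == DT_NULL)
            break;
        if (tag == DT_MIPS_RLD_MAP)
            return val == 0 ? 1 : 0;
    }
    return -1;
}

/* Constructed samples: RLD_MAP with d_ptr 0, with 0x410000, and absent. */
static const unsigned char bad_dynamic[] = {
    0x70, 0x00, 0x00, 0x16,  0x00, 0x00, 0x00, 0x00,   /* DT_MIPS_RLD_MAP, 0 */
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00 }; /* DT_NULL */
static const unsigned char good_dynamic[] = {
    0x70, 0x00, 0x00, 0x16,  0x00, 0x41, 0x00, 0x00,   /* DT_MIPS_RLD_MAP, 0x410000 */
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00 };
static const unsigned char no_rld_dynamic[] = {
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00 }; /* DT_NULL only */

int main(void)
{
    printf("bad=%d good=%d absent=%d\n",
           check_rld_map(bad_dynamic, sizeof bad_dynamic),
           check_rld_map(good_dynamic, sizeof good_dynamic),
           check_rld_map(no_rld_dynamic, sizeof no_rld_dynamic));
    return 0;
}
```

Run it against the bytes of a real binary's .dynamic section (e.g. extracted with objcopy) to confirm before deployment that no executable ships the zero entry.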