Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NODEFLIB insufficient for preventing use of target system libs, specifically when any library uses RUNPATH #169

Open
JonathonReinhart opened this issue Feb 6, 2021 · 1 comment
Open

NODEFLIB insufficient for preventing use of target system libs, specifically when any library uses RUNPATH #169

JonathonReinhart opened this issue Feb 6, 2021 · 1 comment
Labels
bug

Comments

@JonathonReinhart
Copy link
Owner

JonathonReinhart commented Feb 6, 2021
edited
Loading

#138 sets NODEFLIB on the user app (the root of the dynamic object tree) in an attempt to prevent libraries from the target system from ever being loaded. This, coupled with RPATH, was supposed to give the (runtime patched) app complete control over the set of libraries loaded.

The problem is that if any object down the tree has RUNPATH set, not only is the root RPATH ignored, but somehow NODEFLIB seems to be ignored too! I don't actually see this in the source code yet, but it's a bit hard to follow.

See #159 (comment) where I originally figured all of this out.

One might think that the solution would be for Staticx to use RUNPATH instead, but alas, that only applies to the object on which it is applied, and not the tree.

From this comment:

The trouble with RUNPATH and the reason we won’t use it is that it’s search semantics are fundamentally broken. It isn’t just a difference in precedence. Whereas an RPATH’d binary will search its RPATH, it’s loading object’s RPATH, all the way up to the executable if need be, RUNPATH gives up after searching the RUNPATH of the object itself. This means that the executable can’t enforce consistent link semantics...

In other words:

  • RPATH binary will search
    • Its own RPATH
    • The loading object's RPATH
    • ...
    • The executable's RPATH
    • Stop
  • RUNPATH binary will search
    • Its own RUNPATH
    • Stop

This is extremely discouraging. I'm running out of tricks for defeating GLIBC.

Damn you, @drepper! 😈 (Reference: bminor/glibc@fcf70d4)

My original comment had some half-baked ideas for fixing/working-around/acknowledging this.
@JonathonReinhart JonathonReinhart mentioned this issue Apr 18, 2021
Closed
@mlech-reef mlech-reef mentioned this issue Sep 22, 2021
Closed
This was referenced Oct 3, 2021
Closed
Closed
Open
JonathonReinhart added a commit that referenced this issue Oct 3, 2021
@JonathonReinhart
staticx: Add StaticxGenerator.audit_library() to check for DT_RUNPATH
7597250 
staticx cannot currently handle any libraries that have DT_RUNPATH set as
it interferes with our ability to fully control the library paths.

See #169
@JonathonReinhart JonathonReinhart mentioned this issue Oct 3, 2021
Merged
@JonathonReinhart
Copy link
Owner Author

RPATH is also a problem: #173 (review)

JonathonReinhart added a commit that referenced this issue Oct 3, 2021
@JonathonReinhart
staticx: Add StaticxGenerator.audit_library() to check for DT_RUNPATH
de60f8c 
staticx cannot currently handle any libraries that have DT_RUNPATH set as
it interferes with our ability to fully control the library paths.

See #169
JonathonReinhart added a commit that referenced this issue Oct 4, 2021
@JonathonReinhart
staticx: Add StaticxGenerator.audit_library() to check for DT_RUNPATH
1668b5a 
staticx cannot currently handle any libraries that have DT_RUNPATH set as
it interferes with our ability to fully control the library paths.

See #169
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@JonathonReinhart