Linker can't find C library, ignores .rpath? #489

251 · 2017-09-08T09:14:19Z

OS / Environment

Docker: Ubuntu 16.04

Installed C libraries:

/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libc.so
/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/libc.so.6
/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/libc.so
/opt/i686-unknown-linux-musl/i686-unknown-linux-musl/sysroot/usr/lib/libc.so
/opt/x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/sysroot/lib64/libc.so.6
/opt/x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/sysroot/usr/lib64/libc.so
/opt/x86_64-unknown-linux-musl/x86_64-unknown-linux-musl/sysroot/usr/lib/libc.so

Manticore version

Version: 0.1.4

Python version

Python 2.7.12

Dependencies

capstone==3.0.5rc2
manticore==0.1.4
ply==3.10
pyelftools==0.24
unicorn==1.0.1

Summary of the problem

Running natively with LD_DEBUG=libs results in:

      2309:	find library=libcheck-g3-O0-s0.so [0]; searching
      2309:	 search path=/data/i686-unknown-linux-gnu/tls/i686/sse2:/data/i686-unknown-linux-gnu/tls/i686:/data/i686-unknown-linux-gnu/tls/sse2:/data/i686-unknown-linux-gnu/tls:/data/i686-unknown-linux-gnu/i686/sse2:/data/i686-unknown-linux-gnu/i686:/data/i686-unknown-linux-gnu/sse2:/data/i686-unknown-linux-gnu:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/tls/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/tls/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/tls/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/tls/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/tls/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/tls/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/tls/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/tls/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/tls/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64		(RPATH from file ./secret-g3-O0-s0-d)
      2309:	  trying file=/data/i686-unknown-linux-gnu/tls/i686/sse2/libcheck-g3-O0-s0.so
      2309:	  trying file=/data/i686-unknown-linux-gnu/tls/i686/libcheck-g3-O0-s0.so
      2309:	  trying file=/data/i686-unknown-linux-gnu/tls/sse2/libcheck-g3-O0-s0.so
      2309:	  trying file=/data/i686-unknown-linux-gnu/tls/libcheck-g3-O0-s0.so
      2309:	  trying file=/data/i686-unknown-linux-gnu/i686/sse2/libcheck-g3-O0-s0.so
      2309:	  trying file=/data/i686-unknown-linux-gnu/i686/libcheck-g3-O0-s0.so
      2309:	  trying file=/data/i686-unknown-linux-gnu/sse2/libcheck-g3-O0-s0.so
      2309:	  trying file=/data/i686-unknown-linux-gnu/libcheck-g3-O0-s0.so
      2309:	
      2309:	find library=libc.so.6 [0]; searching
      2309:	 search path=/data/i686-unknown-linux-gnu:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/tls/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/tls/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/tls/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/tls/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/tls/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/tls/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/tls/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/tls/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/tls/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/i686/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/i686:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/sse2:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64		(RPATH from file ./secret-g3-O0-s0-d)
      2309:	  trying file=/data/i686-unknown-linux-gnu/libc.so.6
      2309:	  trying file=/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls/i686/sse2/libc.so.6
      2309:	  trying file=/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls/i686/libc.so.6
      2309:	  trying file=/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls/sse2/libc.so.6
      2309:	  trying file=/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls/libc.so.6
      2309:	  trying file=/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/i686/sse2/libc.so.6
      2309:	  trying file=/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/i686/libc.so.6
      2309:	  trying file=/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/sse2/libc.so.6
      2309:	  trying file=/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/libc.so.6
      2309:	
      2309:	
      2309:	calling init: /opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/libc.so.6
      2309:	
      2309:	
      2309:	calling init: /data/i686-unknown-linux-gnu/libcheck-g3-O0-s0.so
      2309:	
      2309:	
      2309:	initialize program: ./secret-g3-O0-s0-d
      2309:	
      2309:	
      2309:	transferring control: ./secret-g3-O0-s0-d
      2309:	
      2309:	
      2309:	calling fini: ./secret-g3-O0-s0-d [0]
      2309:	
      2309:	
      2309:	calling fini: /data/i686-unknown-linux-gnu/libcheck-g3-O0-s0.so [0]
      2309:

Running with manticore --env LD_DEBUG=all results in:

      1000:	
      1000:	file=libcheck-g3-O0-s0.so [0];  needed by secret-g3-O0-s0-d [0]
      1000:	find library=libcheck-g3-O0-s0.so [0]; searching
      1000:	 search path=/data/i686-unknown-linux-gnu/tls:/data/i686-unknown-linux-gnu:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64		(RPATH from file secret-g3-O0-s0-d)
      1000:	  trying file=/data/i686-unknown-linux-gnu/tls/libcheck-g3-O0-s0.so
      1000:	  trying file=/data/i686-unknown-linux-gnu/libcheck-g3-O0-s0.so
      1000:	
      1000:	file=libcheck-g3-O0-s0.so [0];  generating link map
      1000:	  dynamic: 0xf7ffcf44  base: 0xf7ffb000   size: 0x00002018
      1000:	    entry: 0xf7ffb360  phdr: 0xf7ffb034  phnum:          6
      1000:	
      1000:	
      1000:	file=libc.so.6 [0];  needed by secret-g3-O0-s0-d [0]
      1000:	find library=libc.so.6 [0]; searching
      1000:	 search path=/data/i686-unknown-linux-gnu:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64/tls:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64		(RPATH from file secret-g3-O0-s0-d)
      1000:	  trying file=/data/i686-unknown-linux-gnu/libc.so.6
      1000:	 search cache=/etc/ld.so.cache
      1000:	 search path=/lib/tls:/lib:/usr/lib/tls:/usr/lib		(system search path)
      1000:	  trying file=/lib/tls/libc.so.6
      1000:	  trying file=/lib/libc.so.6
      1000:	  trying file=/usr/lib/tls/libc.so.6
      1000:	  trying file=/usr/lib/libc.so.6
      1000:

test_00000000.stdout:

secret-g3-O0-s0-d: error while loading shared libraries: libc.so.6: cannot open shared object file: Error 9

As you can see, it ignores all but the first path in .rpath and doesn't find the right C library.

Readelf sections:

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048540
  Start of program headers:          52 (bytes into file)
  Start of section headers:          31372 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         9
  Size of section headers:           40 (bytes)
  Number of section headers:         38
  Section header string table index: 35
...
  INTERP         0x000154 0x08048154 0x08048154 0x0004d 0x0004d R   0x1
      [Requesting program interpreter: /opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/ld-linux.so.2]
...
 0x0000000f (RPATH)                      Library rpath: [/data/i686-unknown-linux-gnu:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib64:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib:/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/usr/lib64]
...

Strace shows that it loads the right interpreter (ld-linux.so.2 links to ld-2.25.so):

strace_manticore.log.1032:open("/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/ld-linux.so.2", O_RDONLY) = 5</opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/ld-2.25.so>
strace_manticore.log.1032:open("/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/ld-linux.so.2", O_RDONLY) = 6</opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/ld-2.25.so>
strace_manticore.log.1032:open("/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/ld-linux.so.2", O_RDONLY) = 6</opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/ld-2.25.so>
strace_manticore.log.1070:open("/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/ld-linux.so.2", O_RDONLY) = 8</opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/ld-2.25.so>
strace_manticore.log.1070:open("/opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/ld-linux.so.2", O_RDONLY) = 8</opt/i686-unknown-linux-gnu/i686-unknown-linux-gnu/sysroot/lib/ld-2.25.so>

The text was updated successfully, but these errors were encountered:

offlinemark · 2018-01-20T14:48:55Z

Bounty

ehennenfent · 2020-01-29T00:18:17Z

https://github.com/trailofbits/manticore/wiki/Ideas

## newstat - Currently `sys_newstat`'s implementation is based on `sys_stat64` - This is inaccurate because `sys_stat64` is expected to return a `struct stat64` back to userland [ref1](https://elixir.bootlin.com/linux/v5.17.5/source/fs/stat.c#L521) [ref2](https://elixir.bootlin.com/linux/v5.17.5/source/arch/x86/include/uapi/asm/stat.h#L42) - Instead, `sys_newstat` is supposed to return a `struct stat` [ref1](https://elixir.bootlin.com/linux/v5.17.5/source/fs/stat.c#L380) [ref2](https://elixir.bootlin.com/linux/v5.17.5/source/arch/x86/include/uapi/asm/stat.h#L83) - This causes issues because the two structs have different definitions, and in practice causes errors in the loader. For example "LD_LIBRARY_PATH" environment variable does not work. I suspect #489 might be related as well but I have yet to test. - To fix this we can reuse the `sys_newfstat` implementation, which returns the correct `struct stat` structure to userland ## newfstat - Currently `sys_newfstat` returns a structure based on the x86_64 version of `struct stat` [ref1](https://elixir.bootlin.com/linux/v5.17.5/source/arch/x86/include/uapi/asm/stat.h#L83) - This does not account for the different `struct stat` definition on 32-bit x86 [ref1](https://elixir.bootlin.com/linux/v5.17.5/source/arch/x86/include/uapi/asm/stat.h#L10) (Notice the `#ifdef`)

offlinemark added bug loader labels Sep 8, 2017

ehennenfent added this to the Validate Existing issues milestone Jan 23, 2019

ehennenfent added the needs_review label Feb 26, 2019

ehennenfent removed this from the Validate Existing issues milestone Feb 26, 2019

ehennenfent closed this as completed Jan 29, 2020

lordidiot mentioned this issue May 3, 2022

Fix newstat and newfstat syscalls #2544

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Linker can't find C library, ignores .rpath? #489

Linker can't find C library, ignores .rpath? #489

251 commented Sep 8, 2017 •

edited

offlinemark commented Jan 20, 2018

ehennenfent commented Jan 29, 2020

Linker can't find C library, ignores .rpath? #489

Linker can't find C library, ignores .rpath? #489

Comments

251 commented Sep 8, 2017 • edited

OS / Environment

Manticore version

Python version

Dependencies

Summary of the problem

offlinemark commented Jan 20, 2018

ehennenfent commented Jan 29, 2020

251 commented Sep 8, 2017 •

edited