Library corruption with armv7 android library when soname changed

[JamesMBallard]

Describe the bug

I used this tool to patch the soname attribute in an armv7 Android library. The tool was used temporarily as a stop-gap measure to avoid renaming a library in our build infrastructure.

The patched library functioned normally until a C++ exception was thrown, and then it would cause a runtime abort and corrupt the stack. I attempted to debug the problem on an armv7 Android emulator, but the problem would cause the emulator itself to crash. The problem did not happen with x86 or arm64 under the same circumstances.

When I would rename and produce the armv7 library I needed as part of our build (so eliminate the patchelf step), the problem went away entirely.

The library format is as follows via the file command:

ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked

Steps To Reproduce

This is the command I used (run on macOS):

# rename and patch to the soname we need...
mv libtestlibrary.so libtestlibrary_armeabi-v7a.so
patchelf --set-soname libtestlibrary_armeabi-v7a.so libtestlibrary_armeabi-v7a.so

During runtime everything worked correctly, until a C++ exception was thrown and then the app would abort. Here is an example of the output captured with logcat. To be clear, the exception is handled, so the error message is misleading that it is an uncaught exception.

06-16 19:40:49.542 13622 13676 F libc    : /Volumes/Android/buildbot/src/android/ndk-release-r21/external/libcxx/../../external/libcxxabi/src/abort_message.cpp:72: abort_message: assertion "terminating with uncaught exception of type pplx::task_canceled: " failed
06-16 19:40:49.542 13622 13676 F libc    : Fatal signal 6 (SIGABRT), code -6 in tid 13676 (QtThread)
06-16 19:40:49.543  2673  2673 W         : debuggerd: handling request: pid=13622 uid=10830 gid=10830 tid=13676
06-16 19:40:49.645 13692 13692 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
06-16 19:40:49.645 13692 13692 F DEBUG   : Build fingerprint: 'Verizon/gts210ltevzw/gts210ltevzw:7.0/NRD90M/T817VVRU2DQE1:user/release-keys'
06-16 19:40:49.645 13692 13692 F DEBUG   : Revision: '6'
06-16 19:40:49.646 13692 13692 F DEBUG   : ABI: 'arm'
06-16 19:40:49.646 13692 13692 F DEBUG   : pid: 13622, tid: 13676, name: QtThread  >>> com.testapp <<<
06-16 19:40:49.646 13692 13692 F DEBUG   : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
06-16 19:40:49.652 13692 13692 F DEBUG   : Abort message: '/Volumes/Android/buildbot/src/android/ndk-release-r21/external/libcxx/../../external/libcxxabi/src/abort_message.cpp:72: abort_message: assertion "terminating with uncaught exception of type pplx::task_canceled: " failed'
06-16 19:40:49.652 13692 13692 F DEBUG   :     r0 00000000  r1 0000356c  r2 00000006  r3 00000008
06-16 19:40:49.652 13692 13692 F DEBUG   :     r4 7c87f978  r5 00000006  r6 7c87f920  r7 0000010c
06-16 19:40:49.652 13692 13692 F DEBUG   :     r8 89fd0ae5  r9 8017a588  sl 8017a594  fp 00000000
06-16 19:40:49.652 13692 13692 F DEBUG   :     ip 00000002  sp 7c87efe0  lr aa90b4b7  pc aa90dd20  cpsr 600e0010
06-16 19:40:49.672 13692 13692 F libc    : stack corruption detected
06-16 19:40:49.673  2680  2680 E audit   : type=1701 audit(1592361649.664:565): auid=4294967295 uid=1045 gid=1045 ses=4294967295 subj=u:r:debuggerd:s0 pid=13692 comm="debuggerd" reason="memory violation" sig=6 audit_filtered
06-16 19:40:49.673  3180  3632 E NativeCrashListener: Unable to read from debuggerd
06-16 19:40:49.674  2673  2673 E         : debuggerd: worker process 13692 terminated due to signal 6
06-16 19:40:49.674  2673  2673 E         : debuggerd: killing target 13622
06-16 19:40:49.675  3180  3308 I BootReceiver: Copying /data/tombstones/tombstone_07 to DropBox (SYSTEM_TOMBSTONE)

Expected behavior

Not have modified runtime behavior.

Version Information

patchelf --version output

Version output: patchelf 0.10

I tested with this specific commit, which was the latest at time I built the tool
https://github.com/NixOS/patchelf/tree/978325def61e0126d13d7936eee51326cbd433d4

Additional context

The patched library was built with Android NDK r20 (clang 8.0.7). I tested with r20b as well but it made no difference.

[domenkozar]

Could you try with patchelf 0.11?

[JamesMBallard]

@domenkozar problem still happens with patchelf 0.11.

[JarlPenguin]

Can confirm with 0.10, patchelf corrupts the library when using --set-soname or --add-needed. Readelf output contains this error:
readelf: Error: the PHDR segment is not covered by a LOAD segment
Was not a problem with 0.9

[JarlPenguin]

Still happens with 0.11

[domenkozar]

Someone needs to bisect between 0.9 and 0.10

[JarlPenguin]

If I have git bisected properly then c4deb5e is causing the problem

Edit: still happening with some previous revisions
Nevermind, that commit is indeed the problem, previous revision doesn't have the bug

[JarlPenguin]

Seems fixed in 0.12

[JarlPenguin]

Fixed for some libs, still happens with others

[DerDakon]

While I was debugging other strange crashes with patched binaries a colleague found at least one issue: the Linux kernel assumes the bss is located after the last LOAD segment. When introducing a new one and moving things around this will lead to the bss not being last, and so it will not be zeroed out. If your static variables are suddenly random junk on startup you are doomed…