dlopen() crashes in sandboxed binary with LC_RPATH load commands

Originator: thakis
Number: rdar://11554244    Date Originated: May 29, 2012
Status: Open    Resolved:
Product: Mac OS X    Product Version: 10.6.8
Classification: Crash/Hang/Data Loss    Reproducible: Always
 
29-May-2012 08:24 PM Nico Weber:
Summary:
dlopen() crashes in sandboxed binary with LC_RPATH load commands

Steps to Reproduce:
Build a program that is sandboxed and that calls dlopen() with -Wl,-rpath,@executable_path/foo. Run it.

For example this program:

#include <dlfcn.h>
#include <sandbox.h>

int main() {
  char* err;
  /* Enter the predefined pure-computation sandbox profile. */
  sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED, &err);
  /* dlopen() a system dylib from inside the sandbox; this is expected to fail, not crash. */
  dlopen("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Resources/libFontRegistry.dylib", RTLD_LAZY | RTLD_LOCAL);
  return 0;
}

This doesn't crash:
clang foo.c -o foo && ./foo

This does crash:
clang foo.c -o foo -Wl,-rpath,@loader_path/foo && ./foo
foo(47269) malloc: *** error for object 0x10000062c: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug

Expected Results:
dlopen() should fail, but not crash.

Actual Results:
It crashes.

Regression:
No.

Notes:

29-May-2012 08:24 PM Nico Weber:
'foo.c' was successfully uploaded
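A small LC_RPATH walker, added here as an example and not part of the radar or its attachment: it parses a 64-bit Mach-O image held in memory and collects its rpath entries, which is the check a build or deployment pipeline can run to find binaries that carry an @loader_path/@executable_path rpath and are therefore exposed to this crash when sandboxed. The function names (find_rpaths, build_sample) and the constructed sample image are assumptions; the constants mirror the values in <mach-o/loader.h> so the code builds on any platform.

```c
#include <stdint.h>
#include <string.h>
#define MH_MAGIC_64 0xfeedfacfu   /* 64-bit little-endian Mach-O magic */
#define LC_RPATH    0x8000001cu   /* 0x1c | LC_REQ_DYLD */
#define MH64_SIZE   32            /* sizeof(struct mach_header_64) */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
/* Walk the load commands of a 64-bit Mach-O image and collect LC_RPATH
 * entries. Returns the number found, or -1 if the image is malformed (bad
 * magic, truncated command, path not NUL-terminated inside its command).
 * At most max_out pointers are stored in out[]; they point into image. */
int find_rpaths(const uint8_t *image, size_t len, const char **out, int max_out) {
    if (len < MH64_SIZE || rd32(image) != MH_MAGIC_64) return -1;
    uint32_t ncmds = rd32(image + 16), sizeofcmds = rd32(image + 20);
    if ((size_t)MH64_SIZE + sizeofcmds > len) return -1;
    size_t off = MH64_SIZE, end = MH64_SIZE + sizeofcmds;
    int found = 0;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (off + 8 > end) return -1;
        uint32_t cmd = rd32(image + off), cmdsize = rd32(image + off + 4);
        if (cmdsize < 8 || off + cmdsize > end) return -1;
        if (cmd == LC_RPATH) {
            if (cmdsize < 12) return -1;
            uint32_t poff = rd32(image + off + 8);            /* lc_str.offset */
            /* the path must be NUL-terminated inside its own command */
            if (poff >= cmdsize || !memchr(image + off + poff, 0, cmdsize - poff))
                return -1;
            if (found < max_out) out[found] = (const char *)(image + off + poff);
            found++;
        }
        off += cmdsize;
    }
    return found;
}

/* Constructed sample (not a real binary): a header plus one LC_RPATH whose
 * path is `path`, e.g. the "@loader_path/foo" from the radar's link line. */
size_t build_sample(uint8_t *buf, const char *path) {
    uint32_t plen = (uint32_t)strlen(path) + 1;
    uint32_t cmdsize = (12 + plen + 7) & ~7u;      /* commands are 8-byte aligned */
    memset(buf, 0, MH64_SIZE + cmdsize);
    wr32(buf, MH_MAGIC_64);
    wr32(buf + 16, 1);                             /* ncmds */
    wr32(buf + 20, cmdsize);                       /* sizeofcmds */
    wr32(buf + MH64_SIZE, LC_RPATH);
    wr32(buf + MH64_SIZE + 4, cmdsize);
    wr32(buf + MH64_SIZE + 8, 12);                 /* path starts right after lc_str */
    memcpy(buf + MH64_SIZE + 12, path, plen);
    return MH64_SIZE + cmdsize;
}
```

On a real binary the same walker can be pointed at the bytes of the file's Mach-O header (or, for a fat binary, at one architecture slice); a non-zero count means the binary carries an rpath the way the crashing build of foo does.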
