--clear-symbol-version with glibc? #284

Manouchehri · 2021-06-23T19:25:19Z

I'm trying to monkey patch out a glibc version check, but having a hard time figuring out exactly how the versions are tracked. Haven't been able to figure out how to remove them. Here's what I started with:

dave@xps:~/dave/reven$ readelf -a /home/dave/Work/reven/squashfs-root/usr/lib/libpython3.7m.so.1.0 | grep "2\.28"
000000433818  011c00000007 R_X86_64_JUMP_SLO 0000000000000000 fcntl64@GLIBC_2.28 + 0
   284: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND fcntl64@GLIBC_2.28 (16)
  11c:  10 (GLIBC_2.28)    0 (*local*)      11 (GLIBC_2.6)     2 (GLIBC_2.2.5)
  0x0110:   Name: GLIBC_2.28  Flags: none  Version: 16

Based off this, I cleared the version for fcntl64@GLIBC_2.28. (At the moment, I'm totally fine if this causes a segfault.)

~/Work/patchelf/src/patchelf --debug --clear-symbol-version fcntl64 /home/dave/Work/reven/squashfs-root/usr/lib/libpython3.7m.so.1.0

dave@xps:~/Work/reven/squashfs-root$ ./AppRun 
/home/dave/Work/reven/squashfs-root/usr/bin/axion: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.28' not found (required by /home/dave/Work/reven/squashfs-root/usr/lib/libpython3.7m.so.1.0)

Version needs section '.gnu.version_r' contains 6 entries:
 Addr: 0x000000000001dcc0  Offset: 0x01dcc0  Link: 26 (.dynstr)
  000000: Version: 1  File: libz.so.1  Cnt: 1
  0x0010:   Name: ZLIB_1.2.0  Flags: none  Version: 21
  0x0020: Version: 1  File: libdl.so.2  Cnt: 1
  0x0030:   Name: GLIBC_2.2.5  Flags: none  Version: 13
  0x0040: Version: 1  File: libutil.so.1  Cnt: 1
  0x0050:   Name: GLIBC_2.2.5  Flags: none  Version: 10
  0x0060: Version: 1  File: libpthread.so.0  Cnt: 2
  0x0070:   Name: GLIBC_2.3.2  Flags: none  Version: 6
  0x0080:   Name: GLIBC_2.2.5  Flags: none  Version: 5
  0x0090: Version: 1  File: libm.so.6  Cnt: 1
  0x00a0:   Name: GLIBC_2.2.5  Flags: none  Version: 3
  0x00b0: Version: 1  File: libc.so.6  Cnt: 15
  0x00c0:   Name: GLIBC_2.15  Flags: none  Version: 22
  0x00d0:   Name: GLIBC_2.14  Flags: none  Version: 20
  0x00e0:   Name: GLIBC_2.10  Flags: none  Version: 19
  0x00f0:   Name: GLIBC_2.7  Flags: none  Version: 18
  0x0100:   Name: GLIBC_2.6  Flags: none  Version: 17
  0x0110:   Name: GLIBC_2.28  Flags: none  Version: 16
  0x0120:   Name: GLIBC_2.3.2  Flags: none  Version: 15
  0x0130:   Name: GLIBC_2.25  Flags: none  Version: 14
  0x0140:   Name: GLIBC_2.26  Flags: none  Version: 12
  0x0150:   Name: GLIBC_2.4  Flags: none  Version: 11
  0x0160:   Name: GLIBC_2.3  Flags: none  Version: 9
  0x0170:   Name: GLIBC_2.17  Flags: none  Version: 8
  0x0180:   Name: GLIBC_2.3.4  Flags: none  Version: 7
  0x0190:   Name: GLIBC_2.9  Flags: none  Version: 4
  0x01a0:   Name: GLIBC_2.2.5  Flags: none  Version: 2

I tried patching the string of GLIBC_2.28 to GLIBC_2.27 myself, and oddly enough that did nothing. Same issue.

dave@xps:~/Work/reven/squashfs-root$ ./AppRun
/home/dave/Work/reven/squashfs-root/usr/bin/axion: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.27' not found (required by /home/dave/Work/reven/squashfs-root/usr/lib/libpython3.7m.so.1.0)

I also tried replacing libc.so.6 as a random last attempt. Didn't seem to make a difference.

~/Work/patchelf/src/patchelf --debug --replace-needed libc.so.6 libc.so.6 /home/dave/Work/reven/squashfs-root/usr/lib/libpython3.7m.so.1.0

Any ideas on what I'm doing wrong? Not sure if it's something on my end or a limitation of patchelf.

Thanks!

The text was updated successfully, but these errors were encountered:

maxlapshin · 2021-07-19T13:37:03Z

I'm also interested in fixing this bug. Trying to remove version dependency

Mic92 · 2021-08-10T06:15:15Z

I think versions are tracked in relocation sections of the binaries i.e. .rela.dyn and .rela.plt. You might be able to replace those with sed. The actual strings are in .dynsim and .symtab. If you use sed it's best to either keep the length or shorten the string by replacing characters with null bytes.

cognivore · 2022-09-04T17:45:35Z

Did anyone manage to actually do that?

This problem did not improve much in the last 20 years. The `patchelf` trick as v0.18.0 (2023-04) is broken due to: NixOS/patchelf#284 NixOS/patchelf#374 NixOS/patchelf#394 Links: https://github.com/phusion/holy-build-box#problem-introduction https://mesonbuild.com/Creating-Linux-binaries.html https://andrewkelley.me/post/zig-cc-powerful-drop-in-replacement-gcc-clang.html

This problem did not improve much in the last 20 years. The `patchelf` trick as v0.18.0 (2023-04) is broken due to: NixOS/patchelf#284 NixOS/patchelf#374 NixOS/patchelf#394 It also looks like a rather fragile and accidental hack. The only real solution is to somehow install older glibc headers and libs and force-build against them. The force-load it when running `curl -V` after the build. There seems to be no out-of-the box way of doing these on Linux. The common solution is to build on a Linux that is older than everyone else's who wants to run the binaries bulit. This is inconvenient, and forces to use old toolchains, possibly with security and performance consequences. Another is to use a tool like crosstool-ng, that involves building the complete toolchain from scratch and also means to deal with a whole lot of supply chain issues, esp. considering the tendency that such tools often pull sources unverified and/or via cleartext HTTP over the internet. Components are often outdated and use custom patches. Plus resources needed for building these. Or possibly using NixOS could help here? Or deploy with Docker, snap, flatpak, which is another thick layer of complexity on top. Links: https://github.com/phusion/holy-build-box#problem-introduction https://mesonbuild.com/Creating-Linux-binaries.html https://andrewkelley.me/post/zig-cc-powerful-drop-in-replacement-gcc-clang.html arm64: ``` U __libc_start_main@GLIBC_2.34 U fstat64@GLIBC_2.33 U fstat@GLIBC_2.33 U pthread_create@GLIBC_2.34 U pthread_detach@GLIBC_2.34 U pthread_getspecific@GLIBC_2.34 U pthread_join@GLIBC_2.34 U pthread_key_create@GLIBC_2.34 U pthread_key_delete@GLIBC_2.34 U pthread_once@GLIBC_2.34 U pthread_rwlock_destroy@GLIBC_2.34 U pthread_rwlock_init@GLIBC_2.34 U pthread_rwlock_rdlock@GLIBC_2.34 U pthread_rwlock_unlock@GLIBC_2.34 U pthread_rwlock_wrlock@GLIBC_2.34 U pthread_setspecific@GLIBC_2.34 U stat64@GLIBC_2.33 U stat@GLIBC_2.33 ``` amd64: ``` U __explicit_bzero_chk@GLIBC_2.25 U __libc_start_main@GLIBC_2.34 U fcntl64@GLIBC_2.28 U fstat64@GLIBC_2.33 U fstat@GLIBC_2.33 w getentropy@GLIBC_2.25 U getrandom@GLIBC_2.25 U pthread_create@GLIBC_2.34 U pthread_detach@GLIBC_2.34 U pthread_getspecific@GLIBC_2.34 U pthread_join@GLIBC_2.34 U pthread_key_create@GLIBC_2.34 U pthread_key_delete@GLIBC_2.34 U pthread_once@GLIBC_2.34 U pthread_rwlock_destroy@GLIBC_2.34 U pthread_rwlock_init@GLIBC_2.34 U pthread_rwlock_rdlock@GLIBC_2.34 U pthread_rwlock_unlock@GLIBC_2.34 U pthread_rwlock_wrlock@GLIBC_2.34 U pthread_setspecific@GLIBC_2.34 U stat64@GLIBC_2.33 U stat@GLIBC_2.33 ```

This problem did not improve much in the last 20 years. The `patchelf` trick as v0.18.0 (2023-04) is broken due to: NixOS/patchelf#284 NixOS/patchelf#374 NixOS/patchelf#394 It also looks like a rather fragile and accidental hack. The only real solution is to somehow install older glibc headers and libs and force-build against them. The force-load it when running `curl -V` after the build. There seems to be no out-of-the box way of doing these on Linux. The common solution is to build on a Linux that is older than everyone else's who wants to run the binaries bulit. This is inconvenient, and forces to use old toolchains, possibly with security and performance consequences. Another is to use a tool like crosstool-ng, that involves building the complete toolchain from scratch and also means to deal with a whole lot of supply chain issues, esp. considering the tendency that such tools often pull sources unverified and/or via cleartext HTTP over the internet. Components are often outdated and use custom patches. Plus resources needed for building these. Or possibly using NixOS could help here? Or deploy with Docker, snap, flatpak, which is another thick layer of complexity on top. Links: https://github.com/phusion/holy-build-box#problem-introduction https://mesonbuild.com/Creating-Linux-binaries.html https://andrewkelley.me/post/zig-cc-powerful-drop-in-replacement-gcc-clang.html https://developers.redhat.com/blog/2019/08/01/how-the-gnu-c-library-handles-backward-compatibility arm64: ``` U __libc_start_main@GLIBC_2.34 U fstat64@GLIBC_2.33 U fstat@GLIBC_2.33 U pthread_create@GLIBC_2.34 U pthread_detach@GLIBC_2.34 U pthread_getspecific@GLIBC_2.34 U pthread_join@GLIBC_2.34 U pthread_key_create@GLIBC_2.34 U pthread_key_delete@GLIBC_2.34 U pthread_once@GLIBC_2.34 U pthread_rwlock_destroy@GLIBC_2.34 U pthread_rwlock_init@GLIBC_2.34 U pthread_rwlock_rdlock@GLIBC_2.34 U pthread_rwlock_unlock@GLIBC_2.34 U pthread_rwlock_wrlock@GLIBC_2.34 U pthread_setspecific@GLIBC_2.34 U stat64@GLIBC_2.33 U stat@GLIBC_2.33 ``` amd64: ``` U __explicit_bzero_chk@GLIBC_2.25 U __libc_start_main@GLIBC_2.34 U fcntl64@GLIBC_2.28 U fstat64@GLIBC_2.33 U fstat@GLIBC_2.33 w getentropy@GLIBC_2.25 U getrandom@GLIBC_2.25 U pthread_create@GLIBC_2.34 U pthread_detach@GLIBC_2.34 U pthread_getspecific@GLIBC_2.34 U pthread_join@GLIBC_2.34 U pthread_key_create@GLIBC_2.34 U pthread_key_delete@GLIBC_2.34 U pthread_once@GLIBC_2.34 U pthread_rwlock_destroy@GLIBC_2.34 U pthread_rwlock_init@GLIBC_2.34 U pthread_rwlock_rdlock@GLIBC_2.34 U pthread_rwlock_unlock@GLIBC_2.34 U pthread_rwlock_wrlock@GLIBC_2.34 U pthread_setspecific@GLIBC_2.34 U stat64@GLIBC_2.33 U stat@GLIBC_2.33 ```

This problem did not improve much in the last 20 years. The `patchelf` trick as v0.18.0 (2023-04) is broken due to: https://github dot com/NixOS/patchelf/issues/284 https://github dot com/NixOS/patchelf/pull/374 https://github dot com/NixOS/patchelf/pull/394 It also looks like a rather fragile and accidental hack. The only real solution is to somehow install older glibc headers and libs and force-build against them. The force-load it when running `curl -V` after the build. There seems to be no out-of-the box way of doing these on Linux. The common solution is to build on a Linux that is older than everyone else's who wants to run the binaries bulit. This is inconvenient, and forces to use old toolchains, possibly with security and performance consequences. Another is to use a tool like crosstool-ng, that involves building the complete toolchain from scratch and also means to deal with a whole lot of supply chain issues, esp. considering the tendency that such tools often pull sources unverified and/or via cleartext HTTP over the internet. Components are often outdated and use custom patches. Plus resources needed for building these. Or possibly using NixOS could help here? Or deploy with Docker, snap, flatpak, which is another thick layer of complexity on top. Links: https://github.com/phusion/holy-build-box#problem-introduction https://mesonbuild.com/Creating-Linux-binaries.html https://andrewkelley.me/post/zig-cc-powerful-drop-in-replacement-gcc-clang.html https://developers.redhat.com/blog/2019/08/01/how-the-gnu-c-library-handles-backward-compatibility arm64: ``` U __libc_start_main@GLIBC_2.34 U fstat64@GLIBC_2.33 U fstat@GLIBC_2.33 U pthread_create@GLIBC_2.34 U pthread_detach@GLIBC_2.34 U pthread_getspecific@GLIBC_2.34 U pthread_join@GLIBC_2.34 U pthread_key_create@GLIBC_2.34 U pthread_key_delete@GLIBC_2.34 U pthread_once@GLIBC_2.34 U pthread_rwlock_destroy@GLIBC_2.34 U pthread_rwlock_init@GLIBC_2.34 U pthread_rwlock_rdlock@GLIBC_2.34 U pthread_rwlock_unlock@GLIBC_2.34 U pthread_rwlock_wrlock@GLIBC_2.34 U pthread_setspecific@GLIBC_2.34 U stat64@GLIBC_2.33 U stat@GLIBC_2.33 ``` amd64: ``` U __explicit_bzero_chk@GLIBC_2.25 U __libc_start_main@GLIBC_2.34 U fcntl64@GLIBC_2.28 U fstat64@GLIBC_2.33 U fstat@GLIBC_2.33 w getentropy@GLIBC_2.25 U getrandom@GLIBC_2.25 U pthread_create@GLIBC_2.34 U pthread_detach@GLIBC_2.34 U pthread_getspecific@GLIBC_2.34 U pthread_join@GLIBC_2.34 U pthread_key_create@GLIBC_2.34 U pthread_key_delete@GLIBC_2.34 U pthread_once@GLIBC_2.34 U pthread_rwlock_destroy@GLIBC_2.34 U pthread_rwlock_init@GLIBC_2.34 U pthread_rwlock_rdlock@GLIBC_2.34 U pthread_rwlock_unlock@GLIBC_2.34 U pthread_rwlock_wrlock@GLIBC_2.34 U pthread_setspecific@GLIBC_2.34 U stat64@GLIBC_2.33 U stat@GLIBC_2.33 ```

This problem did not improve much in the last 20 years. The `patchelf` trick as v0.18.0 (2023-04) is broken due to: NixOS/patchelf#284 NixOS/patchelf#374 NixOS/patchelf#394 It also looks like a rather fragile and accidental hack. The only real solution is to somehow install older glibc headers and libs and force-build against them. The force-load it when running `curl -V` after the build. There seems to be no out-of-the box way of doing these on Linux. The common solution is to build on a Linux that is older than everyone else's who wants to run the binaries bulit. This is inconvenient, and forces to use old toolchains, possibly with security and performance consequences. Another is to use a tool like crosstool-ng, that involves building the complete toolchain from scratch and also means to deal with a whole lot of supply chain issues, esp. considering the tendency that such tools often pull sources unverified and/or via cleartext HTTP over the internet. Components are often outdated and use custom patches. Plus resources needed for building these. Or possibly using NixOS could help here? Or deploy with Docker, snap, flatpak, which is another thick layer of complexity on top. Links: https://github.com/phusion/holy-build-box#problem-introduction https://mesonbuild.com/Creating-Linux-binaries.html https://andrewkelley.me/post/zig-cc-powerful-drop-in-replacement-gcc-clang.html https://developers.redhat.com/blog/2019/08/01/how-the-gnu-c-library-handles-backward-compatibility arm64: ``` U __libc_start_main@GLIBC_2.34 U fstat64@GLIBC_2.33 U fstat@GLIBC_2.33 U pthread_create@GLIBC_2.34 U pthread_detach@GLIBC_2.34 U pthread_getspecific@GLIBC_2.34 U pthread_join@GLIBC_2.34 U pthread_key_create@GLIBC_2.34 U pthread_key_delete@GLIBC_2.34 U pthread_once@GLIBC_2.34 U pthread_rwlock_destroy@GLIBC_2.34 U pthread_rwlock_init@GLIBC_2.34 U pthread_rwlock_rdlock@GLIBC_2.34 U pthread_rwlock_unlock@GLIBC_2.34 U pthread_rwlock_wrlock@GLIBC_2.34 U pthread_setspecific@GLIBC_2.34 U stat64@GLIBC_2.33 U stat@GLIBC_2.33 ``` amd64: ``` U __explicit_bzero_chk@GLIBC_2.25 U __libc_start_main@GLIBC_2.34 U fcntl64@GLIBC_2.28 U fstat64@GLIBC_2.33 U fstat@GLIBC_2.33 w getentropy@GLIBC_2.25 U getrandom@GLIBC_2.25 U pthread_create@GLIBC_2.34 U pthread_detach@GLIBC_2.34 U pthread_getspecific@GLIBC_2.34 U pthread_join@GLIBC_2.34 U pthread_key_create@GLIBC_2.34 U pthread_key_delete@GLIBC_2.34 U pthread_once@GLIBC_2.34 U pthread_rwlock_destroy@GLIBC_2.34 U pthread_rwlock_init@GLIBC_2.34 U pthread_rwlock_rdlock@GLIBC_2.34 U pthread_rwlock_unlock@GLIBC_2.34 U pthread_rwlock_wrlock@GLIBC_2.34 U pthread_setspecific@GLIBC_2.34 U stat64@GLIBC_2.33 U stat@GLIBC_2.33 ```

Should fix NixOS#252, NixOS#284, --remove-needed-version works by removing specified version in .gnu.version_r, and resets version in referenced entry in .gnu.version.

Manouchehri added the bug label Jun 23, 2021

chitao1234 mentioned this issue Aug 3, 2024

Add --remove-needed-version #564

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

--clear-symbol-version with glibc? #284

--clear-symbol-version with glibc? #284

Manouchehri commented Jun 23, 2021

maxlapshin commented Jul 19, 2021

Mic92 commented Aug 10, 2021

cognivore commented Sep 4, 2022

--clear-symbol-version with glibc? #284

--clear-symbol-version with glibc? #284

Comments

Manouchehri commented Jun 23, 2021

maxlapshin commented Jul 19, 2021

Mic92 commented Aug 10, 2021

cognivore commented Sep 4, 2022