From cd2ae4f68ba0771c5bb87364ef8c3f5a96d66986 Mon Sep 17 00:00:00 2001 From: Daniel Levin Date: Mon, 8 Jun 2026 16:42:03 +0200 Subject: [PATCH] rtld: Check for -1 as an-end-of-section marker rtld calls functions in the .init_array section one at a time, until it finds a distinguished sentinel value. The C runtime does the same thing (in crtend.c). However, that checks for the sentinel -1 and not 1. If one is using a linker that unifies .ctors and .init_array, then rtld will miss the sentinel value. I believe the author of this code intended to write -1 instead of 1. Indeed, changing the code to also check for -1 prevents rtld from attempting to call a non-existent function. The same is true of .dtors and .fini_array. Signed-off-by: Daniel Levin --- libexec/rtld-elf/rtld.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libexec/rtld-elf/rtld.c b/libexec/rtld-elf/rtld.c index d27af520c21d1d..099f19ee8526d7 100644 --- a/libexec/rtld-elf/rtld.c +++ b/libexec/rtld-elf/rtld.c @@ -3166,7 +3166,8 @@ objlist_call_fini(Objlist *list, Obj_Entry *root, RtldLockState *lockstate) for (index = elm->obj->fini_array_num - 1; index >= 0; index--) { if (fini_addr[index] != 0 && - fini_addr[index] != 1) { + fini_addr[index] != 1 && + fini_addr[index] != (Elf_Addr)-1) { dbg("calling fini function for %s at %p", elm->obj->path, (void *)fini_addr[index]); @@ -3272,7 +3273,8 @@ objlist_call_init(Objlist *list, RtldLockState *lockstate) for (index = 0; index < elm->obj->init_array_num; index++) { if (init_addr[index] != 0 && - init_addr[index] != 1) { + init_addr[index] != 1 && + init_addr[index] != (Elf_Addr)-1) { dbg("calling init function for %s at %p", elm->obj->path, (void *)init_addr[index]);