libio: Set _vtable_offset before calling _IO_link_in [BZ #32148]

Since _IO_vtable_offset is used to detect the old binaries, set it
in _IO_old_file_init_internal before calling _IO_link_in which checks
_IO_vtable_offset.  Add a glibc 2.0 test with copy relocation on
_IO_stderr_@GLIBC_2.0 to verify that fopen won't cause memory corruption.
This fixes BZ #32148.

Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>

libio/Makefile

@@ -293,11 +293,18 @@ endif
 ifeq ($(build-shared),yes)
 aux	+= oldfileops oldstdfiles
 tests += \
+  tst-fopen-compat \
   tst-stderr-compat \
 # tests
 tests-2.0 += \
+  tst-fopen-compat \
   tst-stderr-compat \
 # tests-2.0
+
+tst-fopen-compat-ARGS = tst-fopen-compat.c
+# Disable PIE to trigger copy relocation.
+CFLAGS-tst-fopen-compat.c += -fno-pie
+tst-fopen-compat-no-pie = yes
 endif
 
 shared-only-routines = oldiofopen oldiofdopen oldiofclose oldfileops	\

libio/oldfileops.c

@@ -103,9 +103,11 @@ _IO_old_file_init_internal (struct _IO_FILE_plus *fp)
   fp->file._old_offset = _IO_pos_BAD;
   fp->file._flags |= CLOSED_FILEBUF_FLAGS;
 
-  _IO_link_in (fp);
+  /* NB: _vtable_offset must be set before calling _IO_link_in since
+     _IO_vtable_offset is used to detect the old binaries.  */
   fp->file._vtable_offset = ((int) sizeof (struct _IO_FILE)
 			     - (int) sizeof (struct _IO_FILE_complete));
+  _IO_link_in (fp);
   fp->file._fileno = -1;
 
   if (&_IO_stdin_used != NULL || !_IO_legacy_file ((FILE *) fp))

libio/tst-fopen-compat.c

@@ -0,0 +1,85 @@
+/* Verify that fopen works with copy relocation on _IO_stderr_ in binaries
+   linked with glibc 2.0.
+   Copyright (C) 2024 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <shlib-compat.h>
+
+#if TEST_COMPAT (libc, GLIBC_2_0, GLIBC_2_1)
+# define _LIBC
+# define _IO_USE_OLD_IO_FILE
+# include <stdio.h>
+# include <string.h>
+# include <unistd.h>
+# include <limits.h>
+# include <sys/stat.h>
+# include <support/check.h>
+
+struct _IO_jump_t;
+
+struct _IO_FILE_plus
+{
+  FILE file;
+  const struct _IO_jump_t *vtable;
+};
+
+extern struct _IO_FILE_plus _IO_stderr_;
+compat_symbol_reference (libc, _IO_stderr_, _IO_stderr_, GLIBC_2_0);
+compat_symbol_reference (libc, fopen, fopen, GLIBC_2_0);
+compat_symbol_reference (libc, fclose, fclose, GLIBC_2_0);
+
+static int
+do_test (int argc, char *argv[])
+{
+  static char filename[PATH_MAX + 1];
+  struct stat st;
+  char *name = NULL;
+  int i;
+
+  /* Try to trigger copy relocation.  */
+  TEST_VERIFY_EXIT (_IO_stderr_.file._fileno == STDERR_FILENO);
+
+  for (i = 1; i < argc; i++)
+    {
+      name = argv[i];
+      if (stat (name, &st) == 0)
+	{
+	  TEST_VERIFY_EXIT (strlen (name) <= PATH_MAX);
+	  break;
+	}
+    }
+  TEST_VERIFY_EXIT (name != NULL);
+
+  strcpy (filename, name);
+  FILE *fp = fopen (filename, "r");
+  TEST_VERIFY_EXIT (strcmp (filename, name) == 0);
+  TEST_VERIFY_EXIT (fp != NULL);
+  TEST_VERIFY_EXIT (fclose (fp) == 0);
+  return 0;
+}
+#else
+# include <support/test-driver.h>
+
+static int
+do_test (int argc, char *argv[])
+{
+  return EXIT_UNSUPPORTED;
+}
+#endif
+
+#define TEST_FUNCTION_ARGV do_test
+#include <support/test-driver.c>