From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 13432 invoked by alias); 14 Apr 2009 16:34:49 -0000
Received: (qmail 13386 invoked by uid 48); 14 Apr 2009 16:34:29 -0000
Date: Tue, 14 Apr 2009 16:34:00 -0000
From: "tom dot aernoudt at coware dot com"
To: glibc-bugs@sources.redhat.com
Message-ID: <20090414163428.10069.tom.aernoudt@coware.com>
Reply-To: sourceware-bugzilla@sourceware.org
Subject: [Bug nptl/10069] New: __pthread_init_static_tls (nptl/allocatestack.c) writes out of bounds of dtv array
X-Bugzilla-Reason: CC
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id:
List-Subscribe:
List-Post:
List-Help: ,
Sender: glibc-bugs-owner@sourceware.org
X-SW-Source: 2009-04/txt/msg00077.txt.bz2

When a multi-threaded executable dynamically loads 15 (or more) shared
libraries that use TLS and are compiled without -fPIC, the function
__pthread_init_static_tls (called from dlopen) will write out of bounds of
the dtv array.

The dtv array initially has a size of 16. The module index
(map->l_tls_modid) used as an index in the dtv array is incremented after
every dlopen. But the dtv array is never reallocated.

If the shared library is compiled with -fPIC, the dtv array is reallocated
from __tls_get_addr and everything seems to work correctly.

I could verify that the following glibc versions have the problem:
- glibc-2.3.4
- glibc-2.3.5
- glibc-2.4

I could not verify (yet) if glibc-2.8 or the CVS version still have the
problem.

Configure:
> ../glibc-2.4/configure --prefix=/usr/users/aernoudt/2/local/glibc-2.4 --enable-add-ons

Kernel:
> uname -a
Linux tux13 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386 GNU/Linux

gcc version:
> gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.6/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
Thread model: posix
gcc version 3.4.6 20060404 (Red Hat 3.4.6-3)

ld version:
> ld -v
GNU ld version 2.15.92.0.2 20040927

Valgrind error:
==10407== Invalid write of size 4
==10407==    at 0x4030FF1: __pthread_init_static_tls (allocatestack.c:941)
==10407==    by 0x400F9AC: dl_open_worker (dl-open.c:452)
==10407==    by 0x400C0E3: _dl_catch_error (dl-error.c:178)
==10407==    by 0x400FB9B: _dl_open (dl-open.c:549)
==10407==    by 0x4027CFB: dlopen_doit (dlopen.c:66)
==10407==    by 0x400C0E3: _dl_catch_error (dl-error.c:178)
==10407==    by 0x4028260: _dlerror_run (dlerror.c:164)
==10407==    by 0x4027D7C: dlopen@@GLIBC_2.1 (dlopen.c:87)
==10407==    by 0x8048E1A: main (main.cpp:43)
==10407==  Address 0x4b710b8 is 0 bytes after a block of size 144 alloc'd
==10407==    at 0x401FC3E: calloc (vg_replace_malloc.c:397)
==10407==    by 0x400E49B: allocate_dtv (dl-tls.c:304)
==10407==    by 0x400E73B: _dl_allocate_tls (dl-tls.c:467)
==10407==    by 0x4031A93: pthread_create@@GLIBC_2.1 (allocatestack.c:515)
==10407==    by 0x8048CA4: main (main.cpp:21)
==10407==
==10407== Invalid write of size 1
==10407==    at 0x4030FFA: __pthread_init_static_tls (allocatestack.c:942)
==10407==    by 0x400F9AC: dl_open_worker (dl-open.c:452)
==10407==    by 0x400C0E3: _dl_catch_error (dl-error.c:178)
==10407==    by 0x400FB9B: _dl_open (dl-open.c:549)
==10407==    by 0x4027CFB: dlopen_doit (dlopen.c:66)
==10407==    by 0x400C0E3: _dl_catch_error (dl-error.c:178)
==10407==    by 0x4028260: _dlerror_run (dlerror.c:164)
==10407==    by 0x4027D7C: dlopen@@GLIBC_2.1 (dlopen.c:87)
==10407==    by 0x8048E1A: main (main.cpp:43)
==10407==  Address 0x4b710bc is 4 bytes after a block of size 144 alloc'd
==10407==    at 0x401FC3E: calloc (vg_replace_malloc.c:397)
==10407==    by 0x400E49B: allocate_dtv (dl-tls.c:304)
==10407==    by 0x400E73B: _dl_allocate_tls (dl-tls.c:467)
==10407==    by 0x4031A93: pthread_create@@GLIBC_2.1 (allocatestack.c:515)
==10407==    by 0x8048CA4: main (main.cpp:21)
==10407==
==10407== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 47 from 1)
==10407== malloc/free: in use at exit: 12,896 bytes in 78 blocks.
==10407== malloc/free: 78 allocs, 0 frees, 12,896 bytes allocated.
==10407== For counts of detected errors, rerun with: -v
==10407== searching for pointers to 78 not-freed blocks.
==10407== checked 10,646,920 bytes.

--
           Summary: __pthread_init_static_tls (nptl/allocatestack.c) writes
                    out of bounds of dtv array
           Product: glibc
           Version: 2.4
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nptl
        AssignedTo: drepper at redhat dot com
        ReportedBy: tom dot aernoudt at coware dot com
                CC: glibc-bugs at sources dot redhat dot com,tom dot aernoudt at coware dot com
 GCC build triplet: i686-pc-linux-gnu
  GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu

http://sourceware.org/bugzilla/show_bug.cgi?id=10069

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
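The mechanism the report describes (a per-thread dtv of 16 entries, a module id that takes the next value on every dlopen, and a static-TLS path that indexes the vector without ever growing it) written out as an added C model. This is not glibc's code and not the reporter's test program: the `dtv_t` layout, the `dtv_*` function names, the doubling growth policy and the simulated load counts are all assumptions made for illustration. The model shows the check the reported path lacked and why a thread created before the dlopen loop is the one whose vector overflows: it was sized at pthread_create time, before any of the module ids it later has to address existed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a per-thread dtv (dynamic thread vector), not
   glibc's code. Index 0 is kept reserved in the spirit of the length
   word glibc stores in front of the vector; module ids start at 1, so a
   vector with `cap` entries can address modids 1 .. cap-1. */
typedef struct {
    void *block;      /* TLS block of this module, NULL if none yet */
    bool  is_static;  /* true when the block lives in the static TLS area */
} dtv_entry;

typedef struct {
    size_t     cap;   /* number of entries allocated */
    dtv_entry *ent;
} dtv_t;

#define DTV_INITIAL_ENTRIES 16   /* the initial size named in the report */

int dtv_init(dtv_t *dtv)
{
    dtv->ent = calloc(DTV_INITIAL_ENTRIES, sizeof *dtv->ent);
    if (dtv->ent == NULL)
        return -1;
    dtv->cap = DTV_INITIAL_ENTRIES;
    return 0;
}

void dtv_free(dtv_t *dtv)
{
    free(dtv->ent);
    dtv->ent = NULL;
    dtv->cap = 0;
}

/* The invariant every writer (the __tls_get_addr path and the static-TLS
   path alike) must establish before touching ent[modid]. */
bool dtv_has_room(const dtv_t *dtv, size_t modid)
{
    return modid < dtv->cap;
}

/* Grow the vector until `modid` is addressable. Doubling keeps the
   number of reallocations logarithmic in the number of loaded modules. */
static int dtv_grow_for(dtv_t *dtv, size_t modid)
{
    size_t newcap = dtv->cap;
    while (newcap <= modid)
        newcap *= 2;
    dtv_entry *n = realloc(dtv->ent, newcap * sizeof *n);
    if (n == NULL)
        return -1;
    /* realloc does not zero the tail; fresh slots must read as "no block". */
    memset(n + dtv->cap, 0, (newcap - dtv->cap) * sizeof *n);
    dtv->ent = n;
    dtv->cap = newcap;
    return 0;
}

/* Record a static TLS block for `modid`, growing the vector first when
   needed. The defect in the report is the absence of exactly this
   has-room/grow step on the static path: it indexed the 16-entry vector
   with whatever modid the new library received. */
int dtv_set_static(dtv_t *dtv, size_t modid, void *block)
{
    if (modid == 0)
        return -1;                        /* modid 0 is reserved */
    if (!dtv_has_room(dtv, modid) && dtv_grow_for(dtv, modid) != 0)
        return -1;
    dtv->ent[modid].block = block;
    dtv->ent[modid].is_static = true;
    return 0;
}

/* Simulate `nload` successive loads of static-TLS modules, each taking the
   next modid starting at `first_modid` (modids already taken by modules
   loaded before the thread existed are skipped that way). Returns the
   capacity the vector ended with, or 0 on allocation failure. */
size_t dtv_capacity_after_loads(size_t first_modid, size_t nload)
{
    static char fake_block[64];           /* constructed stand-in for a TLS block */
    dtv_t dtv;
    if (dtv_init(&dtv) != 0)
        return 0;
    for (size_t i = 0; i < nload; i++) {
        if (dtv_set_static(&dtv, first_modid + i, fake_block) != 0) {
            dtv_free(&dtv);
            return 0;
        }
    }
    size_t cap = dtv.cap;
    dtv_free(&dtv);
    return cap;
}
```

With module ids starting at 1, fifteen loads still fit the initial 16 entries and the sixteenth forces the first growth; if a couple of ids are already taken before the loop (the executable and libc both carry TLS in the report's setup, an assumption made for the second scenario below), fifteen loads are enough to need the reallocation that the unpatched static path never performed.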