[Bug dynamic-link/13862] Reuse of cached stack can cause bounds overrun of thread DTV

["paul at vineyardnetworks dot com" <sourceware-bugzilla@sourceware.org>]

http://sourceware.org/bugzilla/show_bug.cgi?id=13862

--- Comment #1 from Paul Archard <paul at vineyardnetworks dot com> 2012-03-16 23:01:57 UTC ---
An alternative fix would be the following - it is possibly a more complete fix
but it does break encapsulation a little.  The previous suggested fix relies on
the dtv being fixed up later.

*** dl-tls.c    2011-05-30 21:12:33.000000000 -0700
--- ../../glibc-2.14.orig/elf/dl-tls.c    2012-03-12 14:37:27.422794007 -0700
***************
*** 35,48 ****


  /* Out-of-memory handler.  */
- #ifdef SHARED
  static void
  __attribute__ ((__noreturn__))
  oom (void)
  {
    _dl_fatal_printf ("cannot allocate memory for thread-local data: ABORT\n");
  }
- #endif


  size_t
--- 35,46 ----
***************
*** 388,393 ****
--- 386,437 ----
       TLS.  For those which are dynamically loaded we add the values
       indicating deferred allocation.  */
    listp = GL(dl_tls_dtv_slotinfo_list);
+ 
+   /* check if current dtv is big enough */
+   if (dtv[-1].counter < GL(dl_tls_max_dtv_idx))
+   {
+     dtv_t *newp;
+     size_t newsize = GL(dl_tls_max_dtv_idx) + DTV_SURPLUS;
+     size_t oldsize = dtv[-1].counter;
+       
+     if (
+ #ifdef SHARED
+         dtv == GL(dl_initial_dtv)
+ #else
+         0
+ #endif
+         )
+     {
+       /* This is the initial dtv that was allocated
+       during rtld startup using the dl-minimal.c
+       malloc instead of the real malloc.  We can't
+       free it, we have to abandon the old storage.  */
+       newp = malloc ((2 + newsize) * sizeof (dtv_t));
+       if (newp == NULL)
+         oom ();
+       memcpy (newp, &dtv[-1], (2 + oldsize) * sizeof (dtv_t));
+     }
+     else
+     {
+       newp = realloc(&dtv[-1], (2 + newsize) * sizeof (dtv_t));
+       if (newp == NULL)
+         oom();
+     }
+ 
+     newp[0].counter = newsize;
+ 
+     /* Clear the newly allocated part.  */
+     memset (newp + 2 + oldsize, '\0', (newsize - oldsize) * sizeof (dtv_t));
+ 
+     /* Point dtv to the generation counter.  */
+     dtv = &newp[1];
+ 
+     /* Install this new dtv in the given thread */
+     INSTALL_DTV (result, newp);
+   
+     assert(dtv[-1].counter >= GL(dl_tls_max_dtv_idx));
+   }
+ 
    while (1)
      {
        size_t cnt;

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.