[Bug libc/17319] New: init_tls switches around esp during set_thread_area syscall

[Bug libc/17319] New: init_tls switches around esp during set_thread_area syscall

[mjw at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17319

            Bug ID: 17319
           Summary: init_tls switches around esp during set_thread_area
                    syscall
           Product: glibc
           Version: 2.20
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: mjw at redhat dot com
                CC: drepper.fsp at gmail dot com

Originally reported and analysed at
https://bugzilla.redhat.com/show_bug.cgi?id=1133134

TLS_INIT_TP in sysdeps/i386/nptl/tls.h uses some hand written asm to generate a
set_thread_area syscall that might result in exchanging ebx and esp around the
syscall causing introspection tools like valgrind to loose track of the user
stack.

The TLS_INIT_TP macro contains:

     /* Install the TLS.  */                                                  \
     asm volatile (TLS_LOAD_EBX                                               \
                   "int $0x80\n\t"                                            \
                   TLS_LOAD_EBX                                               \
                   : "=a" (_result), "=m" (_segdescr.desc.entry_number)       \
                   : "0" (__NR_set_thread_area),                              \
                     TLS_EBX_ARG (&_segdescr.desc), "m" (_segdescr.desc));    \

Which gets turned into:

   0x04000a1c <+274>: mov    $0xf3,%eax
   0x04000a21 <+279>: movl   $0xfffff,0x8(%esp)
   0x04000a29 <+287>: movl   $0x51,0xc(%esp)
=> 0x04000a31 <+295>: xchg   %esp,%ebx
   0x04000a33 <+297>: int    $0x80
   0x04000a35 <+299>: xchg   %esp,%ebx
   0x04000a37 <+301>: test   %eax,%eax
   0x04000a39 <+303>: jne    0x4000a52 <init_tls+328>

That will cause valgrind errors like:

==10806== Warning: client switching stacks?  SP change: 0xfec25590 -->
0x4024f94
==10806==          to suppress, use: --max-stackframe=88078852 or greater
==10806== Warning: client switching stacks?  SP change: 0x4024f94 -->
0xfec25590
==10806==          to suppress, use: --max-stackframe=88078852 or greater

Thanks to Florian Weimer for analysing why the original code generated
the bogus esp usage:

  _segdescr.desc happens to be at the top of the stack, so its address
  is in %esp.  The asm statement says that %3 is an input, so its value
  will not change, and GCC can use %esp as the input register for the
  expression &_segdescr.desc.  But the constraints do not fully describe
  the asm statement because the %3 register is actually modified, albeit
  only temporarily.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/17319] init_tls switches around esp during set_thread_area syscall

[mjw at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17319

--- Comment #1 from Mark Wielaard <mjw at redhat dot com> ---
Patch submitted: https://sourceware.org/ml/libc-alpha/2014-08/msg00417.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/17319] init_tls switches around esp during set_thread_area syscall

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=17319

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  9570bc53fcc11d3cfe028989e611266e8d55bd09 (commit)
      from  b0f955c9ac70181532e93aa78c49c204c2a31dfd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9570bc53fcc11d3cfe028989e611266e8d55bd09

commit 9570bc53fcc11d3cfe028989e611266e8d55bd09
Author: Mark Wielaard <mjw@redhat.com>
Date:   Wed Aug 27 17:07:58 2014 +0200

    i386 TLS_INIT_TP might produce bogus asm changing stack pointer [BZ #17319]

    TLS_INIT_TP in sysdeps/i386/nptl/tls.h uses some hand written asm to
    generate a set_thread_area that might result in exchanging ebx and esp
    around the syscall causing introspection tools like valgrind to loose
    track of the user stack. Just use INTERNAL_SYSCALL which makes sure
    esp isn't changed arbitrarily.

    Before the patch the code would generate:

    mov    $0xf3,%eax
    movl   $0xfffff,0x8(%esp)
    movl   $0x51,0xc(%esp)
    xchg   %esp,%ebx
    int    $0x80
    xchg   %esp,%ebx

    Using INTERNAL_SYSCALL instead will generate:

    movl   $0xfffff,0x8(%esp)
    movl   $0x51,0xc(%esp)
    xchg   %ecx,%ebx
    mov    $0xf3,%eax
    int    $0x80
    xchg   %ecx,%ebx

    Thanks to Florian Weimer for analysing why the original code generated
    the bogus esp usage:

      _segdescr.desc happens to be at the top of the stack, so its address
      is in %esp.  The asm statement says that %3 is an input, so its value
      will not change, and GCC can use %esp as the input register for the
      expression &_segdescr.desc.  But the constraints do not fully describe
      the asm statement because the %3 register is actually modified, albeit
      only temporarily.

        [BZ #17319]
        * sysdeps/i386/nptl/tls.h (TLS_INIT_TP): Use INTERNAL_SYSCALL
        to call set_thread_area instead of hand written asm.
        (__NR_set_thread_area): Removed define.
        (TLS_FLAG_WRITABLE): Likewise.
        (__ASSUME_SET_THREAD_AREA): Remove check.
        (TLS_EBX_ARG): Remove define.
        (TLS_LOAD_EBX): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog               |   11 +++++++++++
 NEWS                    |    2 +-
 sysdeps/i386/nptl/tls.h |   31 ++-----------------------------
 3 files changed, 14 insertions(+), 30 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/17319] init_tls switches around esp during set_thread_area syscall

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17319

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |fweimer at redhat dot com
         Resolution|---                         |FIXED
           Assignee|unassigned at sourceware dot org   |mjw at redhat dot com
              Flags|                            |security-

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in master.

-- 
You are receiving this mail because:
You are on the CC list for the bug.