public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/17319] New: init_tls switches around esp during set_thread_area syscall
@ 2014-08-27 15:01 mjw at redhat dot com
2014-08-27 15:02 ` [Bug libc/17319] " mjw at redhat dot com
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: mjw at redhat dot com @ 2014-08-27 15:01 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17319
Bug ID: 17319
Summary: init_tls switches around esp during set_thread_area
syscall
Product: glibc
Version: 2.20
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: mjw at redhat dot com
CC: drepper.fsp at gmail dot com
Originally reported and analysed at
https://bugzilla.redhat.com/show_bug.cgi?id=1133134
TLS_INIT_TP in sysdeps/i386/nptl/tls.h uses some hand written asm to generate a
set_thread_area syscall that might result in exchanging ebx and esp around the
syscall causing introspection tools like valgrind to loose track of the user
stack.
The TLS_INIT_TP macro contains:
/* Install the TLS. */ \
asm volatile (TLS_LOAD_EBX \
"int $0x80\n\t" \
TLS_LOAD_EBX \
: "=a" (_result), "=m" (_segdescr.desc.entry_number) \
: "0" (__NR_set_thread_area), \
TLS_EBX_ARG (&_segdescr.desc), "m" (_segdescr.desc)); \
Which gets turned into:
0x04000a1c <+274>: mov $0xf3,%eax
0x04000a21 <+279>: movl $0xfffff,0x8(%esp)
0x04000a29 <+287>: movl $0x51,0xc(%esp)
=> 0x04000a31 <+295>: xchg %esp,%ebx
0x04000a33 <+297>: int $0x80
0x04000a35 <+299>: xchg %esp,%ebx
0x04000a37 <+301>: test %eax,%eax
0x04000a39 <+303>: jne 0x4000a52 <init_tls+328>
That will cause valgrind errors like:
==10806== Warning: client switching stacks? SP change: 0xfec25590 -->
0x4024f94
==10806== to suppress, use: --max-stackframe=88078852 or greater
==10806== Warning: client switching stacks? SP change: 0x4024f94 -->
0xfec25590
==10806== to suppress, use: --max-stackframe=88078852 or greater
Thanks to Florian Weimer for analysing why the original code generated
the bogus esp usage:
_segdescr.desc happens to be at the top of the stack, so its address
is in %esp. The asm statement says that %3 is an input, so its value
will not change, and GCC can use %esp as the input register for the
expression &_segdescr.desc. But the constraints do not fully describe
the asm statement because the %3 register is actually modified, albeit
only temporarily.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug libc/17319] init_tls switches around esp during set_thread_area syscall
2014-08-27 15:01 [Bug libc/17319] New: init_tls switches around esp during set_thread_area syscall mjw at redhat dot com
@ 2014-08-27 15:02 ` mjw at redhat dot com
2014-08-28 8:20 ` cvs-commit at gcc dot gnu.org
2014-08-28 9:14 ` fweimer at redhat dot com
2 siblings, 0 replies; 4+ messages in thread
From: mjw at redhat dot com @ 2014-08-27 15:02 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17319
--- Comment #1 from Mark Wielaard <mjw at redhat dot com> ---
Patch submitted: https://sourceware.org/ml/libc-alpha/2014-08/msg00417.html
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug libc/17319] init_tls switches around esp during set_thread_area syscall
2014-08-27 15:01 [Bug libc/17319] New: init_tls switches around esp during set_thread_area syscall mjw at redhat dot com
2014-08-27 15:02 ` [Bug libc/17319] " mjw at redhat dot com
@ 2014-08-28 8:20 ` cvs-commit at gcc dot gnu.org
2014-08-28 9:14 ` fweimer at redhat dot com
2 siblings, 0 replies; 4+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2014-08-28 8:20 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17319
--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via 9570bc53fcc11d3cfe028989e611266e8d55bd09 (commit)
from b0f955c9ac70181532e93aa78c49c204c2a31dfd (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9570bc53fcc11d3cfe028989e611266e8d55bd09
commit 9570bc53fcc11d3cfe028989e611266e8d55bd09
Author: Mark Wielaard <mjw@redhat.com>
Date: Wed Aug 27 17:07:58 2014 +0200
i386 TLS_INIT_TP might produce bogus asm changing stack pointer [BZ #17319]
TLS_INIT_TP in sysdeps/i386/nptl/tls.h uses some hand written asm to
generate a set_thread_area that might result in exchanging ebx and esp
around the syscall causing introspection tools like valgrind to loose
track of the user stack. Just use INTERNAL_SYSCALL which makes sure
esp isn't changed arbitrarily.
Before the patch the code would generate:
mov $0xf3,%eax
movl $0xfffff,0x8(%esp)
movl $0x51,0xc(%esp)
xchg %esp,%ebx
int $0x80
xchg %esp,%ebx
Using INTERNAL_SYSCALL instead will generate:
movl $0xfffff,0x8(%esp)
movl $0x51,0xc(%esp)
xchg %ecx,%ebx
mov $0xf3,%eax
int $0x80
xchg %ecx,%ebx
Thanks to Florian Weimer for analysing why the original code generated
the bogus esp usage:
_segdescr.desc happens to be at the top of the stack, so its address
is in %esp. The asm statement says that %3 is an input, so its value
will not change, and GCC can use %esp as the input register for the
expression &_segdescr.desc. But the constraints do not fully describe
the asm statement because the %3 register is actually modified, albeit
only temporarily.
[BZ #17319]
* sysdeps/i386/nptl/tls.h (TLS_INIT_TP): Use INTERNAL_SYSCALL
to call set_thread_area instead of hand written asm.
(__NR_set_thread_area): Removed define.
(TLS_FLAG_WRITABLE): Likewise.
(__ASSUME_SET_THREAD_AREA): Remove check.
(TLS_EBX_ARG): Remove define.
(TLS_LOAD_EBX): Likewise.
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 11 +++++++++++
NEWS | 2 +-
sysdeps/i386/nptl/tls.h | 31 ++-----------------------------
3 files changed, 14 insertions(+), 30 deletions(-)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug libc/17319] init_tls switches around esp during set_thread_area syscall
2014-08-27 15:01 [Bug libc/17319] New: init_tls switches around esp during set_thread_area syscall mjw at redhat dot com
2014-08-27 15:02 ` [Bug libc/17319] " mjw at redhat dot com
2014-08-28 8:20 ` cvs-commit at gcc dot gnu.org
@ 2014-08-28 9:14 ` fweimer at redhat dot com
2 siblings, 0 replies; 4+ messages in thread
From: fweimer at redhat dot com @ 2014-08-28 9:14 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17319
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |fweimer at redhat dot com
Resolution|--- |FIXED
Assignee|unassigned at sourceware dot org |mjw at redhat dot com
Flags| |security-
--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in master.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-08-28 9:14 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-08-27 15:01 [Bug libc/17319] New: init_tls switches around esp during set_thread_area syscall mjw at redhat dot com
2014-08-27 15:02 ` [Bug libc/17319] " mjw at redhat dot com
2014-08-28 8:20 ` cvs-commit at gcc dot gnu.org
2014-08-28 9:14 ` fweimer at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).