public inbox for glibc-bugs@sourceware.org
From: "nszabolcs at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/19129] New: [arm] Concurrent lazy TLSDESC resolution can crash
Date: Wed, 14 Oct 2015 13:49:00 -0000
Message-ID: <bug-19129-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=19129

            Bug ID: 19129
           Summary: [arm] Concurrent lazy TLSDESC resolution can crash
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: nszabolcs at gmail dot com
  Target Milestone: ---

_dl_tlsdesc_resolve_hold can crash because it does not save/restore r0
(tlsdesc pointer) which gets clobbered.

Happens with lazy binding (default), tlsdesc (-mtls-dialect=gnu2) and
concurrent first access to the same TLS object:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  _dl_tlsdesc_resolve_hold () at ../sysdeps/arm/dl-tlsdesc.S:214
214             sfi_breg r0, \
[Current thread is 1 (Thread 0xf72cca00 (LWP 9307))]
(gdb) disas
Dump of assembler code for function _dl_tlsdesc_resolve_hold:
   0xf7479630 <+0>:     push    {r2, r3, r12, lr}
   0xf7479634 <+4>:     sub     r1, pc, #12
   0xf7479638 <+8>:     bl      0xf74794fc <_dl_tlsdesc_resolve_hold_fixup>
   0xf747963c <+12>:    pop     {r2, r3, r12, lr}
=> 0xf7479640 <+16>:    ldr     r1, [r0, #4]
   0xf7479644 <+20>:    bx      r1
End of assembler dump.
(gdb) i reg
r0             0x0      0
r1             0x0      0
r2             0xf745fc74       4148558964
r3             0x7      7
r4             0xf72cca00       4146907648
r5             0xffbb3c18       4290460696
r6             0x0      0
r7             0x152    338
r8             0xffbb3c18       4290460696
r9             0xf748d4c0       4148745408
r10            0x0      0
r11            0xf72cc53c       4146906428
r12            0xf7441fa4       4148436900
sp             0xf72cc3fc       0xf72cc3fc
lr             0xf7441fb8       -146530376
pc             0xf7479640       0xf7479640 <_dl_tlsdesc_resolve_hold+16>
cpsr           0x60080010       1611137040

-- 
You are receiving this mail because:
You are on the CC list for the bug.
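
The trigger condition named in the report above (concurrent first access to the same TLS object), as an added C harness; it is not part of the original report or of glibc, and all names in it are hypothetical. It assumes the code is built into a shared object on ARM with -fPIC and -mtls-dialect=gnu2 under default lazy binding, since in a plain executable the linker relaxes the access and the lazy TLSDESC path is not taken.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdint.h>
#define NTHREADS 8            /* constructed value */
#define TLS_INIT 0x5a5a5a5au  /* constructed sentinel */

__thread unsigned tls_obj = TLS_INIT; /* non-static: dynamic TLS model under -fPIC */
static atomic_int ready, done, gate;  /* gate: 0 hold, 1 race, 2 exit */
static uintptr_t addr_seen[NTHREADS];
static unsigned val_seen[NTHREADS];

static void wait_for(atomic_int *v, int n) { while (atomic_load(v) < n) sched_yield(); }

static void *first_access(void *arg)
{
    int id = (int)(intptr_t)arg;
    atomic_fetch_add(&ready, 1);
    wait_for(&gate, 1);               /* all threads leave the gate together */
    unsigned *p = &tls_obj;           /* first access to the TLS object */
    addr_seen[id] = (uintptr_t)p;
    val_seen[id] = *p;
    atomic_fetch_add(&done, 1);
    wait_for(&gate, 2);               /* stay alive so TLS blocks are not reused */
    return NULL;
}

/* Returns 0 if every thread got its own initialized copy, -1 otherwise.
   The calling thread must not touch tls_obj before this runs. */
int race_first_tls_access(void)
{
    pthread_t t[NTHREADS];
    int n = 0, rc = 0;
    atomic_store(&ready, 0); atomic_store(&done, 0); atomic_store(&gate, 0);
    while (n < NTHREADS &&
           !pthread_create(&t[n], NULL, first_access, (void *)(intptr_t)n))
        n++;
    wait_for(&ready, n);              /* every started thread is parked */
    atomic_store(&gate, 1);           /* release them into the first access */
    wait_for(&done, n);
    atomic_store(&gate, 2);
    for (int i = 0; i < n; i++) {
        pthread_join(t[i], NULL);
        if (val_seen[i] != TLS_INIT) rc = -1;
        for (int j = 0; j < i; j++)
            if (addr_seen[j] == addr_seen[i]) rc = -1;  /* copies must differ */
    }
    return n == NTHREADS ? rc : -1;
}
```

On an affected build the failure would show up as the SIGSEGV in the report rather than as a -1 return; the return value only covers the case where resolution completes but yields a wrong address or value.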


Thread overview: 3+ messages
2015-10-14 13:49 nszabolcs at gmail dot com [this message]
2015-10-14 16:02 ` [Bug dynamic-link/19129] " cvs-commit at gcc dot gnu.org
2015-10-14 16:08 ` nszabolcs at gmail dot com
