public inbox for glibc-bugs@sourceware.org
* [Bug dynamic-link/19129] New: [arm] Concurrent lazy TLSDESC resolution can crash
@ 2015-10-14 13:49 nszabolcs at gmail dot com
2015-10-14 16:02 ` [Bug dynamic-link/19129] " cvs-commit at gcc dot gnu.org
2015-10-14 16:08 ` nszabolcs at gmail dot com
0 siblings, 2 replies; 3+ messages in thread
From: nszabolcs at gmail dot com @ 2015-10-14 13:49 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=19129
Bug ID: 19129
Summary: [arm] Concurrent lazy TLSDESC resolution can crash
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: nszabolcs at gmail dot com
Target Milestone: ---

_dl_tlsdesc_resolve_hold can crash because it does not save/restore r0
(tlsdesc pointer) which gets clobbered.

Happens with lazy binding (default), tlsdesc (-mtls-dialect=gnu2) and
concurrent first access to the same tls object:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 _dl_tlsdesc_resolve_hold () at ../sysdeps/arm/dl-tlsdesc.S:214
214 sfi_breg r0, \
[Current thread is 1 (Thread 0xf72cca00 (LWP 9307))]
(gdb) disas
Dump of assembler code for function _dl_tlsdesc_resolve_hold:
0xf7479630 <+0>: push {r2, r3, r12, lr}
0xf7479634 <+4>: sub r1, pc, #12
0xf7479638 <+8>: bl 0xf74794fc <_dl_tlsdesc_resolve_hold_fixup>
0xf747963c <+12>: pop {r2, r3, r12, lr}
=> 0xf7479640 <+16>: ldr r1, [r0, #4]
0xf7479644 <+20>: bx r1
End of assembler dump.
(gdb) i reg
r0 0x0 0
r1 0x0 0
r2 0xf745fc74 4148558964
r3 0x7 7
r4 0xf72cca00 4146907648
r5 0xffbb3c18 4290460696
r6 0x0 0
r7 0x152 338
r8 0xffbb3c18 4290460696
r9 0xf748d4c0 4148745408
r10 0x0 0
r11 0xf72cc53c 4146906428
r12 0xf7441fa4 4148436900
sp 0xf72cc3fc 0xf72cc3fc
lr 0xf7441fb8 -146530376
pc 0xf7479640 0xf7479640 <_dl_tlsdesc_resolve_hold+16>
cpsr 0x60080010 1611137040
--
You are receiving this mail because:
You are on the CC list for the bug.
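
Added example, not code from the glibc project or from the reporter: a small check that replays the gdb disassembly in the report above and flags any read of an AAPCS call-clobbered register after a bl that no pop has reloaded, plus any push that would break 8-byte stack alignment. The audit function, its operand heuristics and the two modified listings are constructed for illustration and are assumptions, not the committed fix.

```python
import re

CALL_CLOBBERED = {"r0", "r1", "r2", "r3", "r12", "lr"}  # AAPCS caller-saved set
INSN = re.compile(r"<\+(\d+)>:\s+(\w+)\s*(.*)")         # gdb: <+off>: op operands
REG = re.compile(r"\b(r\d+|ip|lr|sp|pc)\b")
NO_DEST = {"bx", "str", "cmp", "tst"}                   # every operand is a source

def regs(text):
    return ["r12" if r == "ip" else r for r in REG.findall(text)]

def audit(listing):
    """Return (stale_reads, misaligned_pushes) for a gdb 'disas' listing."""
    stale, misaligned, clobbered = [], [], set()
    for line in listing.splitlines():
        m = INSN.search(line)
        if not m:
            continue
        off, op, args = int(m.group(1)), m.group(2), regs(m.group(3))
        if op in ("bl", "blx"):
            clobbered = set(CALL_CLOBBERED)    # callee may overwrite all of these
        elif op == "push":
            if len(args) * 4 % 8:              # assumes sp was 8-byte aligned on entry
                misaligned.append(off)
        elif op == "pop":
            clobbered -= set(args)             # reloaded from the stack
        else:
            reads = args if op in NO_DEST else args[1:]
            stale += [(off, r) for r in reads if r in clobbered]
            if op not in NO_DEST and args:
                clobbered.discard(args[0])     # destination now holds a fresh value
    return stale, misaligned

# Disassembly copied from the report above.
PAGE_DUMP = """\
0xf7479630 <+0>: push {r2, r3, r12, lr}
0xf7479634 <+4>: sub r1, pc, #12
0xf7479638 <+8>: bl 0xf74794fc <_dl_tlsdesc_resolve_hold_fixup>
0xf747963c <+12>: pop {r2, r3, r12, lr}
=> 0xf7479640 <+16>: ldr r1, [r0, #4]
0xf7479644 <+20>: bx r1
"""
# Constructed variants (not the committed code): widen the push/pop register lists.
R0_ONLY = PAGE_DUMP.replace("{r2", "{r0, r2")
R0_AND_R1 = PAGE_DUMP.replace("{r2", "{r0, r1, r2")

if __name__ == "__main__":
    for name in ("PAGE_DUMP", "R0_ONLY", "R0_AND_R1"):
        print(name, audit(globals()[name]))
```

On the report's listing the check flags the r0 read at +16, which is the faulting instruction in the gdb session. Saving r0 alone clears that finding but turns the push into 20 bytes, while saving r0 and r1 together passes both checks.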
* [Bug dynamic-link/19129] [arm] Concurrent lazy TLSDESC resolution can crash
From: cvs-commit at gcc dot gnu.org @ 2015-10-14 16:02 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=19129
--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via 1fae5a6800b07d0a8225664ac65a628bbe98cae7 (commit)
from f45e45a3e07ccd555a3130a9413fcebe6d8f5213 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1fae5a6800b07d0a8225664ac65a628bbe98cae7
commit 1fae5a6800b07d0a8225664ac65a628bbe98cae7
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Wed Oct 14 16:58:41 2015 +0100

[BZ #19129][ARM] Fix _dl_tlsdesc_resolve_hold to save r0

_dl_tlsdesc_resolve_hold calls into a C function that clobbers r0,
but it assumes the original argument is still in r0 after the call.
This can cause a crash in case of concurrent TLS access when TLSDESC
is in use (-mtls-dialect=gnu2).

Ran into this while fixing BZ 18572.

Both r0 and r1 are saved/restored so the stack remains 8 byte aligned.

[BZ #19129]
* sysdeps/arm/dl-tlsdesc.S (_dl_tlsdesc_resolve_hold): Save and restore
r0 and r1.

-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 6 ++++++
NEWS | 2 +-
sysdeps/arm/dl-tlsdesc.S | 27 ++++++++++++++++++---------
3 files changed, 25 insertions(+), 10 deletions(-)
* [Bug dynamic-link/19129] [arm] Concurrent lazy TLSDESC resolution can crash
From: nszabolcs at gmail dot com @ 2015-10-14 16:08 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=19129
Szabolcs Nagy <nszabolcs at gmail dot com> changed:
            What|Removed                     |Added
----------------------------------------------------------------------------
          Status|NEW                         |RESOLVED
            Host|                            |arm-*
      Resolution|---                         |FIXED
Target Milestone|---                         |2.23

--- Comment #2 from Szabolcs Nagy <nszabolcs at gmail dot com> ---
Fixed in commit 1fae5a6800b07d0a8225664ac65a628bbe98cae7