From: "slyfox at inbox dot ru" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/25680] New: ifuncmain9picstatic and ifuncmain9picstatic crash in IFUNC resolver due to stack canary (--enable-stack-protector=all)
Date: Sun, 15 Mar 2020 10:15:01 +0000
Message-ID: <bug-25680-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=25680

            Bug ID: 25680
           Summary: ifuncmain9picstatic and ifuncmain9picstatic crash in
                    IFUNC resolver due to stack canary
                    (--enable-stack-protector=all)
           Product: glibc
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: slyfox at inbox dot ru
  Target Milestone: ---

The bug was originally reported as https://bugs.gentoo.org/712356.

In this case the following tests fail:

    FAIL: elf/ifuncmain9picstatic
    FAIL: elf/ifuncmain9static

The crash seems to happen at the point where we access the TLS canary before the
TLS segment is initialized (yes?)

$ /tmp/portage/sys-libs/glibc-9999:gdb --quiet --args
work/build-x86-x86_64-pc-linux-gnu-nptl/elf/ifuncmain9static
Reading symbols from
work/build-x86-x86_64-pc-linux-gnu-nptl/elf/ifuncmain9static...
(gdb) run
Starting program:
/tmp/portage/sys-libs/glibc-9999/work/build-x86-x86_64-pc-linux-gnu-nptl/elf/ifuncmain9static

Program received signal SIGSEGV, Segmentation fault.
0xf7f5a0cd in resolver () at ifuncmain9.c:47
47      {
(gdb) bt
#0  0xf7f5a0cd in resolver () at ifuncmain9.c:47
#1  0xf7f8ddc2 in elf_machine_rel (skip_ifunc=0, reloc_addr_arg=0xf7ffb098
<*ABS*@got.plt>, version=0x0, sym=0xf7f561ac, reloc=0xf7f58b80,
    map=0xf7ffba80 <_dl_main_map>) at ../sysdeps/i386/dl-machine.h:484
#2  elf_dynamic_do_Rel (skip_ifunc=0, lazy=0, nrelative=<optimized out>,
relsize=<optimized out>, reladdr=<optimized out>, map=<optimized out>)
    at do-rel.h:170
#3  _dl_relocate_static_pie () at dl-reloc-static-pie.c:49
#4  0xf7f5a4f8 in __libc_start_main (main=0xf7f59930 <main>, argc=1,
argv=0xffffca14, init=0xf7f5af20 <__libc_csu_init>,
    fini=0xf7f5afc0 <__libc_csu_fini>, rtld_fini=0x0, stack_end=0xffffca0c) at
../csu/libc-start.c:144
#5  0xf7f59f62 in _start () at ../sysdeps/i386/start.S:113
(gdb) disassemble
Dump of assembler code for function resolver:
   0xf7f5a0c0 <+0>:     call   0xf7f5a105 <__x86.get_pc_thunk.ax>
   0xf7f5a0c5 <+5>:     add    $0xa0f3b,%eax
   0xf7f5a0ca <+10>:    sub    $0x1c,%esp
=> 0xf7f5a0cd <+13>:    mov    %gs:0x14,%ecx
   0xf7f5a0d4 <+20>:    mov    %ecx,0xc(%esp)
   0xf7f5a0d8 <+24>:    xor    %ecx,%ecx
   0xf7f5a0da <+26>:    mov    0x1304(%eax),%edx
   0xf7f5a0e0 <+32>:    add    $0x1,%edx
   0xf7f5a0e3 <+35>:    mov    %edx,0x1304(%eax)
   0xf7f5a0e9 <+41>:    mov    0xc(%esp),%ecx
   0xf7f5a0ed <+45>:    sub    %gs:0x14,%ecx
   0xf7f5a0f4 <+52>:    jne    0xf7f5a100 <resolver+64>
   0xf7f5a0f6 <+54>:    lea    -0xa0f90(%eax),%eax
   0xf7f5a0fc <+60>:    add    $0x1c,%esp
   0xf7f5a0ff <+63>:    ret
   0xf7f5a100 <+64>:    call   0xf7f8ab70 <__stack_chk_fail>
End of assembler dump.

glibc was built with the following configure options:

 *       Manual CC:   x86_64-pc-linux-gnu-gcc -m32
 * Running do_src_configure for ABI x86
 * Configuring glibc for nptl
 *             ABI:   x86
 *          CBUILD:   x86_64-pc-linux-gnu
 *           CHOST:   x86_64-pc-linux-gnu
 *         CTARGET:   x86_64-pc-linux-gnu
 *      CBUILD_OPT:   i686-pc-linux-gnu
 *     CTARGET_OPT:   i686-pc-linux-gnu
 *              CC:   x86_64-pc-linux-gnu-gcc -m32
 *             CXX:
 *              LD:
 *         ASFLAGS:
 *          CFLAGS:   -march=sandybridge -mtune=sandybridge -pipe
-fdiagnostics-show-option -Wall -Wextra -Wstack-protector -g -O2
 *        CPPFLAGS:
 *        CXXFLAGS:   -march=sandybridge -mtune=sandybridge -pipe
-fdiagnostics-show-option -Wall -Wextra -Wstack-protector -g -O2
 *         LDFLAGS:   -Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu
 *        MAKEINFO:   /dev/null
 *       Manual CC:   x86_64-pc-linux-gnu-gcc -m32 -march=sandybridge
-mtune=sandybridge -pipe -fdiagnostics-show-option -Wall -Wextra
-Wstack-protector -g -O2 -Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu
 *      Manual CXX:   x86_64-pc-linux-gnu-g++ -m32 -march=sandybridge
-mtune=sandybridge -pipe -fdiagnostics-show-option -Wall -Wextra
-Wstack-protector -g -O2

/tmp/portage/sys-libs/glibc-9999/work/glibc-9999/configure
--enable-stack-protector=all --enable-stackguard-randomization --disable-cet
--enable-kernel=3.2.0 --without-selinux --without-cvs --disable-werror
--enable-bind-now --build=i686-pc-linux-gnu --host=i686-pc-linux-gnu
--disable-profile --without-gd --with-headers=/usr/include --prefix=/usr
--sysconfdir=/etc --localstatedir=/var --libdir=$(prefix)/lib
--mandir=$(prefix)/share/man --infodir=$(prefix)/share/info
--libexecdir=$(libdir)/misc/glibc --with-bugurl=https://bugs.gentoo.org/
--with-pkgversion=Gentoo 9999 p16 --enable-crypt --enable-static-pie
--disable-systemtap --disable-nscd --disable-timezone-tools
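As an added example (not code from the bug report or from glibc), here is an IFUNC resolver written so that it cannot hit the uninitialized canary shown in the disassembly above: the resolver and everything it calls are compiled without stack protection, which is the role glibc's own `inhibit_stack_protector` macro plays for its resolvers. It assumes GCC or clang on an ELF/glibc system; `count_bytes`, `pick_impl` and the SSE2 dispatch are constructed for illustration.

```c
#include <stddef.h>
/* Resolvers run from _dl_relocate_static_pie before TLS exists, so the
   stack-protector prologue (canary load from %gs:0x14 on i386) must be kept
   out of them; this mirrors the role of glibc's inhibit_stack_protector. */
#if defined(__clang__) || (defined(__GNUC__) && __GNUC__ >= 11)
# define NO_STACK_PROTECTOR __attribute__((no_stack_protector))
#else
# define NO_STACK_PROTECTOR __attribute__((optimize("-fno-stack-protector")))
#endif

typedef size_t (*count_fn)(const unsigned char *, size_t, unsigned char);
/* Two interchangeable implementations (a real library would pick by ISA). */
static size_t count_generic(const unsigned char *p, size_t n, unsigned char c)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        k += (p[i] == c);
    return k;
}

static size_t count_unrolled(const unsigned char *p, size_t n, unsigned char c)
{
    size_t k = 0, i = 0;
    for (; i + 4 <= n; i += 4)
        k += (p[i] == c) + (p[i + 1] == c) + (p[i + 2] == c) + (p[i + 3] == c);
    for (; i < n; i++)
        k += (p[i] == c);
    return k;
}

/* Selection step, also unprotected because the resolver calls it. */
NO_STACK_PROTECTOR static count_fn pick_impl(int has_sse2)
{
    return has_sse2 ? count_unrolled : count_generic;
}
/* The resolver itself: no canary, no TLS, and nothing outside this object
   except libgcc's __builtin_cpu_init (needed before __builtin_cpu_supports). */
NO_STACK_PROTECTOR static count_fn count_bytes_resolver(void)
{
    int has_sse2 = 0;
#if defined(__x86_64__) || defined(__i386__)
    __builtin_cpu_init();
    has_sse2 = __builtin_cpu_supports("sse2");
#endif
    return pick_impl(has_sse2);
}
/* Hypothetical public entry point, bound at load time via an IRELATIVE reloc. */
size_t count_bytes(const unsigned char *p, size_t n, unsigned char c)
    __attribute__((ifunc("count_bytes_resolver")));
```

Building this with `-fstack-protector-all` and inspecting the resolver's prologue shows no `%gs:0x14` (or `%fs:0x28` on x86-64) load, which is exactly what the `ifuncmain9` resolver above lacks.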
