From: "slyfox at inbox dot ru" <glibc-bugs@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/25680] New: ifuncmain9picstatic and ifuncmain9static crash in IFUNC resolver due to stack canary (--enable-stack-protector=all)
Date: Sun, 15 Mar 2020 10:15:01 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=25680

            Bug ID: 25680
           Summary: ifuncmain9picstatic and ifuncmain9static crash in
                    IFUNC resolver due to stack canary
                    (--enable-stack-protector=all)
           Product: glibc
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: slyfox at inbox dot ru
  Target Milestone: ---

Bug was originally reported as https://bugs.gentoo.org/712356.

In this case the following tests fail:

FAIL: elf/ifuncmain9picstatic
FAIL: elf/ifuncmain9static

The crash seems to happen at a point when we access the TLS canary before
the TLS segment is initialized (yes?)

$ /tmp/portage/sys-libs/glibc-9999:gdb --quiet --args work/build-x86-x86_64-pc-linux-gnu-nptl/elf/ifuncmain9static
Reading symbols from work/build-x86-x86_64-pc-linux-gnu-nptl/elf/ifuncmain9static...
(gdb) run
Starting program: /tmp/portage/sys-libs/glibc-9999/work/build-x86-x86_64-pc-linux-gnu-nptl/elf/ifuncmain9static

Program received signal SIGSEGV, Segmentation fault.
0xf7f5a0cd in resolver () at ifuncmain9.c:47
47      {
(gdb) bt
#0  0xf7f5a0cd in resolver () at ifuncmain9.c:47
#1  0xf7f8ddc2 in elf_machine_rel (skip_ifunc=0, reloc_addr_arg=0xf7ffb098 <*ABS*@got.plt>, version=0x0, sym=0xf7f561ac, reloc=0xf7f58b80, map=0xf7ffba80 <_dl_main_map>) at ../sysdeps/i386/dl-machine.h:484
#2  elf_dynamic_do_Rel (skip_ifunc=0, lazy=0, nrelative=, relsize=, reladdr=, map=) at do-rel.h:170
#3  _dl_relocate_static_pie () at dl-reloc-static-pie.c:49
#4  0xf7f5a4f8 in __libc_start_main (main=0xf7f59930, argc=1, argv=0xffffca14, init=0xf7f5af20 <__libc_csu_init>, fini=0xf7f5afc0 <__libc_csu_fini>, rtld_fini=0x0, stack_end=0xffffca0c) at ../csu/libc-start.c:144
#5  0xf7f59f62 in _start () at ../sysdeps/i386/start.S:113
(gdb) disassemble
Dump of assembler code for function resolver:
   0xf7f5a0c0 <+0>:     call   0xf7f5a105 <__x86.get_pc_thunk.ax>
   0xf7f5a0c5 <+5>:     add    $0xa0f3b,%eax
   0xf7f5a0ca <+10>:    sub    $0x1c,%esp
=> 0xf7f5a0cd <+13>:    mov    %gs:0x14,%ecx
   0xf7f5a0d4 <+20>:    mov    %ecx,0xc(%esp)
   0xf7f5a0d8 <+24>:    xor    %ecx,%ecx
   0xf7f5a0da <+26>:    mov    0x1304(%eax),%edx
   0xf7f5a0e0 <+32>:    add    $0x1,%edx
   0xf7f5a0e3 <+35>:    mov    %edx,0x1304(%eax)
   0xf7f5a0e9 <+41>:    mov    0xc(%esp),%ecx
   0xf7f5a0ed <+45>:    sub    %gs:0x14,%ecx
   0xf7f5a0f4 <+52>:    jne    0xf7f5a100
   0xf7f5a0f6 <+54>:    lea    -0xa0f90(%eax),%eax
   0xf7f5a0fc <+60>:    add    $0x1c,%esp
   0xf7f5a0ff <+63>:    ret
   0xf7f5a100 <+64>:    call   0xf7f8ab70 <__stack_chk_fail>
End of assembler dump.

glibc was built with the following configure options:

 * Manual CC: x86_64-pc-linux-gnu-gcc -m32
 * Running do_src_configure for ABI x86
 * Configuring glibc for nptl
 *   ABI:         x86
 *   CBUILD:      x86_64-pc-linux-gnu
 *   CHOST:       x86_64-pc-linux-gnu
 *   CTARGET:     x86_64-pc-linux-gnu
 *   CBUILD_OPT:  i686-pc-linux-gnu
 *   CTARGET_OPT: i686-pc-linux-gnu
 *   CC:          x86_64-pc-linux-gnu-gcc -m32
 *   CXX:
 *   LD:
 *   ASFLAGS:
 *   CFLAGS:      -march=sandybridge -mtune=sandybridge -pipe -fdiagnostics-show-option -Wall -Wextra -Wstack-protector -g -O2
 *   CPPFLAGS:
 *   CXXFLAGS:    -march=sandybridge -mtune=sandybridge -pipe -fdiagnostics-show-option -Wall -Wextra -Wstack-protector -g -O2
 *   LDFLAGS:     -Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu
 *   MAKEINFO:    /dev/null
 * Manual CC: x86_64-pc-linux-gnu-gcc -m32 -march=sandybridge -mtune=sandybridge -pipe -fdiagnostics-show-option -Wall -Wextra -Wstack-protector -g -O2 -Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu
 * Manual CXX: x86_64-pc-linux-gnu-g++ -m32 -march=sandybridge -mtune=sandybridge -pipe -fdiagnostics-show-option -Wall -Wextra -Wstack-protector -g -O2

/tmp/portage/sys-libs/glibc-9999/work/glibc-9999/configure --enable-stack-protector=all --enable-stackguard-randomization --disable-cet --enable-kernel=3.2.0 --without-selinux --without-cvs --disable-werror --enable-bind-now --build=i686-pc-linux-gnu --host=i686-pc-linux-gnu --disable-profile --without-gd --with-headers=/usr/include --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(prefix)/lib --mandir=$(prefix)/share/man --infodir=$(prefix)/share/info --libexecdir=$(libdir)/misc/glibc --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion=Gentoo 9999 p16 --enable-crypt --enable-static-pie --disable-systemtap --disable-nscd --disable-timezone-tools

-- 
You are receiving this mail because:
You are on the CC list for the bug.
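The backtrace above shows why this crashes: in a static PIE, `__libc_start_main` calls `_dl_relocate_static_pie`, which runs every IFUNC resolver while applying relocations, and that happens before the C runtime has set up TLS. With `--enable-stack-protector=all` the resolver gets a canary prologue (`mov %gs:0x14,%ecx` in the disassembly), and `%gs` does not yet point at a thread descriptor, so the first instruction that touches it faults. The practical rule for anyone writing an IFUNC resolver is that it must be compiled without stack-protector instrumentation and must not call into libc or touch TLS. The following is an added illustration of that rule, not code from the bug report or from glibc: the names `pick`, `resolve_pick`, `impl_generic`, `impl_fast`, `resolver_calls` and the `NO_STACK_PROTECTOR` macro are constructed here. It mirrors the glibc test's habit of counting resolver invocations (the `add $0x1` to a global in the disassembly) so the test can confirm the resolver really ran, and it falls back to the `optimize("-fno-stack-protector")` attribute, the same mechanism glibc's own `inhibit_stack_protector` macro relies on, when the compiler lacks `no_stack_protector`.

```c
/* Added example (not from the bug report or glibc): an IFUNC whose resolver
   is kept free of stack-protector instrumentation.
   Build on Linux/glibc, e.g.:  gcc -O2 -fstack-protector-all ifunc_demo.c
   (or add -static-pie to reproduce the early-startup situation from the bug). */
#include <stdio.h>

/* Resolvers run while relocations are being applied.  In a static or
   static-PIE binary that is before TLS exists, so an instrumented prologue
   that loads the canary (%gs:0x14 on i386, %fs:0x28 on x86-64) faults.
   Prefer the dedicated attribute (GCC 11+, Clang 11+); otherwise fall back
   to the per-function optimize attribute, as glibc's inhibit_stack_protector
   macro does.  The macro name is constructed for this example. */
#if defined(__has_attribute)
#  if __has_attribute(no_stack_protector)
#    define NO_STACK_PROTECTOR __attribute__((no_stack_protector))
#  endif
#endif
#ifndef NO_STACK_PROTECTOR
#  define NO_STACK_PROTECTOR __attribute__((optimize("-fno-stack-protector")))
#endif

/* Two candidate implementations the resolver can choose between. */
static int impl_generic(void) { return 1; }
static int impl_fast(void)    { return 2; }

/* How many times the resolver ran; the loader should invoke it exactly once
   per IRELATIVE relocation, which for this binary means once. */
int resolver_calls = 0;

/* The resolver: plain data access only.  No libc calls (libc may not be
   relocated or initialised yet) and nothing that needs TLS.  The selection
   rule below is a constructed, compile-time-decidable stand-in for the CPU
   feature checks a real resolver would do with raw CPUID-style queries. */
static NO_STACK_PROTECTOR int (*resolve_pick(void))(void)
{
    resolver_calls++;
    return sizeof(void *) >= 8 ? impl_fast : impl_generic;
}

/* `pick` is a GNU_IFUNC symbol whose address is decided by resolve_pick. */
int pick(void) __attribute__((ifunc("resolve_pick")));

/* Returns the value the selected implementation yields for this build. */
int expected_pick(void)
{
    return sizeof(void *) >= 8 ? 2 : 1;
}

int main(void)
{
    printf("pick() = %d, resolver ran %d time(s)\n", pick(), resolver_calls);
    return pick() == expected_pick() ? 0 : 1;
}
```

With `-fstack-protector-all` in effect, `objdump -d` of the compiled object shows a canary load in `impl_generic`, `impl_fast` and `main` but none in `resolve_pick`; that missing load is exactly what keeps the resolver safe at the point in startup where the backtrace above dies.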