public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/29039] Corrupt DTV after reuse of a TLS module ID following dlclose with unused TLS
Date: Wed, 20 Dec 2023 08:46:06 +0000 [thread overview]
Message-ID: <bug-29039-131-luR9HRVXoC@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-29039-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=29039
--- Comment #5 from Sourceware Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Szabolcs Nagy <nsz@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=980450f12685326729d63ff72e93a996113bf073
commit 980450f12685326729d63ff72e93a996113bf073
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Wed Nov 29 11:31:37 2023 +0000
elf: Add TLS modid reuse test for bug 29039
This is a minimal regression test for bug 29039 which only affects
targets with TLSDESC and a reproducer requires that
1) Have modid gaps (closed modules) with old generation.
2) Update a DTV to a newer generation (needs a newer dlopen).
3) But do not update the closed gap entry in that DTV.
4) Reuse the modid gap for a new module (another dlopen).
5) Use dynamic TLSDESC in that new module with old generation (bug).
6) Access TLS via this TLSDESC and the now outdated DTV.
However step (3) in practice rarely happens: during DTV update the
entries for closed modids are initialized to "unallocated" and then
dynamic TLSDESC calls __tls_get_addr independently of its generation.
The only exception to this is DTV setup at thread creation (gaps are
initialized to NULL instead of unallocated) or DTV resize where the
gap entries are outside the previous DTV array (again NULL instead
of unallocated, and this requires loading > DTV_SURPLUS modules).
So the bug can only cause NULL (+ offset) dereference, not use after
free. And the easiest way to get (3) is via thread creation.
Note that step (5) requires that the newly loaded module has larger
TLS than the remaining optional static TLS. And for (6) there cannot
be other TLS access or dlopen in the thread that updates the DTV.
Tested on aarch64-linux-gnu.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
--
You are receiving this mail because:
You are on the CC list for the bug.
next prev parent reply other threads:[~2023-12-20 8:46 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-10 5:36 [Bug dynamic-link/29039] New: _dl_tlsdesc_dynamic (sometimes) returns garbage offsets alex_y_xu at yahoo dot ca
2022-04-10 9:46 ` [Bug dynamic-link/29039] " evangelos at foutrelis dot com
2022-04-10 14:34 ` alex_y_xu at yahoo dot ca
2022-04-12 11:27 ` fweimer at redhat dot com
2022-04-12 15:18 ` alex_y_xu at yahoo dot ca
2022-05-17 20:20 ` j at bitron dot ch
2023-11-26 14:16 ` sam at gentoo dot org
2023-11-26 14:17 ` sam at gentoo dot org
2023-11-28 10:12 ` [Bug dynamic-link/29039] Corrupt DTV after reuse of a TLS module ID following dlclose with unused TLS fweimer at redhat dot com
2023-11-28 17:29 ` cvs-commit at gcc dot gnu.org
2023-12-20 8:46 ` cvs-commit at gcc dot gnu.org [this message]
2023-12-22 14:43 ` sam at gentoo dot org
2023-12-22 14:57 ` dilfridge at gentoo dot org
2023-12-22 16:58 ` cvs-commit at gcc dot gnu.org
2023-12-22 16:58 ` cvs-commit at gcc dot gnu.org
2023-12-22 16:59 ` cvs-commit at gcc dot gnu.org
2023-12-22 16:59 ` cvs-commit at gcc dot gnu.org
2023-12-22 17:00 ` cvs-commit at gcc dot gnu.org
2023-12-22 17:00 ` cvs-commit at gcc dot gnu.org
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-29039-131-luR9HRVXoC@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=glibc-bugs@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).