From: "cvs-commit at gcc dot gnu.org"
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/29039] Corrupt DTV after reuse of a TLS module ID following dlclose with unused TLS
Date: Wed, 20 Dec 2023 08:46:06 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29039

--- Comment #5 from Sourceware Commits ---
The master branch has been updated by Szabolcs Nagy:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=980450f12685326729d63ff72e93a996113bf073

commit 980450f12685326729d63ff72e93a996113bf073
Author: Szabolcs Nagy
Date:   Wed Nov 29 11:31:37 2023 +0000

    elf: Add TLS modid reuse test for bug 29039

    This is a minimal regression test for bug 29039 which only affects
    targets with TLSDESC and a reproducer requires that

    1) Have modid gaps (closed modules) with old generation.
    2) Update a DTV to a newer generation (needs a newer dlopen).
    3) But do not update the closed gap entry in that DTV.
    4) Reuse the modid gap for a new module (another dlopen).
    5) Use dynamic TLSDESC in that new module with old generation (bug).
    6) Access TLS via this TLSDESC and the now outdated DTV.

    However step (3) in practice rarely happens: during DTV update the
    entries for closed modids are initialized to "unallocated" and then
    dynamic TLSDESC calls __tls_get_addr independently of its generation.
    The only exception to this is DTV setup at thread creation (gaps are
    initialized to NULL instead of unallocated) or DTV resize where the
    gap entries are outside the previous DTV array (again NULL instead of
    unallocated, and this requires loading > DTV_SURPLUS modules).

    So the bug can only cause NULL (+ offset) dereference, not use after
    free. And the easiest way to get (3) is via thread creation.

    Note that step (5) requires that the newly loaded module has larger
    TLS than the remaining optional static TLS. And for (6) there cannot
    be other TLS access or dlopen in the thread that updates the DTV.

    Tested on aarch64-linux-gnu.

    Reviewed-by: Adhemerval Zanella

-- 
You are receiving this mail because:
You are on the CC list for the bug.
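The six reproducer steps in the commit message, modelled as an added C example (not glibc code and not the regression test the commit adds). The model_* functions, the small MAX_MODS table, the fake block addresses and the choice to represent the __tls_get_addr slow path as a 0 return are assumptions of this model; only the TLS_DTV_UNALLOCATED sentinel mirrors glibc.

```c
/* Simplified model of the DTV bookkeeping behind bug 29039 (added example, not glibc
   code): model_* names, MAX_MODS and fake block addresses are assumptions of the model. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define TLS_DTV_UNALLOCATED ((void *) -1)
#define MAX_MODS 4
struct dtv { size_t gen; void *entry[MAX_MODS]; };        /* entry[0] unused */
static struct { int live; size_t gen; } slots[MAX_MODS];   /* slotinfo per modid */
static size_t global_gen;

/* dlopen of a TLS module: reuse the lowest free modid and bump the generation. */
static size_t model_dlopen(void) {
    for (size_t m = 1; m < MAX_MODS; m++)
        if (!slots[m].live) { slots[m].live = 1; slots[m].gen = ++global_gen; return m; }
    abort();
}
static void model_dlclose(size_t m) { slots[m].live = 0; slots[m].gen = ++global_gen; }

/* DTV update on the __tls_get_addr path: live modids get a fake block address,
   closed modids become UNALLOCATED, so step 3 cannot happen this way. */
static void model_update_dtv(struct dtv *d) {
    for (size_t m = 1; m < MAX_MODS; m++)
        d->entry[m] = slots[m].live ? (void *) (uintptr_t) (0x1000 * m) : TLS_DTV_UNALLOCATED;
    d->gen = global_gen;
}
/* Thread creation: DTV stamped with the current generation, gap entries left NULL. */
static void model_thread_dtv(struct dtv *d) { *d = (struct dtv) { .gen = global_gen }; }

/* Dynamic TLSDESC fast path: a descriptor no newer than the DTV trusts dtv[modid] + off
   unless the entry is UNALLOCATED; the __tls_get_addr slow path is modelled as 0. */
static uintptr_t model_tlsdesc_dynamic(const struct dtv *d, size_t modid, size_t desc_gen, size_t off) {
    if (desc_gen <= d->gen && d->entry[modid] != TLS_DTV_UNALLOCATED)
        return (uintptr_t) d->entry[modid] + off;   /* NULL + off when the gap was never updated */
    return 0;
}

/* Steps 1-6 of the commit message; via_thread_create picks how the step 3 DTV was made,
   fixed picks whether the step 5 descriptor carries the new or the old generation. */
static uintptr_t model_reproduce(int via_thread_create, int fixed) {
    memset(slots, 0, sizeof slots); global_gen = 0;
    size_t a = model_dlopen(), b = model_dlopen();
    model_dlclose(a); model_dlclose(b);                 /* step 1: gaps with old generations */
    size_t old_gen = slots[b].gen;
    (void) model_dlopen();                              /* step 2: newer generation, takes gap a */
    struct dtv d;
    if (via_thread_create) model_thread_dtv(&d);        /* step 3: gap b stays NULL */
    else model_update_dtv(&d);                          /* gap b marked UNALLOCATED instead */
    size_t reused = model_dlopen();                     /* step 4: gap b is reused */
    size_t desc_gen = fixed ? slots[reused].gen : old_gen;            /* step 5 */
    return model_tlsdesc_dynamic(&d, reused, desc_gen, 0x10);         /* step 6 */
}
```

With a DTV that came from thread creation, the old-generation descriptor yields NULL + offset (0x10 here), whereas a DTV that went through a regular update has the gap marked UNALLOCATED and takes the slow path, which is why the commit message calls step (3) rare.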