[Bug dynamic-link/31185] New: Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc

public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug dynamic-link/31185] New: Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
@ 2023-12-21  3:29 hjl.tools at gmail dot com
  2023-12-22 13:37 ` [Bug dynamic-link/31185] " cvs-commit at gcc dot gnu.org
                   ` (7 more replies)
  0 siblings, 8 replies; 9+ messages in thread
From: hjl.tools at gmail dot com @ 2023-12-21  3:29 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31185

            Bug ID: 31185
           Summary: Incorrect thread point access in _dl_tlsdesc_undefweak
                    and _dl_tlsdesc_dynamic
           Product: glibc
           Version: 2.38
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: hjl.tools at gmail dot com
  Target Milestone: ---
            Target: x32

_dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic in sysdeps/x86_64/dl-tlsdesc.S
access the thread pointer via the tcb field in TCB:

_dl_tlsdesc_undefweak:
        _CET_ENDBR
        movq    8(%rax), %rax
        subq    %fs:0, %rax
        ret 

_dl_tlsdesc_dynamic:
        ,,,
        subq    %fs:0, %rax
        movq    -8(%rsp), %rdi
        ret

Since the tcb field in TCB is a pointer, %fs:0 is a 32-bit location,
not 64-bit. It should use "sub %fs:0, %RAX_LP" instead.  Since
_dl_tlsdesc_undefweak returns ptrdiff_t and _dl_make_tlsdesc_dynamic
returns void *, RAX_LP is appropriate here for x32.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [Bug dynamic-link/31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
  2023-12-21  3:29 [Bug dynamic-link/31185] New: Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic hjl.tools at gmail dot com
@ 2023-12-22 13:37 ` cvs-commit at gcc dot gnu.org
  2023-12-22 14:44 ` sam at gentoo dot org
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-12-22 13:37 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31185

--- Comment #1 from Sourceware Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by H.J. Lu <hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=81be2a61dafc168327c1639e97b6dae128c7ccf3

commit 81be2a61dafc168327c1639e97b6dae128c7ccf3
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Dec 20 19:42:12 2023 -0800

    x86-64: Fix the tcb field load for x32 [BZ #31185]

    _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic access the thread pointer
    via the tcb field in TCB:

    _dl_tlsdesc_undefweak:
            _CET_ENDBR
            movq    8(%rax), %rax
            subq    %fs:0, %rax
            ret

    _dl_tlsdesc_dynamic:
            ...
            subq    %fs:0, %rax
            movq    -8(%rsp), %rdi
            ret

    Since the tcb field in TCB is a pointer, %fs:0 is a 32-bit location,
    not 64-bit. It should use "sub %fs:0, %RAX_LP" instead.  Since
    _dl_tlsdesc_undefweak returns ptrdiff_t and _dl_make_tlsdesc_dynamic
    returns void *, RAX_LP is appropriate here for x32 and x86-64.  This
    fixes BZ #31185.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [Bug dynamic-link/31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
  2023-12-21  3:29 [Bug dynamic-link/31185] New: Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic hjl.tools at gmail dot com
  2023-12-22 13:37 ` [Bug dynamic-link/31185] " cvs-commit at gcc dot gnu.org
@ 2023-12-22 14:44 ` sam at gentoo dot org
  2023-12-23 15:08 ` cvs-commit at gcc dot gnu.org
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: sam at gentoo dot org @ 2023-12-22 14:44 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31185

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [Bug dynamic-link/31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
  2023-12-21  3:29 [Bug dynamic-link/31185] New: Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic hjl.tools at gmail dot com
  2023-12-22 13:37 ` [Bug dynamic-link/31185] " cvs-commit at gcc dot gnu.org
  2023-12-22 14:44 ` sam at gentoo dot org
@ 2023-12-23 15:08 ` cvs-commit at gcc dot gnu.org
  2023-12-23 17:00 ` cvs-commit at gcc dot gnu.org
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-12-23 15:08 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31185

--- Comment #2 from Sourceware Commits <cvs-commit at gcc dot gnu.org> ---
The release/2.38/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=968c983d43bc51f719f3e7a0fcb1bb8669b5f7c4

commit 968c983d43bc51f719f3e7a0fcb1bb8669b5f7c4
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Dec 20 19:42:12 2023 -0800

    x86-64: Fix the tcb field load for x32 [BZ #31185]

    _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic access the thread pointer
    via the tcb field in TCB:

    _dl_tlsdesc_undefweak:
            _CET_ENDBR
            movq    8(%rax), %rax
            subq    %fs:0, %rax
            ret

    _dl_tlsdesc_dynamic:
            ...
            subq    %fs:0, %rax
            movq    -8(%rsp), %rdi
            ret

    Since the tcb field in TCB is a pointer, %fs:0 is a 32-bit location,
    not 64-bit. It should use "sub %fs:0, %RAX_LP" instead.  Since
    _dl_tlsdesc_undefweak returns ptrdiff_t and _dl_make_tlsdesc_dynamic
    returns void *, RAX_LP is appropriate here for x32 and x86-64.  This
    fixes BZ #31185.

    (cherry picked from commit 81be2a61dafc168327c1639e97b6dae128c7ccf3)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [Bug dynamic-link/31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
  2023-12-21  3:29 [Bug dynamic-link/31185] New: Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic hjl.tools at gmail dot com
                   ` (2 preceding siblings ...)
  2023-12-23 15:08 ` cvs-commit at gcc dot gnu.org
@ 2023-12-23 17:00 ` cvs-commit at gcc dot gnu.org
  2023-12-23 17:35 ` cvs-commit at gcc dot gnu.org
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-12-23 17:00 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31185

--- Comment #3 from Sourceware Commits <cvs-commit at gcc dot gnu.org> ---
The release/2.37/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d052665f359be24623c0ca0aea8abd372cbefe90

commit d052665f359be24623c0ca0aea8abd372cbefe90
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Dec 20 19:42:12 2023 -0800

    x86-64: Fix the tcb field load for x32 [BZ #31185]

    _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic access the thread pointer
    via the tcb field in TCB:

    _dl_tlsdesc_undefweak:
            _CET_ENDBR
            movq    8(%rax), %rax
            subq    %fs:0, %rax
            ret

    _dl_tlsdesc_dynamic:
            ...
            subq    %fs:0, %rax
            movq    -8(%rsp), %rdi
            ret

    Since the tcb field in TCB is a pointer, %fs:0 is a 32-bit location,
    not 64-bit. It should use "sub %fs:0, %RAX_LP" instead.  Since
    _dl_tlsdesc_undefweak returns ptrdiff_t and _dl_make_tlsdesc_dynamic
    returns void *, RAX_LP is appropriate here for x32 and x86-64.  This
    fixes BZ #31185.

    (cherry picked from commit 81be2a61dafc168327c1639e97b6dae128c7ccf3)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [Bug dynamic-link/31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
  2023-12-21  3:29 [Bug dynamic-link/31185] New: Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic hjl.tools at gmail dot com
                   ` (3 preceding siblings ...)
  2023-12-23 17:00 ` cvs-commit at gcc dot gnu.org
@ 2023-12-23 17:35 ` cvs-commit at gcc dot gnu.org
  2023-12-23 17:36 ` cvs-commit at gcc dot gnu.org
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-12-23 17:35 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31185

--- Comment #4 from Sourceware Commits <cvs-commit at gcc dot gnu.org> ---
The release/2.36/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5dfafca33cf5db5ca88af43f4f764c29a69aff18

commit 5dfafca33cf5db5ca88af43f4f764c29a69aff18
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Dec 20 19:42:12 2023 -0800

    x86-64: Fix the tcb field load for x32 [BZ #31185]

    _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic access the thread pointer
    via the tcb field in TCB:

    _dl_tlsdesc_undefweak:
            _CET_ENDBR
            movq    8(%rax), %rax
            subq    %fs:0, %rax
            ret

    _dl_tlsdesc_dynamic:
            ...
            subq    %fs:0, %rax
            movq    -8(%rsp), %rdi
            ret

    Since the tcb field in TCB is a pointer, %fs:0 is a 32-bit location,
    not 64-bit. It should use "sub %fs:0, %RAX_LP" instead.  Since
    _dl_tlsdesc_undefweak returns ptrdiff_t and _dl_make_tlsdesc_dynamic
    returns void *, RAX_LP is appropriate here for x32 and x86-64.  This
    fixes BZ #31185.

    (cherry picked from commit 81be2a61dafc168327c1639e97b6dae128c7ccf3)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [Bug dynamic-link/31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
  2023-12-21  3:29 [Bug dynamic-link/31185] New: Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic hjl.tools at gmail dot com
                   ` (4 preceding siblings ...)
  2023-12-23 17:35 ` cvs-commit at gcc dot gnu.org
@ 2023-12-23 17:36 ` cvs-commit at gcc dot gnu.org
  2023-12-23 17:38 ` cvs-commit at gcc dot gnu.org
  2023-12-23 17:40 ` hjl.tools at gmail dot com
  7 siblings, 0 replies; 9+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-12-23 17:36 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31185

--- Comment #5 from Sourceware Commits <cvs-commit at gcc dot gnu.org> ---
The release/2.35/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5d1fe26b49a9ac373dabba217df9bd7179b267d2

commit 5d1fe26b49a9ac373dabba217df9bd7179b267d2
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Dec 20 19:42:12 2023 -0800

    x86-64: Fix the tcb field load for x32 [BZ #31185]

    _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic access the thread pointer
    via the tcb field in TCB:

    _dl_tlsdesc_undefweak:
            _CET_ENDBR
            movq    8(%rax), %rax
            subq    %fs:0, %rax
            ret

    _dl_tlsdesc_dynamic:
            ...
            subq    %fs:0, %rax
            movq    -8(%rsp), %rdi
            ret

    Since the tcb field in TCB is a pointer, %fs:0 is a 32-bit location,
    not 64-bit. It should use "sub %fs:0, %RAX_LP" instead.  Since
    _dl_tlsdesc_undefweak returns ptrdiff_t and _dl_make_tlsdesc_dynamic
    returns void *, RAX_LP is appropriate here for x32 and x86-64.  This
    fixes BZ #31185.

    (cherry picked from commit 81be2a61dafc168327c1639e97b6dae128c7ccf3)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [Bug dynamic-link/31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
  2023-12-21  3:29 [Bug dynamic-link/31185] New: Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic hjl.tools at gmail dot com
                   ` (5 preceding siblings ...)
  2023-12-23 17:36 ` cvs-commit at gcc dot gnu.org
@ 2023-12-23 17:38 ` cvs-commit at gcc dot gnu.org
  2023-12-23 17:40 ` hjl.tools at gmail dot com
  7 siblings, 0 replies; 9+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-12-23 17:38 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31185

--- Comment #6 from Sourceware Commits <cvs-commit at gcc dot gnu.org> ---
The release/2.34/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2143fcd54025df8ee1e95a31b2cbadcb2e3547ac

commit 2143fcd54025df8ee1e95a31b2cbadcb2e3547ac
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Dec 20 19:42:12 2023 -0800

    x86-64: Fix the tcb field load for x32 [BZ #31185]

    _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic access the thread pointer
    via the tcb field in TCB:

    _dl_tlsdesc_undefweak:
            _CET_ENDBR
            movq    8(%rax), %rax
            subq    %fs:0, %rax
            ret

    _dl_tlsdesc_dynamic:
            ...
            subq    %fs:0, %rax
            movq    -8(%rsp), %rdi
            ret

    Since the tcb field in TCB is a pointer, %fs:0 is a 32-bit location,
    not 64-bit. It should use "sub %fs:0, %RAX_LP" instead.  Since
    _dl_tlsdesc_undefweak returns ptrdiff_t and _dl_make_tlsdesc_dynamic
    returns void *, RAX_LP is appropriate here for x32 and x86-64.  This
    fixes BZ #31185.

    (cherry picked from commit 81be2a61dafc168327c1639e97b6dae128c7ccf3)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [Bug dynamic-link/31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
  2023-12-21  3:29 [Bug dynamic-link/31185] New: Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic hjl.tools at gmail dot com
                   ` (6 preceding siblings ...)
  2023-12-23 17:38 ` cvs-commit at gcc dot gnu.org
@ 2023-12-23 17:40 ` hjl.tools at gmail dot com
  7 siblings, 0 replies; 9+ messages in thread
From: hjl.tools at gmail dot com @ 2023-12-23 17:40 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31185

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.39
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #7 from H.J. Lu <hjl.tools at gmail dot com> ---
Fixed for 2.39 and backported to 2.38/2.37/2.36/2.35/2.34 branches.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2023-12-23 17:40 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-12-21  3:29 [Bug dynamic-link/31185] New: Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic hjl.tools at gmail dot com
2023-12-22 13:37 ` [Bug dynamic-link/31185] " cvs-commit at gcc dot gnu.org
2023-12-22 14:44 ` sam at gentoo dot org
2023-12-23 15:08 ` cvs-commit at gcc dot gnu.org
2023-12-23 17:00 ` cvs-commit at gcc dot gnu.org
2023-12-23 17:35 ` cvs-commit at gcc dot gnu.org
2023-12-23 17:36 ` cvs-commit at gcc dot gnu.org
2023-12-23 17:38 ` cvs-commit at gcc dot gnu.org
2023-12-23 17:40 ` hjl.tools at gmail dot com

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).