From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
To: Szabolcs Nagy <szabolcs.nagy@arm.com>
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH 07/15] elf: Refactor _dl_update_slotinfo to avoid use after free
Date: Wed, 7 Apr 2021 11:28:08 -0300 [thread overview]
Message-ID: <1ccd8aa7-ff8e-96e7-7bf8-d229572d1a27@linaro.org> (raw)
In-Reply-To: <20210407080109.GP23289@arm.com>
On 07/04/2021 05:01, Szabolcs Nagy wrote:
> The 04/06/2021 16:40, Adhemerval Zanella wrote:
>> On 15/02/2021 09:00, Szabolcs Nagy via Libc-alpha wrote:
>>> map is not valid to access here because it can be freed by a
>>> concurrent dlclose, so don't check the modid.
>>
>> Won't it be protected by the recursive GL(dl_load_lock) in such case?
>> I think the concurrency issue is between dlopen and _dl_deallocate_tls
>> called by pthread stack handling (nptl/allocatestack.c). Am I missing
>> something here?
>
>
> _dl_update_slotinfo is called both with and without
> the dlopen lock held: during dynamic tls access
> the lock is not held (see the __tls_get_addr path)
Right, revising the patch I mapped the calls (not sure if it is
fully complete):
| _dl_open
| __rtld_lock_lock_recursive (GL(dl_load_lock));
| dl_open_worker
| update_tls_slotinfo
| _dl_update_slotinfo
| __rtld_lock_unlock_recursive (GL(dl_load_lock));
| __tls_get_addr
| update_get_addr
| _dl_update_slotinfo
| rtld
| _dl_resolve_conflicts
| elf_machine_rela
| TRY_STATIC_TLS
| _dl_try_allocate_static_tls
| _dl_update_slotinfo
|
| elf_machine_rela
| CHECK_STATIC_TLS
| _dl_allocate_static_tls
| _dl_try_allocate_static_tls
| _dl_update_slotinfo
The rtld part should not matter, since it is done before thread
is supported.
>
> we cannot add a lock there because that would cause
> new deadlocks, dealing with this is the tricky part
> of the patchset.
I understand this patch from previous discussion about it. The
part is confusing me is "because it can be freed by a concurrent
dlclose". My understanding is '_dl_deallocate_tls' might be called
in thread exit / deallocation without the GL(dl_load_lock) (which
is a potential issue); what I can't see is how concurrent dlclose
might trigger this issue (since it should be synchronized with dlopen
through the lock).
>
>>>
>>> The map == 0 and map != 0 code paths can be shared (avoiding
>>> the dtv resize in case of map == 0 is just an optimization:
>>> larger dtv than necessary would be fine too).
>>> ---
>>> elf/dl-tls.c | 21 +++++----------------
>>> 1 file changed, 5 insertions(+), 16 deletions(-)
>>>
>>> diff --git a/elf/dl-tls.c b/elf/dl-tls.c
>>> index 24d00c14ef..f8b32b3ecb 100644
>>> --- a/elf/dl-tls.c
>>> +++ b/elf/dl-tls.c
>>> @@ -743,6 +743,8 @@ _dl_update_slotinfo (unsigned long int req_modid)
>>> {
>>> for (size_t cnt = total == 0 ? 1 : 0; cnt < listp->len; ++cnt)
>>> {
>>> + size_t modid = total + cnt;
>>> +
>>> size_t gen = listp->slotinfo[cnt].gen;
>>>
>>> if (gen > new_gen)
>>> @@ -758,25 +760,12 @@ _dl_update_slotinfo (unsigned long int req_modid)
>>>
>>> /* If there is no map this means the entry is empty. */
>>> struct link_map *map = listp->slotinfo[cnt].map;
>>> - if (map == NULL)
>>> - {
>>> - if (dtv[-1].counter >= total + cnt)
>>> - {
>>> - /* If this modid was used at some point the memory
>>> - might still be allocated. */
>>> - free (dtv[total + cnt].pointer.to_free);
>>> - dtv[total + cnt].pointer.val = TLS_DTV_UNALLOCATED;
>>> - dtv[total + cnt].pointer.to_free = NULL;
>>> - }
>>> -
>>> - continue;
>>> - }
>>> -
>>> /* Check whether the current dtv array is large enough. */
>>> - size_t modid = map->l_tls_modid;
>>> - assert (total + cnt == modid);
>>> if (dtv[-1].counter < modid)
>>> {
>>> + if (map == NULL)
>>> + continue;
>>> +
>>> /* Resize the dtv. */
>>> dtv = _dl_resize_dtv (dtv);
>>>
>>>
next prev parent reply other threads:[~2021-04-07 14:28 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-15 11:56 [PATCH 00/15] Dynamic TLS related data race fixes Szabolcs Nagy
2021-02-15 11:56 ` [PATCH 01/15] aarch64: free tlsdesc data on dlclose [BZ #27403] Szabolcs Nagy
2021-04-01 12:57 ` Adhemerval Zanella
2021-04-06 13:43 ` Szabolcs Nagy
2021-04-06 16:52 ` Adhemerval Zanella
2021-02-15 11:56 ` [PATCH 02/15] elf: Fix data race in _dl_name_match_p [BZ #21349] Szabolcs Nagy
2021-04-01 14:01 ` Adhemerval Zanella
2021-04-06 16:41 ` Szabolcs Nagy
2021-02-15 11:57 ` [PATCH 03/15] Add test case for [BZ #19329] Szabolcs Nagy
2021-04-02 19:10 ` Adhemerval Zanella
2021-02-15 11:59 ` [PATCH 04/15] Add a DTV setup test [BZ #27136] Szabolcs Nagy
2021-04-02 19:35 ` Adhemerval Zanella
2021-02-15 11:59 ` [PATCH 05/15] elf: Fix a DTV setup issue " Szabolcs Nagy
2021-04-02 19:46 ` Adhemerval Zanella
2021-02-15 11:59 ` [PATCH 06/15] elf: Fix comments and logic in _dl_add_to_slotinfo Szabolcs Nagy
2021-04-02 20:50 ` Adhemerval Zanella
2021-04-06 15:48 ` Szabolcs Nagy
2021-04-06 17:47 ` Adhemerval Zanella
2021-04-07 7:57 ` Szabolcs Nagy
2021-04-07 14:20 ` Adhemerval Zanella
2021-02-15 12:00 ` [PATCH 07/15] elf: Refactor _dl_update_slotinfo to avoid use after free Szabolcs Nagy
2021-04-06 19:40 ` Adhemerval Zanella
2021-04-07 8:01 ` Szabolcs Nagy
2021-04-07 14:28 ` Adhemerval Zanella [this message]
2021-04-07 14:36 ` Adhemerval Zanella
2021-04-07 17:05 ` Adhemerval Zanella
2021-02-15 12:01 ` [PATCH 08/15] elf: Fix data races in pthread_create and TLS access [BZ #19329] Szabolcs Nagy
2021-02-15 12:01 ` [PATCH 09/15] elf: Use relaxed atomics for racy accesses " Szabolcs Nagy
2021-02-15 12:01 ` [PATCH 10/15] elf: Fix DTV gap reuse logic [BZ #27135] Szabolcs Nagy
2021-02-15 12:02 ` [PATCH 11/15] x86_64: Avoid lazy relocation of tlsdesc [BZ #27137] Szabolcs Nagy
2021-04-09 0:14 ` Ben Woodard
2021-04-09 13:38 ` Szabolcs Nagy
2021-04-09 14:55 ` Ben Woodard
2021-02-15 12:02 ` [PATCH 12/15] i386: " Szabolcs Nagy
2021-02-15 12:02 ` [PATCH 13/15] x86_64: Remove lazy tlsdesc relocation related code Szabolcs Nagy
2021-02-15 12:03 ` [PATCH 14/15] i386: " Szabolcs Nagy
2021-02-15 12:03 ` [PATCH 15/15] elf: " Szabolcs Nagy
2021-02-15 12:08 ` [PATCH 03/15] Add test case for [BZ #19329] Szabolcs Nagy
2021-02-15 12:08 ` [PATCH 06/15] elf: Fix comments and logic in _dl_add_to_slotinfo Szabolcs Nagy
[not found] ` <CGME20210215115731epcas5p45614957debad2f679230d0bd1efbd57f@epcms5p7>
2021-02-15 12:11 ` [PATCH 02/15] elf: Fix data race in _dl_name_match_p [BZ #21349] Maninder Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1ccd8aa7-ff8e-96e7-7bf8-d229572d1a27@linaro.org \
--to=adhemerval.zanella@linaro.org \
--cc=libc-alpha@sourceware.org \
--cc=szabolcs.nagy@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).