Date: Wed, 7 Apr 2021 09:01:10 +0100
From: Szabolcs Nagy
To: Adhemerval Zanella
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH 07/15] elf: Refactor _dl_update_slotinfo to avoid use after free
Message-ID: <20210407080109.GP23289@arm.com>
References: <3ecdb956cbf6d1b46e36311ffe7f491ce186cdbc.1613390045.git.szabolcs.nagy@arm.com> <2f925732-4c85-4dfe-036e-ed2dde651202@linaro.org>
In-Reply-To: <2f925732-4c85-4dfe-036e-ed2dde651202@linaro.org>
User-Agent: Mutt/1.9.4 (2018-02-28)
The 04/06/2021 16:40, Adhemerval Zanella wrote:
> On 15/02/2021 09:00, Szabolcs Nagy via Libc-alpha wrote:
> > map is not valid to access here because it can be freed by a
> > concurrent dlclose, so don't check the modid.
>
> Won't it be protected by the recursive GL(dl_load_lock) in such case?
> I think the concurrency issue is between dlopen and _dl_deallocate_tls
> called by pthread stack handling (nptl/allocatestack.c). Am I missing
> something here?

_dl_update_slotinfo is called both with and without the dlopen lock
held: during dynamic tls access the lock is not held (see the
__tls_get_addr path); we cannot add a lock there because that would
cause new deadlocks. Dealing with this is the tricky part of the
patchset.
> > > > The map == 0 and map != 0 code paths can be shared (avoiding > > the dtv resize in case of map == 0 is just an optimization: > > larger dtv than necessary would be fine too). > > --- > > elf/dl-tls.c | 21 +++++---------------- > > 1 file changed, 5 insertions(+), 16 deletions(-) > > > > diff --git a/elf/dl-tls.c b/elf/dl-tls.c > > index 24d00c14ef..f8b32b3ecb 100644 > > --- a/elf/dl-tls.c > > +++ b/elf/dl-tls.c > > @@ -743,6 +743,8 @@ _dl_update_slotinfo (unsigned long int req_modid) > > { > > for (size_t cnt = total == 0 ? 1 : 0; cnt < listp->len; ++cnt) > > { > > + size_t modid = total + cnt; > > + > > size_t gen = listp->slotinfo[cnt].gen; > > > > if (gen > new_gen) > > @@ -758,25 +760,12 @@ _dl_update_slotinfo (unsigned long int req_modid) > > > > /* If there is no map this means the entry is empty. */ > > struct link_map *map = listp->slotinfo[cnt].map; > > - if (map == NULL) > > - { > > - if (dtv[-1].counter >= total + cnt) > > - { > > - /* If this modid was used at some point the memory > > - might still be allocated. */ > > - free (dtv[total + cnt].pointer.to_free); > > - dtv[total + cnt].pointer.val = TLS_DTV_UNALLOCATED; > > - dtv[total + cnt].pointer.to_free = NULL; > > - } > > - > > - continue; > > - } > > - > > /* Check whether the current dtv array is large enough. */ > > - size_t modid = map->l_tls_modid; > > - assert (total + cnt == modid); > > if (dtv[-1].counter < modid) > > { > > + if (map == NULL) > > + continue; > > + > > /* Resize the dtv. */ > > dtv = _dl_resize_dtv (dtv); > > > >
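Review bot: in the first hunk, the new `size_t modid = total + cnt;` carries the whole point of the change (the modid now comes from the slotinfo list position instead of `map->l_tls_modid`), but nothing in the code says why; a later reader of this function will not know that `map` may be freed by a concurrent dlclose and must not be accessed on this path. Suggest a comment on the new line, e.g. `/* modid is the position in the slotinfo list; map may be freed by a concurrent dlclose, so never derive it from map.  */`. The `assert (total + cnt == modid)` dropped in the second hunk was the only check that the list position agrees with the map's modid, so that invariant is now stated nowhere; the same comment could record it.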
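Review bot: in the second hunk, the new `if (map == NULL) continue;` inside `if (dtv[-1].counter < modid)` relies on an argument the removed code made explicit: an empty entry whose modid is beyond the current dtv size cannot have a stale `pointer.to_free`, so neither a resize nor a free is needed, while an empty entry within the dtv size must still fall through to the shared path so its entry gets freed and reset. The removed comment `/* If this modid was used at some point the memory might still be allocated. */` captured that; suggest keeping it (or a shorter form such as `/* Empty entry beyond the dtv: nothing was ever allocated for it.  */`) next to the `continue`, and saying in the commit message that the map == NULL case is now handled by the shared free-and-reset code after the resize, since the hunk context does not show that code.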