Subject: Re: [PATCH 07/15] elf: Refactor _dl_update_slotinfo to avoid use after free
From: Adhemerval Zanella
To: Szabolcs Nagy
Cc: libc-alpha@sourceware.org
Date: Wed, 7 Apr 2021 11:36:49 -0300
Message-ID: <2c40fc8a-89ae-ea39-3312-1fa61e03e327@linaro.org>
In-Reply-To: <1ccd8aa7-ff8e-96e7-7bf8-d229572d1a27@linaro.org>
References: <3ecdb956cbf6d1b46e36311ffe7f491ce186cdbc.1613390045.git.szabolcs.nagy@arm.com> <2f925732-4c85-4dfe-036e-ed2dde651202@linaro.org> <20210407080109.GP23289@arm.com> <1ccd8aa7-ff8e-96e7-7bf8-d229572d1a27@linaro.org>

On 07/04/2021 11:28, Adhemerval Zanella wrote:
>
>
> On 07/04/2021 05:01, Szabolcs Nagy wrote:
>> The 04/06/2021 16:40, Adhemerval Zanella wrote:
>>> On 15/02/2021 09:00, Szabolcs Nagy via Libc-alpha wrote:
>>>> map is not valid to access here because it can be freed by a
>>>> concurrent dlclose, so don't check the modid.
>>>
>>> Won't it be protected by the recursive GL(dl_load_lock) in such case?
>>> I think the concurrency issue is between dlopen and _dl_deallocate_tls
>>> called by pthread stack handling (nptl/allocatestack.c). Am I missing
>>> something here?
>>
>>
>> _dl_update_slotinfo is called both with and without
>> the dlopen lock held: during dynamic tls access
>> the lock is not held (see the __tls_get_addr path)
>
>
> Right, revising the patch I mapped the calls (not sure if it is
> fully complete):
>
> | _dl_open
> |   __rtld_lock_lock_recursive (GL(dl_load_lock));
> |   dl_open_worker
> |     update_tls_slotinfo
> |       _dl_update_slotinfo
> |   __rtld_lock_unlock_recursive (GL(dl_load_lock));
>
> | __tls_get_addr
> |   update_get_addr
> |     _dl_update_slotinfo
>
> | rtld
> |   _dl_resolve_conflicts
> |     elf_machine_rela
> |       TRY_STATIC_TLS
> |         _dl_try_allocate_static_tls
> |           _dl_update_slotinfo
> |
> |   elf_machine_rela
> |     CHECK_STATIC_TLS
> |       _dl_allocate_static_tls
> |         _dl_try_allocate_static_tls
> |           _dl_update_slotinfo
>
> The rtld part should not matter, since it is done before threads
> are supported.
>
>>
>> we cannot add a lock there because that would cause
>> new deadlocks, dealing with this is the tricky part
>> of the patchset.
>
> I understand this patch from the previous discussion about it. The
> part that is confusing me is "because it can be freed by a concurrent
> dlclose". My understanding is '_dl_deallocate_tls' might be called
> in thread exit / deallocation without the GL(dl_load_lock) (which
> is a potential issue); what I can't see is how a concurrent dlclose
> might trigger this issue (since it should be synchronized with dlopen
> through the lock).

I think I got what you meant: the concurrency issue is not related
to dlopen, but rather to __tls_get_addr and dlclose. Maybe make
this explicit in the commit message.
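The thread above turns on one detail: a reader on the __tls_get_addr path walks the slotinfo list without GL(dl_load_lock), so it must not dereference the link_map stored in a slot, because a concurrent dlclose may have freed it. The following C model is an added example, not glibc code or code from either poster; the toy_* structures, the generation semantics and the helpers build_chain, close_module, find_slot and collect_updated_modids are all assumptions made for the illustration. It shows the refactor's key idea: the module id is a property of the slot position (list base plus index), so the walker can name a changed module without ever reading map->l_tls_modid.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define SLOTS_PER_LIST 4

/* Constructed stand-ins for the loader's link_map and dtv slotinfo list. */
struct toy_link_map { size_t l_tls_modid; };
struct toy_slotinfo { size_t gen; struct toy_link_map *map; };
struct toy_slotinfo_list {
  size_t len;
  struct toy_slotinfo_list *next;
  struct toy_slotinfo slotinfo[SLOTS_PER_LIST];
};

/* Locate a slot purely by position: modid == running total + index.
   Slot 0 of the first list is unused, so modid 0 is never valid. */
struct toy_slotinfo *find_slot(struct toy_slotinfo_list *head, size_t modid)
{
  size_t total = 0;
  for (struct toy_slotinfo_list *l = head; l != NULL; l = l->next) {
    if (modid < total + l->len)
      return &l->slotinfo[modid - total];
    total += l->len;
  }
  return NULL;
}

/* Build a chain holding modules 1..nmods, all added at generation gen. */
struct toy_slotinfo_list *build_chain(size_t nmods, size_t gen)
{
  struct toy_slotinfo_list *head = NULL, **tail = &head;
  size_t total = 0;
  while (total < nmods + 1) {                 /* +1 for the unused slot 0 */
    struct toy_slotinfo_list *l = calloc(1, sizeof *l);
    l->len = SLOTS_PER_LIST;
    for (size_t i = 0; i < SLOTS_PER_LIST; ++i) {
      size_t modid = total + i;
      if (modid == 0 || modid > nmods)
        continue;
      struct toy_link_map *m = malloc(sizeof *m);
      m->l_tls_modid = modid;
      l->slotinfo[i].gen = gen;
      l->slotinfo[i].map = m;
    }
    *tail = l;
    tail = &l->next;
    total += SLOTS_PER_LIST;
  }
  return head;
}

/* Model of dlclose: free the map and mark the slot as changed at generation gen.
   In glibc this happens under the loader lock, but __tls_get_addr readers do
   not hold it, so any map pointer they copied earlier is now dangling. */
int close_module(struct toy_slotinfo_list *head, size_t modid, size_t gen)
{
  struct toy_slotinfo *s = find_slot(head, modid);
  if (s == NULL || s->map == NULL)
    return 0;
  free(s->map);
  s->map = NULL;
  s->gen = gen;
  return 1;
}

/* The refactored walk: report slots that changed in (old_gen, new_gen],
   naming each module by its slot position. The map field is only tested
   for NULL or copied, never dereferenced, so a racing dlclose cannot turn
   this walk into a use after free. Returns the number of changed slots. */
size_t collect_updated_modids(struct toy_slotinfo_list *head, size_t old_gen,
                              size_t new_gen, size_t *out, size_t out_len)
{
  size_t total = 0, n = 0;
  for (struct toy_slotinfo_list *l = head; l != NULL; l = l->next) {
    for (size_t cnt = total == 0 ? 1 : 0; cnt < l->len; ++cnt) {
      struct toy_slotinfo *e = &l->slotinfo[cnt];
      size_t modid = total + cnt;          /* derived from position, not from map */
      if (e->gen <= old_gen || e->gen > new_gen)
        continue;                          /* already applied, or not visible yet */
      if (n < out_len)
        out[n] = modid;
      n++;
    }
    total += l->len;
  }
  return n;
}

int main(void)
{
  struct toy_slotinfo_list *h = build_chain(5, 1);
  size_t out[8];
  size_t n = collect_updated_modids(h, 0, 1, out, 8);
  printf("gen 0->1: %zu changed slots, first modid %zu\n", n, out[0]);
  close_module(h, 3, 2);                  /* simulated dlclose of module 3 */
  n = collect_updated_modids(h, 1, 2, out, 8);
  printf("gen 1->2: %zu changed slot, modid %zu, map %p\n", n, out[0],
         (void *) find_slot(h, 3)->map);
  return 0;
}
```

The point the model makes is the one Szabolcs's commit message states: after the refactor the only thing the unlocked reader learns from a slot is its position and generation, and the map pointer is passed along untouched, so the stale-pointer window opened by dlclose is never dereferenced on this path.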