Subject: Re: [PATCH] aarch64: Remove ld.so __tls_get_addr plt usage
From: Adhemerval Zanella Netto
Organization: Linaro
Date: Mon, 15 Apr 2024 17:22:38 -0300
To: Florian Weimer, Fangrui Song
Cc: Szabolcs Nagy, Cristian Rodríguez, "H.J. Lu", libc-alpha@sourceware.org, Vitaly Buka, Fangrui Song, Evgenii Stepanov, Kostya Serebryany, Dmitry Vyukov
In-Reply-To: <87a5m14odr.fsf@oldenburg.str.redhat.com>
References: <20240405123550.1748641-1-adhemerval.zanella@linaro.org> <87a5m14odr.fsf@oldenburg.str.redhat.com>

On 10/04/24 05:23, Florian Weimer wrote:
> * Fangrui Song:
>
>> Last time I analyzed the __tls_get_addr interceptor in sanitizers, I
>> have made quite some notes at
>> https://maskray.me/blog/2021-02-14-all-about-thread-local-storage#why-does-compiler-rt-need-to-know-tls-blocks
>>
>> Yes, an interceptor is needed.
>
> There's no guarantee that TLS access goes through a regular function
> call, so any design that relies on such a call happening is
> fundamentally broken.
>
> Quoting from your article:
>
> | Note: if the allocation is rtld/libc internal and not intercepted,
> | there is no need to unpoison the range. The associated shadow is
> | supposed to be zeros. However, if the allocation is intercepted, the
> | runtime should unpoison the range in case the range reuses a previous
> | allocation which happens to contain poisoned bytes.
> |
> | In glibc, _dl_allocate_tls and _dl_deallocate_tls call malloc/free
> | functions which are internal and not intercepted, so the allocations
> | are opaque to the runtime and the shadow bytes are all zeroes.
>
> I don't think this is accurate. We call the application malloc/free for
> non-main threads after initialization.
>
> Having an accurate description of sanitizer needs in this area would be
> really helpful, but I think we are not quite there yet. (This is
> different from an API description.)
>
> I think there are several aspects here:
>
> (a) Avoid false errors for bounds checks for Address Sanitizer.
>
> (b) Support pointer discovery for Leak Sanitizer (essentially conservative
> garbage collection).
>
> (c) Avoid false data race reports for Thread Sanitizer after TLS reuse
> from one thread for a different thread (only with non-overlapping
> lifetimes).
>
> Based on your description, I'm not sure if (a) is actually a problem.
> If we don't use application malloc for TLS allocations, bounds checking
> is bypassed apparently? And if we use malloc, out-of-bounds accesses
> would be actual bugs.
>
> Aspect (b) is a real issue. Could we address that by allocating the TCB
> (with static TLS) and all dynamic TLS with application malloc (or
> rather, memalign/aligned_alloc), and keep a pointer to the allocation on
> the thread stack? Then a conservative collector could find it, and scan
> it for pointers. A gap remains for the main thread, whose TCB is not
> allocated using application malloc—and can't be, as the application
> malloc itself very likely depends on the TCB already being there. We
> could switch TCBs after allocating another one with malloc, but that
> would require some hand-off protocol, I believe. Maybe it's better to
> register early allocations with the sanitizer directly, using some
> appropriate API.

Using malloc will also improve TCB hardening [1], so I think it would be
valuable to implement regardless of sanitizer work.

> For (c), we could just stop caching TCBs after thread exit. If we call
> free, and reallocate for the new thread, that should avoid the false
> data race. This issue does not affect the main thread.

We already have a tunable, glibc.pthread.stack_cache_size, which controls
the thread cache size, and setting it to 0 should disable it. I do not
think an API to dynamically change tunables is a good approach (we might
have potential issues adapting the code to a dynamic value), so maybe an
option would be to have an interposable symbol that programs could
implement to override the tunable values at program startup.

> Based on that, I don't think we need to support discovery of TLS areas,
> or export any other internal implementation details. We just need to
> use more malloc within glibc if we detect an active sanitizer, and find
> a way to make the TCB allocation of the main thread known to the
> sanitizer.
>
> Thanks,
> Florian

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=22850
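As an added example, not code from this thread or from glibc: a small C program that makes the TLS memory reuse behind aspect (c) and the glibc.pthread.stack_cache_size tunable observable. It assumes a glibc-based Linux system for the address comparison; the entry/exit values it checks hold on any C11 implementation.

```c
/* Added example (not glibc code): two threads with non-overlapping lifetimes
 * record where their static TLS lives.  With glibc's default stack/TCB cache
 * the second usually reuses the first one's memory; run with
 * GLIBC_TUNABLES=glibc.pthread.stack_cache_size=0 to disable the cache. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

static _Thread_local int tls_counter = 0;  /* static TLS in each thread's TCB area */
struct observation {
    void *tls_addr;  /* address of this thread's copy of tls_counter */
    int   on_entry;  /* value before the thread touches it: always 0 (C guarantees it) */
    int   on_exit;   /* value after one increment: always 1 (no sharing) */
};
static struct observation g_obs[2];

static void *worker(void *arg)
{
    struct observation *obs = arg;
    obs->tls_addr = &tls_counter;
    obs->on_entry = tls_counter;  /* re-initialised even when the memory is recycled */
    tls_counter++;
    obs->on_exit = tls_counter;
    return NULL;
}

/* Joins each thread before creating the next, so the first thread's TCB is
 * already released when the second starts.  Returns 1 if the second thread
 * got the same TLS address (reuse), 0 if not, -1 on a pthread error. */
static int run_sequential_threads(void)
{
    for (int i = 0; i < 2; i++) {
        pthread_t t;
        if (pthread_create(&t, NULL, worker, &g_obs[i]) != 0 ||
            pthread_join(t, NULL) != 0)
            return -1;
    }
    return g_obs[0].tls_addr == g_obs[1].tls_addr;
}

int main(void)
{
    int reused = run_sequential_threads();
    if (reused < 0) { perror("pthread"); return EXIT_FAILURE; }
    printf("thread 1 TLS %p, thread 2 TLS %p: %s\n", g_obs[0].tls_addr,
           g_obs[1].tls_addr, reused ? "reused (cached stack/TCB)" : "fresh allocation");
    printf("entry/exit values: %d/%d and %d/%d\n", g_obs[0].on_entry,
           g_obs[0].on_exit, g_obs[1].on_entry, g_obs[1].on_exit);
    return EXIT_SUCCESS;
}
```

Whether the two addresses match depends only on glibc's cache, so the same binary reports "reused" or "fresh allocation" depending on the environment it is started in.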