Bug 5517 - pthread: TLS array overlapped with guard pages in IA64
Summary: pthread: TLS array overlapped with guard pages in IA64
Status: RESOLVED INVALID
Alias: None
Product: glibc
Classification: Unclassified
Component: nptl
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Ulrich Drepper
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-12-21 05:13 UTC by wang fang
Modified: 2014-07-03 11:44 UTC (History)

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-


Attachments
this is the patch to solve this bug (387 bytes, patch)
2007-12-21 05:19 UTC, wang fang

Description wang fang 2007-12-21 05:13:52 UTC
Hi,

Here are test procedures in IA64:

----------------------------------
[root@Fedora-ia64 TLS]# cat test.c
#include <stdio.h>
#include <pthread.h>

#define TLS_NUM 67400

/* Thread-local array: about 527 KiB per thread on IA64 (8-byte longs). */
__thread unsigned long test[TLS_NUM];

void *routine(void *arg)
{
	int i;

	/* Walk the array from the top with -DREVERSE, from the bottom otherwise. */
#ifdef REVERSE
	for (i = TLS_NUM-1; i >= 0; i--) {
#else
	for (i = 0; i < TLS_NUM; i++) {
#endif
		test[i] = i;
		printf("i = %lu\n", test[i]);
	}
	return NULL;
}

int main(int argc, char **argv)
{
	pthread_t pid;
	pthread_attr_t attr;
	size_t stacksize;

	pthread_attr_init(&attr);

	/* Report the default thread stack size (follows ulimit -s). */
	pthread_attr_getstacksize(&attr, &stacksize);
	printf("stacksize: %lu\n", (unsigned long)stacksize);

	pthread_create(&pid, &attr, routine, NULL);

	pthread_join(pid, NULL);

	return 0;
}

[root@Fedora-ia64 TLS]# ulimit -s 1024
[root@Fedora-ia64 TLS]# gcc -o test test.c -lpthread
[root@Fedora-ia64 TLS]# ./test
stacksize: 1048576
i = 0
i = 1
...
i = 36
i = 37
Segmentation fault
[root@Fedora-ia64 TLS]# gcc -o test test.c -lpthread -DREVERSE
stacksize: 1048576
i = 67399
i = 67398
...
i = 2087
i = 2086
Segmentation fault
--------------------------

Seeing from above, the middle of the TLS array can't be accessed.
This is because the array overflows the normal stack and extends
to the register stack. As shown below:

              |<--------ARRAY-------->|
|-------------------------------------------------|
|<---register stack--->| guard |<--normal stack-->|

So the middle of ARRAY is in the guard area. When accessing this
area, the program receives a SIGSEGV.

ARRAY can fit into the stack, but half of the stack is assigned to
register stack, so the normal stack can't place the whole ARRAY.
So I think the stack should be expanded for IA64.
Comment 1 wang fang 2007-12-21 05:19:31 UTC
Created attachment 2152 [details]
this is the patch to solve this bug

This is the patch that expands stacksize for IA64 to solve this bug.
Comment 2 Jakub Jelinek 2008-04-10 11:51:56 UTC
This is just a misunderstanding of what stacksize means on IA-64.  That's the size of
the register stack and normal stack and guard page(s).  If there are any guard
pages, the normal stack is limited to half of stacksize - guardsize; if there is no
guard, just the actually used normal stack plus actually used register stack
should be smaller than stacksize.
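Added example, not part of the bug report or of glibc: a program that applies the rule stated in Comment 2 (half of stacksize is the register backing store, and guard pages come out of the remaining normal half) to check whether its own TLS block fits and, if not, to request a larger stack through pthread_attr_setstacksize instead of relying on the default. The element count TLS_NUM and the 1 MiB stacksize are taken from the report; the 16 KiB guard and the 64 KiB headroom for ordinary frames are assumed values (the roughly 2048 inaccessible 8-byte elements between the two faulting indices in the report are consistent with one 16 KiB guard page, but that is an inference). On targets other than IA-64 the rule simply over-provisions, which is harmless.

```c
/* Added example (not from the bug report): sizing a thread stack so a
 * large TLS block fits under the IA-64 rule from Comment 2.
 * Assumptions: guard of 16 KiB and headroom of 64 KiB are constructed;
 * TLS_NUM and the 1 MiB stacksize come from the report. */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

#define TLS_NUM   67400UL                          /* from the report */
#define TLS_BYTES (TLS_NUM * sizeof(unsigned long)) /* 539200 on LP64 */

/* Usable normal (memory) stack per Comment 2: half of stacksize belongs
 * to the register stack, and the guard pages are taken out of the other
 * half. Returns 0 when the guard alone consumes that half. */
size_t ia64_usable_normal_stack(size_t stacksize, size_t guardsize)
{
    size_t half = stacksize / 2;
    return half > guardsize ? half - guardsize : 0;
}

/* Smallest stacksize, rounded up to a page, whose normal half holds
 * tls_bytes plus headroom for ordinary frames next to the guard. */
size_t ia64_required_stacksize(size_t tls_bytes, size_t headroom,
                               size_t guardsize, size_t pagesize)
{
    size_t need = 2 * (tls_bytes + headroom + guardsize);
    return (need + pagesize - 1) / pagesize * pagesize;
}

/* 1 if a TLS block of tls_bytes fits in the normal half, else 0. */
int ia64_tls_fits(size_t stacksize, size_t guardsize, size_t tls_bytes)
{
    return tls_bytes <= ia64_usable_normal_stack(stacksize, guardsize);
}

/* Grow attr's stack until the TLS block fits under the IA-64 rule.
 * Returns the stacksize now in effect, or 0 on a pthread error. */
size_t ia64_fit_tls_in_attr(pthread_attr_t *attr, size_t tls_bytes,
                            size_t headroom)
{
    size_t stacksize, guardsize, want;
    long ps = sysconf(_SC_PAGESIZE);
    size_t pagesize = ps > 0 ? (size_t)ps : 4096;

    if (pthread_attr_getstacksize(attr, &stacksize) != 0) return 0;
    if (pthread_attr_getguardsize(attr, &guardsize) != 0) return 0;
    if (ia64_tls_fits(stacksize, guardsize, tls_bytes)) return stacksize;

    want = ia64_required_stacksize(tls_bytes, headroom, guardsize, pagesize);
    if (pthread_attr_setstacksize(attr, want) != 0) return 0;
    return want;
}

/* Self-check on this process's default attributes: returns the chosen
 * stacksize when the TLS block then fits, 0 otherwise. */
size_t ia64_demo_fit(size_t tls_bytes)
{
    pthread_attr_t attr;
    size_t got, guard = 0;

    if (pthread_attr_init(&attr) != 0) return 0;
    got = ia64_fit_tls_in_attr(&attr, tls_bytes, 64 * 1024);
    if (got && (pthread_attr_getguardsize(&attr, &guard) != 0
                || !ia64_tls_fits(got, guard, tls_bytes)))
        got = 0;
    pthread_attr_destroy(&attr);
    return got;
}

int main(void)
{
    size_t stacksize = 1048576;  /* from the report (ulimit -s 1024) */
    size_t guard = 16384;        /* assumed: one IA-64 page */

    printf("usable normal stack %zu bytes, TLS needs %zu bytes: %s\n",
           ia64_usable_normal_stack(stacksize, guard), (size_t)TLS_BYTES,
           ia64_tls_fits(stacksize, guard, TLS_BYTES) ? "fits" : "does not fit");
    printf("stacksize needed under the rule: %zu\n",
           ia64_required_stacksize(TLS_BYTES, 0, guard, guard));
    printf("stacksize chosen for this process: %zu\n", ia64_demo_fit(TLS_BYTES));
    return 0;
}
```

With the report's numbers the block does not fit even with guardsize 0, because 539200 bytes exceed the 524288-byte normal half, which is why growing the default stack in glibc was declined: the program has to ask for the stack it needs.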