Bug 23790

Summary: Data race in _dl_profile_fixup with reloc_result update from multiple threads.
Product: glibc
Reporter: Carlos O'Donell <carlos>
Component: dynamic-link
Assignee: Not yet assigned to anyone <unassigned>
Status: NEW
Severity: normal
CC: fweimer, tuliom
Priority: P2
Flags: fweimer: security-
Version: 2.30
Target Milestone: ---
See Also: https://sourceware.org/bugzilla/show_bug.cgi?id=23690
Host:
Target:
Build:
Last reconfirmed:

Description Carlos O'Donell 2018-10-18 01:51:20 UTC
There is a data race in _dl_profile_fixup where multiple threads may enter from the same PLT entry, and update the same reloc_result index entry.

This is similar to the data dependency issues from bug 23690, but there we only look to solve the issue for threads that find the guard variable indicating the structure is initialized only to see incomplete writes to the structure and crash.

The fix is for _dl_profile_fixup to be rewritten such that the threads work on a local copy of a struct reloc_result and then use an RMW sequence to place it into the final array, and thus we avoid the data races.
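The pattern the report proposes, as an added illustration that is not glibc code and not the reporter's own patch: a single lazily bound slot is modelled with a check-then-write version, where every thread that misses the guard writes the shared entry, next to a version in which each thread builds a private copy of the result and then claims the slot with one atomic compare-exchange, so at most one thread ever writes the shared memory and the others simply use their local copy. The struct layout (`reloc_result_model`), the three-state guard, the function names and the resolved address are assumptions made for this example; the real `struct reloc_result` and `_dl_profile_fixup` are more involved.

```c
/* Added example, not glibc code: a model of the reloc_result publishing race
 * described in bug 23790.  Struct layout, names and the three-state guard are
 * assumptions for this illustration. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

enum { RR_UNINIT = 0, RR_WRITING = 1, RR_READY = 2 };

/* Stand-in for glibc's struct reloc_result (assumed layout). */
struct reloc_result_model {
    uintptr_t addr;         /* resolved target address */
    unsigned int boundndx;  /* second field written together with addr */
    _Atomic int state;      /* RR_UNINIT -> RR_WRITING -> RR_READY */
};

static struct reloc_result_model shared;     /* one slot of the result array */
static int racy_init;                        /* plain guard for racy variant */
static _Atomic unsigned long shared_writes;  /* threads that wrote `shared` */

/* Racy variant: unsynchronised check-then-write on the shared slot.  Several
 * threads can pass the guard and write at once, and the guard store may become
 * visible before the field stores.  Build with -fsanitize=thread to have the
 * race reported. */
static uintptr_t racy_fixup(uintptr_t resolved)
{
    if (racy_init)
        return shared.addr;
    shared.addr = resolved;
    shared.boundndx = (unsigned int)(resolved & 0xff);
    racy_init = 1;
    atomic_fetch_add(&shared_writes, 1);
    return shared.addr;
}

/* Fixed variant: private copy first, then one RMW to claim the slot. */
static uintptr_t fixed_fixup(uintptr_t resolved)
{
    /* Fast path: the acquire load pairs with the release store below, so a
     * thread that sees RR_READY also sees the completed fields. */
    if (atomic_load_explicit(&shared.state, memory_order_acquire) == RR_READY)
        return shared.addr;

    struct reloc_result_model local = { .addr = resolved,
                                        .boundndx = (unsigned int)(resolved & 0xff) };

    int expected = RR_UNINIT;
    if (atomic_compare_exchange_strong_explicit(&shared.state, &expected, RR_WRITING,
                                                memory_order_acq_rel,
                                                memory_order_acquire)) {
        /* Only the thread that won UNINIT -> WRITING touches the shared slot. */
        shared.addr = local.addr;
        shared.boundndx = local.boundndx;
        atomic_store_explicit(&shared.state, RR_READY, memory_order_release);
        atomic_fetch_add(&shared_writes, 1);
    }
    /* Winner or loser, the caller's own local copy is the answer. */
    return local.addr;
}

#define NTHREADS 8
struct worker_arg { uintptr_t (*fn)(uintptr_t); uintptr_t resolved; uintptr_t got; };

static void *worker(void *p)
{
    struct worker_arg *a = p;
    a->got = a->fn(a->resolved);
    return NULL;
}

/* Runs NTHREADS threads through `fn` on a fresh slot.  Returns how many
 * threads wrote the shared slot; *all_agree reports whether every thread
 * got `resolved` back; *final_state is the slot's guard afterwards. */
static unsigned long run_threads(uintptr_t (*fn)(uintptr_t), uintptr_t resolved,
                                 int *all_agree, int *final_state)
{
    shared.addr = 0;
    shared.boundndx = 0;
    atomic_store(&shared.state, RR_UNINIT);
    racy_init = 0;
    atomic_store(&shared_writes, 0);

    pthread_t tid[NTHREADS];
    struct worker_arg args[NTHREADS];
    for (int i = 0; i < NTHREADS; i++) {
        args[i] = (struct worker_arg){ fn, resolved, 0 };
        pthread_create(&tid[i], NULL, worker, &args[i]);
    }
    *all_agree = 1;
    for (int i = 0; i < NTHREADS; i++) {
        pthread_join(tid[i], NULL);
        if (args[i].got != resolved)
            *all_agree = 0;
    }
    *final_state = atomic_load(&shared.state);
    return atomic_load(&shared_writes);
}

int main(void)
{
    int agree, state;
    unsigned long w = run_threads(racy_fixup, 0x401000, &agree, &state);
    printf("racy : %lu thread(s) wrote the slot (scheduling dependent)\n", w);
    w = run_threads(fixed_fixup, 0x401000, &agree, &state);
    printf("fixed: %lu thread(s) wrote the slot, all_agree=%d, state=%d\n", w, agree, state);
    return 0;
}
```

The number of writers in the racy run depends on scheduling and is reported only to make the point visible; the fixed run always yields exactly one writer, a slot in `RR_READY`, and the same address in every thread, because the compare-exchange is the only path that writes shared memory and losing threads never touch it.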