Bug 23790 - Data race in _dl_profile_fixup with reloc_result update from multiple threads.
Summary: Data race in _dl_profile_fixup with reloc_result update from multiple threads.
Status: NEW
Alias: None
Product: glibc
Classification: Unclassified
Component: dynamic-link
Version: 2.30
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-18 01:51 UTC by Carlos O'Donell
Modified: 2018-10-18 11:46 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-


Description Carlos O'Donell 2018-10-18 01:51:20 UTC
There is a data race in _dl_profile_fixup where multiple threads may enter from the same PLT entry, and update the same reloc_result index entry.

This is similar to the data dependency issues from bug 23690, but there we only look to solve the issue for threads that find the guard variable indicating the structure is initialized only to see incomplete writes to the structure and crash.

The fix is for _dl_profile_fixup to be rewritten such that the threads work on a local copy of a struct reloc_result and then use a RMW sequence to place it into the final array, and thus we avoid the data races.
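The race pattern and the proposed local-copy-plus-RMW fix, as an added illustration that is not glibc's code and not the reporter's: `struct reloc_result`, the `resolve()` stand-in for symbol lookup, the per-entry `state` word and all function names are constructed for this example. `fixup_racy` shows the pattern described in the report (several threads writing the same shared entry field by field); `fixup_fixed` computes into a local copy, claims the entry with a single compare-and-swap so only one thread ever copies it in, and publishes it with a release store, while threads that lose the claim simply use their own local copy.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for glibc's struct reloc_result: only the fields
   needed to show the publication pattern (constructed for this example). */
struct reloc_result {
    uintptr_t addr;        /* resolved target address */
    unsigned int boundndx; /* index of the object defining the symbol */
    unsigned int flags;
};

enum { SLOT_EMPTY = 0, SLOT_CLAIMED = 1, SLOT_READY = 2 };

/* One entry of the per-object reloc_result array plus a publication state. */
struct slot {
    struct reloc_result res;
    atomic_int state;
};

#define NSLOTS 4    /* distinct PLT entries */
#define NTHREADS 8  /* threads entering through the same PLT entries */

/* Deterministic stand-in for symbol lookup: depends only on the reloc
   index, so concurrent callers compute identical results. */
static struct reloc_result resolve(unsigned int reloc_index)
{
    struct reloc_result r;
    r.addr = 0x1000u + 0x10u * reloc_index;
    r.boundndx = reloc_index % 2;
    r.flags = 1;
    return r;
}

/* Racy pattern from the report: every caller writes the shared entry field
   by field, so two threads write the same slot at once and a third may read
   a half-written entry. Not exercised by the self-check below. */
static uintptr_t fixup_racy(struct slot *slots, unsigned int reloc_index)
{
    struct slot *s = &slots[reloc_index];
    if (atomic_load_explicit(&s->state, memory_order_relaxed) != SLOT_READY) {
        struct reloc_result r = resolve(reloc_index);
        s->res.addr = r.addr;          /* unsynchronised writes to shared data */
        s->res.boundndx = r.boundndx;
        s->res.flags = r.flags;
        atomic_store_explicit(&s->state, SLOT_READY, memory_order_relaxed);
    }
    return s->res.addr;                /* may be another thread's partial write */
}

/* Proposed fix: claim the slot with one RMW (CAS EMPTY -> CLAIMED) so that
   exactly one thread copies the local result in; the release store to READY
   makes the complete entry visible at once. Returns 1 for the claimant. */
static int publish_reloc_result(struct slot *s, const struct reloc_result *local)
{
    int expected = SLOT_EMPTY;
    if (!atomic_compare_exchange_strong_explicit(&s->state, &expected, SLOT_CLAIMED,
                                                 memory_order_acq_rel,
                                                 memory_order_acquire))
        return 0;                      /* another thread owns this entry */
    s->res = *local;                   /* only the claimant writes here */
    atomic_store_explicit(&s->state, SLOT_READY, memory_order_release);
    return 1;
}

/* Readers trust an entry only once it is READY; the acquire load pairs with
   the release store above, so the copied fields are complete. */
static int lookup_reloc_result(struct slot *s, struct reloc_result *out)
{
    if (atomic_load_explicit(&s->state, memory_order_acquire) != SLOT_READY)
        return 0;
    *out = s->res;
    return 1;
}

/* Fixed fixup: losers of the claim use their own local copy, so no thread
   waits on, or reads, another thread's in-progress write. */
static uintptr_t fixup_fixed(struct slot *slots, unsigned int reloc_index, int *won)
{
    struct reloc_result cached, local;
    if (lookup_reloc_result(&slots[reloc_index], &cached)) {
        *won = 0;
        return cached.addr;
    }
    local = resolve(reloc_index);
    *won = publish_reloc_result(&slots[reloc_index], &local);
    return local.addr;
}

struct worker_arg { struct slot *slots; unsigned int wins; };

static void *worker(void *p)
{
    struct worker_arg *a = p;
    for (int round = 0; round < 200; round++)
        for (unsigned int i = 0; i < NSLOTS; i++) {
            int won;
            fixup_fixed(a->slots, i, &won);
            a->wins += won;
        }
    return NULL;
}

void slots_init(struct slot *slots)
{
    for (unsigned int i = 0; i < NSLOTS; i++) {
        slots[i].res = (struct reloc_result){0};
        atomic_init(&slots[i].state, SLOT_EMPTY);
    }
}

/* Runs NTHREADS threads through the fixed path on the same slots and returns
   the number of successful claims: exactly NSLOTS on fresh slots (one writer
   per entry), 0 on slots that are already published. */
unsigned int run_contended_fixups(struct slot *slots)
{
    pthread_t th[NTHREADS];
    struct worker_arg args[NTHREADS];
    unsigned int total = 0;
    for (int i = 0; i < NTHREADS; i++) {
        args[i].slots = slots;
        args[i].wins = 0;
        pthread_create(&th[i], NULL, worker, &args[i]);
    }
    for (int i = 0; i < NTHREADS; i++) {
        pthread_join(th[i], NULL);
        total += args[i].wins;
    }
    return total;
}

/* Returns 1 when every slot is READY and holds exactly what resolve() yields. */
int slots_consistent(struct slot *slots)
{
    for (unsigned int i = 0; i < NSLOTS; i++) {
        struct reloc_result got, want = resolve(i);
        if (!lookup_reloc_result(&slots[i], &got))
            return 0;
        if (got.addr != want.addr || got.boundndx != want.boundndx || got.flags != want.flags)
            return 0;
    }
    return 1;
}

int main(void)
{
    struct slot slots[NSLOTS];
    slots_init(slots);
    unsigned int claims = run_contended_fixups(slots);
    printf("claims=%u (expect %d) consistent=%d\n", claims, NSLOTS, slots_consistent(slots));
    return (claims == NSLOTS && slots_consistent(slots)) ? 0 : 1;
}
```

The three-state word is what turns the proposal into something checkable: a slot is never READY with partially copied fields, and the CAS guarantees a single writer, so the self-check counts exactly one claim per entry however many threads race for it. The racy variant is kept only for contrast; running it under ThreadSanitizer reports the unsynchronised writes and reads on `res`.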