glibc-2.34-1.fc35.x86_64

I'm getting this when I run any program under valgrind with glibc tunables:

$ LD_PRELOAD=/usr/lib64/libc_malloc_debug.so.0 GLIBC_TUNABLES=glibc.malloc.check=1 valgrind ls
==2958662== Memcheck, a memory error detector
==2958662== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2958662== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==2958662== Command: ls
==2958662==
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662==    at 0x4019615: parse_tunables (dl-tunables.c:211)
==2958662==    by 0x4019615: __GI___tunables_init (dl-tunables.c:296)
==2958662==    by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662==    by 0x400209E: _dl_start_final (rtld.c:490)
==2958662==    by 0x400209E: _dl_start (rtld.c:583)
==2958662==    by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662==
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662==    at 0x4019602: parse_tunables (dl-tunables.c:211)
==2958662==    by 0x4019602: __GI___tunables_init (dl-tunables.c:296)
==2958662==    by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662==    by 0x400209E: _dl_start_final (rtld.c:490)
==2958662==    by 0x400209E: _dl_start (rtld.c:583)
==2958662==    by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662==
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662==    at 0x401966C: parse_tunables (dl-tunables.c:255)
==2958662==    by 0x401966C: __GI___tunables_init (dl-tunables.c:296)
==2958662==    by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662==    by 0x400209E: _dl_start_final (rtld.c:490)
==2958662==    by 0x400209E: _dl_start (rtld.c:583)
==2958662==    by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662==
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662==    at 0x40194D2: parse_tunables (dl-tunables.c:185)
==2958662==    by 0x40194D2: __GI___tunables_init (dl-tunables.c:296)
==2958662==    by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662==    by 0x400209E: _dl_start_final (rtld.c:490)
==2958662==    by 0x400209E: _dl_start (rtld.c:583)
==2958662==    by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662==
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662==    at 0x40194DA: parse_tunables (dl-tunables.c:185)
==2958662==    by 0x40194DA: __GI___tunables_init (dl-tunables.c:296)
==2958662==    by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662==    by 0x400209E: _dl_start_final (rtld.c:490)
==2958662==    by 0x400209E: _dl_start (rtld.c:583)
==2958662==    by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662==
aclocal.m4       config.log      include         missing           server
autom4te.cache   config.status   install-sh      nbdkit            stamp-h1
bash             config.sub      libtool         nbdkit-wrapper.o  test-driver
BENCHMARKING     configure       LICENSE         OTHER_PLUGINS     tests
common           configure.ac    localconfigure  plugins           TODO
common-rules.mk  depcomp         ltmain.sh       podwrapper.pl     TODOTODO
compile          docs            m4              podwrapper.pl.in  valgrind
config.guess     filters         Makefile        README            wrapper.c
config.h         fuzzing         Makefile.am     scripts
config.h.in      html            Makefile.in     SECURITY
==2958662==
==2958662== HEAP SUMMARY:
==2958662==     in use at exit: 25,538 bytes in 55 blocks
==2958662==   total heap usage: 90 allocs, 35 frees, 63,479 bytes allocated
==2958662==
==2958662== LEAK SUMMARY:
==2958662==    definitely lost: 0 bytes in 0 blocks
==2958662==    indirectly lost: 0 bytes in 0 blocks
==2958662==      possibly lost: 0 bytes in 0 blocks
==2958662==    still reachable: 25,538 bytes in 55 blocks
==2958662==         suppressed: 0 bytes in 0 blocks
==2958662== Rerun with --leak-check=full to see details of leaked memory
==2958662==
==2958662== Use --track-origins=yes to see where uninitialised values come from
==2958662== For lists of detected and suppressed errors, rerun with: -s
==2958662== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)

In a slightly different test that I can't easily make a reproducer for, I also saw this, which is slightly different and might indicate a similar-but-different bug:

==2944389== Conditional jump or move depends on uninitialised value(s)
==2944389==    at 0x8147602: __GI___tunables_init (dl-tunables.c:211)
==2944389==    by 0x814B3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2944389==    by 0x813009E: _dl_start (rtld.c:490)
==2944389==    by 0x812F097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2944389==    by 0x1: ???
==2944389==    by 0x1FFEFFBF5A: ???
==2944389==    by 0x1FFEFFBF7E: ???
https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-tunables.c;h=8009e54ee5db32beb228e69b05352e80c809c42c;hb=HEAD#l205

Looking at the code, it seems like you're adding the length to the p pointer (line 205) and then referencing p[len] (line 211), which is obviously going to reference far beyond the end of the string in memory. I don't think this is exploitable though - GLIBC_TUNABLES is removed in setuid processes.
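To make the indexing concern in the comment above concrete, here is an added example (not code from the glibc tree or from this report) of a minimal parser for the colon-separated NAME=VALUE format that GLIBC_TUNABLES uses; it follows the structure the comment describes, restarts the length counter after advancing p, and asserts that no p[len] it examines lies past the terminating NUL. The names parse_tunables_demo and struct pair and the sample strings are constructed for this example.

```c
#include <assert.h>
#include <string.h>

/* One NAME=VALUE pair found in a GLIBC_TUNABLES-style string; the slices point
   into the input and are not NUL-terminated. */
struct pair {
    const char *name;  size_t name_len;
    const char *value; size_t value_len;
};

/* Parse "name=value:name=value" into out[] (at most max pairs); returns the
   count.  Modelled on the loop discussed above: once p has been advanced past
   the name and '=', len restarts at 0, so p[len] indexes from the new p.  The
   assert checks the invariant the comment above questions: no examined index
   lies beyond the terminating NUL.  (Constructed example, not glibc's code.) */
size_t parse_tunables_demo(const char *tunestr, struct pair *out, size_t max)
{
    const char *end = tunestr + strlen(tunestr);   /* address of the NUL */
    const char *p = tunestr;
    size_t n = 0;

    while (*p != '\0' && n < max) {
        const char *name = p;
        size_t len = 0;

        while (p[len] != '=' && p[len] != ':' && p[len] != '\0')
            len++;                   /* find where the name ends */
        if (p[len] == '\0')          /* input ended before any '=': done */
            break;
        if (p[len] == ':') {         /* "name:" with no value: skip it */
            p += len + 1;
            continue;
        }
        p += len + 1;                /* skip NAME and '='; p now starts VALUE */
        out[n].name = name;
        out[n].name_len = len;
        len = 0;                     /* restart: do not reuse the name length */
        while (p[len] != ':' && p[len] != '\0')
            len++;
        assert(p + len <= end);      /* no byte past the NUL was examined */
        out[n].value = p;
        out[n].value_len = len;
        n++;
        if (p[len] == '\0')
            break;
        p += len + 1;                /* skip ':' and go on to the next pair */
    }
    return n;
}
```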
Patch: https://sourceware.org/pipermail/libc-alpha/2021-August/130392.html
Fixed in 2.35.