Bug 28256 - Conditional jump or move depends on uninitialised value(s) in __GI___tunables_init
Summary: Conditional jump or move depends on uninitialised value(s) in __GI___tunables...
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: malloc
Version: 2.34
: P2 normal
Target Milestone: 2.35
Assignee: Not yet assigned to anyone
Reported: 2021-08-21 13:47 UTC by Richard Jones
Modified: 2023-08-30 16:21 UTC

fweimer: security-


Description Richard Jones 2021-08-21 13:47:37 UTC
glibc-2.34-1.fc35.x86_64

I'm getting this when I run any program under valgrind with glibc tunables:

$ LD_PRELOAD=/usr/lib64/libc_malloc_debug.so.0 GLIBC_TUNABLES=glibc.malloc.check=1 valgrind ls
==2958662== Memcheck, a memory error detector
==2958662== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2958662== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==2958662== Command: ls
==2958662== 
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662==    at 0x4019615: parse_tunables (dl-tunables.c:211)
==2958662==    by 0x4019615: __GI___tunables_init (dl-tunables.c:296)
==2958662==    by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662==    by 0x400209E: _dl_start_final (rtld.c:490)
==2958662==    by 0x400209E: _dl_start (rtld.c:583)
==2958662==    by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662== 
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662==    at 0x4019602: parse_tunables (dl-tunables.c:211)
==2958662==    by 0x4019602: __GI___tunables_init (dl-tunables.c:296)
==2958662==    by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662==    by 0x400209E: _dl_start_final (rtld.c:490)
==2958662==    by 0x400209E: _dl_start (rtld.c:583)
==2958662==    by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662== 
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662==    at 0x401966C: parse_tunables (dl-tunables.c:255)
==2958662==    by 0x401966C: __GI___tunables_init (dl-tunables.c:296)
==2958662==    by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662==    by 0x400209E: _dl_start_final (rtld.c:490)
==2958662==    by 0x400209E: _dl_start (rtld.c:583)
==2958662==    by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662== 
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662==    at 0x40194D2: parse_tunables (dl-tunables.c:185)
==2958662==    by 0x40194D2: __GI___tunables_init (dl-tunables.c:296)
==2958662==    by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662==    by 0x400209E: _dl_start_final (rtld.c:490)
==2958662==    by 0x400209E: _dl_start (rtld.c:583)
==2958662==    by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662== 
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662==    at 0x40194DA: parse_tunables (dl-tunables.c:185)
==2958662==    by 0x40194DA: __GI___tunables_init (dl-tunables.c:296)
==2958662==    by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662==    by 0x400209E: _dl_start_final (rtld.c:490)
==2958662==    by 0x400209E: _dl_start (rtld.c:583)
==2958662==    by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662== 
aclocal.m4	 config.log	include		missing		  server
autom4te.cache	 config.status	install-sh	nbdkit		  stamp-h1
bash		 config.sub	libtool		nbdkit-wrapper.o  test-driver
BENCHMARKING	 configure	LICENSE		OTHER_PLUGINS	  tests
common		 configure.ac	localconfigure	plugins		  TODO
common-rules.mk  depcomp	ltmain.sh	podwrapper.pl	  TODOTODO
compile		 docs		m4		podwrapper.pl.in  valgrind
config.guess	 filters	Makefile	README		  wrapper.c
config.h	 fuzzing	Makefile.am	scripts
config.h.in	 html		Makefile.in	SECURITY
==2958662== 
==2958662== HEAP SUMMARY:
==2958662==     in use at exit: 25,538 bytes in 55 blocks
==2958662==   total heap usage: 90 allocs, 35 frees, 63,479 bytes allocated
==2958662== 
==2958662== LEAK SUMMARY:
==2958662==    definitely lost: 0 bytes in 0 blocks
==2958662==    indirectly lost: 0 bytes in 0 blocks
==2958662==      possibly lost: 0 bytes in 0 blocks
==2958662==    still reachable: 25,538 bytes in 55 blocks
==2958662==         suppressed: 0 bytes in 0 blocks
==2958662== Rerun with --leak-check=full to see details of leaked memory
==2958662== 
==2958662== Use --track-origins=yes to see where uninitialised values come from
==2958662== For lists of detected and suppressed errors, rerun with: -s
==2958662== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)


In a slightly different test that I can't easily make a reproducer for
I also saw this which is slightly different and might indicate a
similar-but-different bug:

==2944389== Conditional jump or move depends on uninitialised value(s)
==2944389==    at 0x8147602: __GI___tunables_init (dl-tunables.c:211)
==2944389==    by 0x814B3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2944389==    by 0x813009E: _dl_start (rtld.c:490)
==2944389==    by 0x812F097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2944389==    by 0x1: ???
==2944389==    by 0x1FFEFFBF5A: ???
==2944389==    by 0x1FFEFFBF7E: ???
Comment 1 Richard Jones 2021-08-22 13:08:30 UTC
https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-tunables.c;h=8009e54ee5db32beb228e69b05352e80c809c42c;hb=HEAD#l205

Looking at the code it seems like you're adding the length
to the p pointer (line 205) and then referencing p[len] (line 211)
which is obviously going to reference far beyond the end
of the string in memory.

I don't think this is exploitable though - GLIBC_TUNABLES
is removed in setuid processes.
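An added illustration of the pointer pattern Comment 1 describes (constructed for this page; it is not glibc's parse_tunables and not the reporter's code): the cursor is advanced by the name length and then indexed by that same length, so the probe lands at twice the name length, past the terminator. Every read goes through an accessor that records the highest index touched, so the overrun is measured rather than performed, and a corrected form that indexes from the new cursor position is shown beside it.

```c
#include <string.h>
/* Constructed illustration of the pattern Comment 1 describes, not
   glibc's parse_tunables.  Reads go through at(), which records the
   highest index touched, so an overrun is observed without UB. */
struct scan { const char *s; size_t n; size_t max_idx; }; /* n includes NUL */
static char at(struct scan *sc, size_t i)
{
    if (i > sc->max_idx) sc->max_idx = i;
    return i < sc->n ? sc->s[i] : '\0';
}

/* Length of the name at index start, up to '=' or the terminator. */
static size_t name_len(struct scan *sc, size_t start)
{
    size_t len = 0;
    while (at(sc, start + len) != '=' && at(sc, start + len) != '\0')
        len++;
    return len;
}

/* Bytes probed past the terminator; 0 if every read stayed in bounds. */
static size_t overrun_of(const struct scan *sc)
{
    return sc->max_idx >= sc->n ? sc->max_idx - (sc->n - 1) : 0;
}

/* Buggy form: cursor advanced by len, then p[len] tested as if the cursor
   still sat at the start of the name, so the probe lands at 2*len. */
int buggy_find_eq(const char *s, size_t *overrun)
{
    struct scan sc = { s, strlen(s) + 1, 0 };
    size_t p = 0, len = name_len(&sc, p);
    p += len;                               /* the "p += len" advance */
    int found = at(&sc, p + len) == '=';    /* the later p[len] read */
    *overrun = overrun_of(&sc);
    return found;
}

/* Fixed form: after the advance the separator is p[0] and the value starts
   at p[1]; no index ever passes the terminator.  Returns 1 on a value. */
int fixed_parse(const char *s, char *val, size_t valsz, size_t *overrun)
{
    struct scan sc = { s, strlen(s) + 1, 0 };
    size_t p = name_len(&sc, 0), i = 0;
    if (at(&sc, p) == '=')
        for (p++; at(&sc, p) != '\0' && i + 1 < valsz; p++, i++)
            val[i] = sc.s[p];
    val[i] = '\0';
    *overrun = overrun_of(&sc);
    return i > 0;
}
```

For the reporter's own input, glibc.malloc.check=1, the buggy form probes 16 bytes past the terminator and never sees the '=', which is exactly the kind of read valgrind reports as a conditional on an uninitialised value.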
Comment 3 Andreas Schwab 2021-08-23 13:33:09 UTC
Fixed in 2.35.