Bug 685 - NPTL causes random application crashes
Summary: NPTL causes random application crashes
Status: RESOLVED WORKSFORME
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.3.2
Importance: P1 critical
Target Milestone: ---
Assignee: GOTO Masanori
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-20 05:59 UTC by David Mosberger-Tang
Modified: 2019-04-10 09:13 UTC

See Also:
Host: ia64-linux
Target: ia64-linux
Build: ia64-linux
Last reconfirmed:
fweimer: security-


Description David Mosberger-Tang 2005-01-20 05:59:46 UTC
Several of us noticed that evolution on Debian/unstable sometimes crashes early
during program startup.  It turns out that the crash is due to memory
corruption.  In one particular case, the memory that got corrupted was in the
address range:

 0x2000000002daff10-0x2000000002daff1f

which happened to hold the function descriptors for shared library linkage stubs
("jump slots").  Of relevance was that the thread-pointer (r13) had the value:

 0x2000000002db0500

The corruption was caused by any NPTL routine trying to access the
thread-descriptor, since NPTL uses a "struct pthread" of size 1680 bytes (0x690).

I believe the problem is due to the fact that /lib/ld-linux-ia64.so.2 was built
for Linux Threads, which uses a thread descriptor size of 0x500.  Note that
sysdeps/generic/dl-tls.c has several references to TLS_PRE_TCB_SIZE for the case
where TLS_DTV_AT_TP is defined.  In other words, ld.so ends up having a
dependency on the size of the thread-descriptor.  Sure enough, if I invoke
evolution like this:

  /lib/tls/ld-linux-ia64.so.2 evolution

it works just fine.

My understanding is that /lib/ld-linux-ia64.so.2 should work for both NPTL and
LinuxThreads libraries and the dependency on the size of the thread-descriptor
is accidental.

I believe this same bug may affect Alpha, PowerPC, and SH.

For Alpha, I found this bug report, which sounds potentially related:

  http://sources.redhat.com/bugzilla/show_bug.cgi?id=299
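Added worked check (not part of the bug report or of glibc): given the thread pointer and corrupted range quoted above, and assuming the TLS_DTV_AT_TP layout in which struct pthread occupies the TLS_PRE_TCB_SIZE bytes immediately below the thread pointer, it computes the bytes NPTL's larger descriptor uses but a LinuxThreads-sized ld.so never reserved, and tests whether the corruption lands there.

```python
# Added example, not code from the report. Models the TLS_DTV_AT_TP layout
# (assumed: struct pthread lies in [tp - TLS_PRE_TCB_SIZE, tp)) and checks
# whether the corrupted addresses fall inside the bytes that NPTL's 0x690-byte
# struct pthread writes but a ld.so built with a 0x500-byte TCB did not reserve.

TP = 0x2000000002DB0500            # r13, thread pointer from the report
LINUXTHREADS_TCB = 0x500           # TLS_PRE_TCB_SIZE compiled into ld.so
NPTL_TCB = 0x690                   # sizeof(struct pthread) = 1680 in NPTL
CORRUPTED = (0x2000000002DAFF10, 0x2000000002DAFF1F)   # inclusive, from report


def tcb_range(tp, pre_tcb_size):
    """Half-open [start, end) of struct pthread under the assumed layout."""
    return tp - pre_tcb_size, tp


def unreserved_overrun(tp, reserved_size, used_size):
    """Bytes the running libpthread touches below what ld.so reserved.

    Returns [tp - used_size, tp - reserved_size), or None if no mismatch.
    """
    if used_size <= reserved_size:
        return None
    return tp - used_size, tp - reserved_size


def range_within(inner, outer):
    """True if inclusive range `inner` lies inside half-open range `outer`."""
    lo, hi = inner
    start, end = outer
    return start <= lo and hi < end


def diagnose(tp, reserved_size, used_size, corrupted):
    """Explain a corrupted range in terms of the descriptor size mismatch."""
    gap = unreserved_overrun(tp, reserved_size, used_size)
    if gap is None:
        return "no size mismatch"
    if not range_within(corrupted, gap):
        return "corruption outside unreserved region"
    offset = corrupted[0] - tcb_range(tp, used_size)[0]
    return f"corruption at struct pthread offset 0x{offset:x} in unreserved bytes"


if __name__ == "__main__":
    print(diagnose(TP, LINUXTHREADS_TCB, NPTL_TCB, CORRUPTED))
```

With the report's values the corrupted range sits 0xf0 bytes below the LinuxThreads-sized descriptor, inside the 0x190 bytes NPTL assumes, which is consistent with the reporter's explanation.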
Comment 1 Ulrich Drepper 2005-09-25 21:10:46 UTC
If this is a real problem and related to LinuxThreads, it should be fixed now
that LinuxThreads is not available anymore.  Otherwise the report is useless
since it does not provide enough information.  If there are problems file a new
report with all the necessary information including backtraces etc.