Bug 719 - dlfcn/tststatic writes past end of dtv array
Summary: dlfcn/tststatic writes past end of dtv array
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: nptl
Version: 2.3.4
Importance: P2 normal
Target Milestone: ---
Assignee: Roland McGrath
URL:
Keywords:
Depends on:
Blocks: libc235
Reported: 2005-02-14 12:25 UTC by Alan Modra
Modified: 2005-02-22 03:52 UTC (History)

See Also:
Host: powerpc64-linux
Target:
Build:
Last reconfirmed: 2005-02-18 00:44:27


Attachments
(_dl_nothread_init_static_tls): Assert that dtv array index is within bounds. (587 bytes, patch)
2005-02-14 12:26 UTC, Alan Modra

Description Alan Modra 2005-02-14 12:25:14 UTC
The static_dtv array used by __libc_setup_tls has only enough room for one dtv.

thread pointer
(gdb) p/x $r13
$1 = 0x100a46a0

tcb
(gdb) p/x *(long *)($r13 - 0x7000 - 8)
$2 = 0x1009a8a8

dtv, including 2 reserved elements.
(gdb) p/x *(long *)(0x1009a8a8 - 16)@6
$3 = {0x1, 0x0, 0x0, 0x0, 0x1009d6a0, 0x100000000000000}

tststatic loads modstatic.so, which depends on libc.so.6, which has a PT_TLS
segment.  libc.so gets a tls_modid of 2, and the dtv array isn't extended before
_dl_nothread_init_static_tls is called.

Breakpoint 3, _dl_nothread_init_static_tls (map=0x1009ef90) at dl-reloc.c:128
(gdb) p/x $r13
$8 = 0x100a46a0
(gdb) p/x *(long *)($r13 - 0x7000 - 8)
$9 = 0x1009a8a8
(gdb) p/x *(long *)(0x1009a8a8 - 16)@6
$10 = {0x1, 0x0, 0x0, 0x0, 0x1009d6a0, 0x100000000000000}
(gdb) p map->l_name
$11 = 0x1009ef70 "../libc.so.6"
(gdb) p map->l_tls_modid
$12 = 2

This results in the test failing due to other static vars being trashed.  The
attached patch should make the failure a bit more obvious.
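The failure mode in the description comes down to a length-prefixed array being indexed by a module id that nobody checked against the length. The following C model is an added example, not glibc code: it reproduces the dtv layout the gdb dump shows (dtv[-1] holding the usable length, dtv[0] the generation, module slots from dtv[1]) and the bounds check the attached patch asserts, and replays the constructed scenario of modid 2 arriving when the static dtv declares a single slot. The names (dtv_setup, dtv_set_static, load_libc_into_dtv) and the slotinfo capacity of 64 are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* dtv_t modelled on glibc's layout: a counter in dtv[-1], or a
   pointer/is_static pair in the module slots.  Not copied from glibc. */
typedef union {
  size_t counter;
  struct { void *val; bool is_static; } pointer;
} dtv_t;

/* Two reserved leading elements: dtv[-1] holds the usable length, dtv[0]
   holds the generation counter.  Module slots start at dtv[1]. */
#define DTV_RESERVED 2

/* Hypothetical slotinfo capacity; the fix sizes static_dtv to match it. */
#define SLOTINFO_CAPACITY 64

/* Room the report observed in the buggy static_dtv: one module slot. */
#define BUGGY_CAPACITY 1

struct static_tls {
  dtv_t storage[DTV_RESERVED + SLOTINFO_CAPACITY];
  dtv_t *dtv;   /* points at storage[1], so dtv[-1] is the length word */
};

/* Set up a dtv that declares `slots` usable module entries.  Refuses a
   declared length larger than the backing storage. */
static int dtv_setup(struct static_tls *t, size_t slots) {
  if (slots > SLOTINFO_CAPACITY)
    return -1;
  memset(t->storage, 0, sizeof t->storage);
  t->dtv = &t->storage[1];
  t->dtv[-1].counter = slots;   /* length, as in the gdb dump (0x1) */
  t->dtv[0].counter = 0;        /* generation */
  return 0;
}

static size_t dtv_length(const dtv_t *dtv) { return dtv[-1].counter; }

/* Record a module's static TLS block in its dtv slot.  The bounds check is
   the one the attached patch asserts; here it returns -1 rather than
   aborting, so the caller can refuse the module instead of corrupting
   whatever follows the array. */
static int dtv_set_static(dtv_t *dtv, size_t modid, void *block) {
  if (modid == 0 || modid > dtv_length(dtv))
    return -1;
  dtv[modid].pointer.val = block;
  dtv[modid].pointer.is_static = true;
  return 0;
}

/* Constructed replay of the report: the executable's own TLS takes modid 1,
   then libc.so.6 (pulled in by modstatic.so) arrives as modid 2.
   Returns 0 when both fit, -1 when modid 2 is out of bounds. */
int load_libc_into_dtv(size_t declared_slots) {
  struct static_tls t;
  static char exe_tls[32];    /* stand-in for the executable's TLS block */
  static char libc_tls[64];   /* stand-in for libc.so.6's TLS block */
  if (dtv_setup(&t, declared_slots) != 0)
    return -2;
  if (dtv_set_static(t.dtv, 1, exe_tls) != 0)
    return -3;
  return dtv_set_static(t.dtv, 2, libc_tls);
}

int main(void) {
  printf("buggy sizing (%d slot):  %d\n", BUGGY_CAPACITY,
         load_libc_into_dtv(BUGGY_CAPACITY));
  printf("fixed sizing (%d slots): %d\n", SLOTINFO_CAPACITY,
         load_libc_into_dtv(SLOTINFO_CAPACITY));
  return 0;
}
```

With the buggy one-slot length the second module is rejected at the check instead of landing past the end of the array; with the dtv sized like the slotinfo array, as the committed fix does, both modules fit. The point worth keeping from the report is that the length word in dtv[-1] only protects anything if every writer consults it.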
Comment 1 Alan Modra 2005-02-14 12:26:46 UTC
Created attachment 407 [details]
(_dl_nothread_init_static_tls): Assert that dtv array index is within bounds.
Comment 2 Alan Modra 2005-02-15 12:32:32 UTC
glibc-2_3-branch has the same problem, as do targets other than powerpc64-linux.
Comment 3 Ulrich Drepper 2005-02-22 03:52:40 UTC
I checked in a patch.  It consists simply of failing to load modules with TLS
right away.  This never worked, the dtv handling isn't up to this.  None of the
nss or iconv modules we ship uses TLS, so this is no problem at all.
Comment 4 Sourceware Commits 2005-02-26 01:09:57 UTC
Subject: Bug 719

CVSROOT:	/cvs/glibc
Module name:	libc
Branch: 	glibc-2_3-branch
Changes by:	roland@sources.redhat.com	2005-02-26 01:09:45

Modified files:
	sysdeps/generic: libc-tls.c 

Log message:
	2005-02-22  Ulrich Drepper  <drepper@redhat.com>
	
	[BZ #719]
	* sysdeps/generic/libc-tls.c (static_dtv): Size the same as the
	slotinfo array.
	(__libc_setup_tls): Initialize length of DTV based on array length.
	* elf/dl-load.c: Revert last change.
	* sysdeps/generic/dl-tls.c: Revert last change.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sysdeps/generic/libc-tls.c.diff?cvsroot=glibc&only_with_tag=glibc-2_3-branch&r1=1.23&r2=1.23.4.1

Comment 5 Sourceware Commits 2005-02-26 01:09:58 UTC
Subject: Bug 719

CVSROOT:	/cvs/glibc
Module name:	libc
Branch: 	glibc-2_3-branch
Changes by:	roland@sources.redhat.com	2005-02-26 01:09:48

Modified files:
	elf            : dl-reloc.c 

Log message:
	2005-02-21  Alan Modra <amodra@bigpond.net.au>
	
	[BZ #719]
	* elf/dl-reloc.c (_dl_nothread_init_static_tls): Assert that dtv
	array index is within bounds.
	2005-02-21  Ulrich Drepper  <drepper@redhat.com>
	
	[BZ #719]
	* elf/dl-reloc.c (_dl_nothread_init_static_tls): Avoid using
	THREAD_DTV multiple times, this minimally reduces code size on
	some archs.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/elf/dl-reloc.c.diff?cvsroot=glibc&only_with_tag=glibc-2_3-branch&r1=1.96&r2=1.96.4.1