]> sourceware.org Git - glibc.git/commitdiff
git://sourceware.org / glibc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c489c35)
elf: Refactor _dl_update_slotinfo to avoid use after free
authorSzabolcs Nagy <szabolcs.nagy@arm.com>
Wed, 30 Dec 2020 21:52:38 +0000 (21:52 +0000)
committerSzabolcs Nagy <szabolcs.nagy@arm.com>
Thu, 15 Apr 2021 08:30:43 +0000 (09:30 +0100)
map is not valid to access here because it can be freed by a concurrent
dlclose: during tls access (via __tls_get_addr) _dl_update_slotinfo is
called without holding dlopen locks. So don't check the modid of map.

The map == 0 and map != 0 code paths can be shared (avoiding the dtv
resize in case of map == 0 is just an optimization: larger dtv than
necessary would be fine too).

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
elf/dl-tls.c patch | blob | blame | history

diff --git a/elf/dl-tls.c b/elf/dl-tls.c
index 24d00c14ef0ee316347827f8bb9bbaf7a3b85bad..f8b32b3ecbd19e6f0cda6780df3c3e0b9381c877 100644 (file)
--- a/elf/dl-tls.c
+++ b/elf/dl-tls.c
@@ -743,6 +743,8 @@ _dl_update_slotinfo (unsigned long int req_modid)
        {
          for (size_t cnt = total == 0 ? 1 : 0; cnt < listp->len; ++cnt)
            {
+             size_t modid = total + cnt;
+
              size_t gen = listp->slotinfo[cnt].gen;
 
              if (gen > new_gen)
@@ -758,25 +760,12 @@ _dl_update_slotinfo (unsigned long int req_modid)
 
              /* If there is no map this means the entry is empty.  */
              struct link_map *map = listp->slotinfo[cnt].map;
-             if (map == NULL)
-               {
-                 if (dtv[-1].counter >= total + cnt)
-                   {
-                     /* If this modid was used at some point the memory
-                        might still be allocated.  */
-                     free (dtv[total + cnt].pointer.to_free);
-                     dtv[total + cnt].pointer.val = TLS_DTV_UNALLOCATED;
-                     dtv[total + cnt].pointer.to_free = NULL;
-                   }
-
-                 continue;
-               }
-
              /* Check whether the current dtv array is large enough.  */
-             size_t modid = map->l_tls_modid;
-             assert (total + cnt == modid);
              if (dtv[-1].counter < modid)
                {
+                 if (map == NULL)
+                   continue;
+
                  /* Resize the dtv.  */
                  dtv = _dl_resize_dtv (dtv);
 
GNU C Library master sources
This page took 0.04165 seconds and 5 git commands to generate.