[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
lib/48324: ld.elf_so - tty.c memcpy overwrites tcb for tls variant 2
>Synopsis: ld.elf_so - tty.c memcpy overwrites tcb for tls variant 2
>Arrival-Date: Fri Oct 18 23:05:00 +0000 2013
>Originator: Nat Sloss
>Release: NetBSD 6.1.1
NetBSD test 6.1.1_PATCH NetBSD 6.1.1_PATCH (HPMICROSERVER) #1: Fri Sep 27
19:34:11 EST 2013 build@test:/usr/src/sys/arch/i386/compile/obj/HPMICROSERVER
Hi Ive found that the package I'm building calligra which has an indirect
dependency on libmpfr (whch is built with TLS support) hangs whilst loading.
Upon further investigation I've found that the tlsinit block over writes the
tcb for TLS variant 2. TLS variant 1 is ok because tlsinit is copied to memory
above the tcb.
From what I've read so far the tls images are copied to memory below the tcb
but I don't think the should overwrite the tcb.
Try loading a programme that uses libmpfr TLS enabled on a machine with TLS
variant 2 and it should crash or hang.
From what I've read the memory layout for TLS variant 2 should be:
image 2, image 1, tlsinit, tcb.
So the fix would be to apply this patch:
RCS file: /cvsroot/src/libexec/ld.elf_so/tls.c,v
retrieving revision 1.7
diff -u -r1.7 tls.c
--- src/libexec/ld.elf_so/tls.c 23 Apr 2011 16:40:08 -0000 1.7
+++ src/libexec/ld.elf_so/tls.c 18 Oct 2013 05:08:26 -0000
@@ -142,7 +142,7 @@
q = p + obj->tlsoffset;
- q = p - obj->tlsoffset;
+ q = p - obj->tlsoffset - obj->tlsinitsize;
memcpy(q, obj->tlsinit, obj->tlsinitsize);
tcb->tcb_dtv[obj->tlsindex] = q;
then the image would be before the tcb and would not overwrite it.
I've tested this in gdb and it works well.
I was just wondering if implementing this change to ld.elf_so whether I'd have
to rebuild the system/packages or only ld.elf_so.
Main Index |
Thread Index |