NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

lib/48324: ld.elf_so - tty.c memcpy overwrites tcb for tls variant 2

>Number:         48324
>Category:       lib
>Synopsis:       ld.elf_so - tty.c memcpy overwrites tcb for tls variant 2
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Oct 18 23:05:00 +0000 2013
>Originator:     Nat Sloss
>Release:        NetBSD 6.1.1
NetBSD test 6.1.1_PATCH NetBSD 6.1.1_PATCH (HPMICROSERVER) #1: Fri Sep 27 
19:34:11 EST 2013  build@test:/usr/src/sys/arch/i386/compile/obj/HPMICROSERVER 
Hi Ive found that the package I'm building calligra which has an indirect 
dependency on libmpfr (whch is built with TLS support) hangs whilst loading.

Upon further investigation I've found that the tlsinit block over writes the 
tcb for TLS variant 2.  TLS variant 1 is ok because tlsinit is copied to memory 
above the tcb.

From what I've read so far the tls images are copied to memory below the tcb 
but I don't think the should overwrite the tcb.
Try loading a programme that uses libmpfr TLS enabled on a machine with TLS 
variant 2 and it should crash or hang.
From what I've read the memory layout for TLS variant 2 should be:
image 2, image 1, tlsinit, tcb.

So the fix would be to apply this patch:

Index: src/libexec/ld.elf_so/tls.c
RCS file: /cvsroot/src/libexec/ld.elf_so/tls.c,v
retrieving revision 1.7
diff -u -r1.7 tls.c
--- src/libexec/ld.elf_so/tls.c 23 Apr 2011 16:40:08 -0000      1.7
+++ src/libexec/ld.elf_so/tls.c 18 Oct 2013 05:08:26 -0000
@@ -142,7 +142,7 @@
                        q = p + obj->tlsoffset;
-                       q = p - obj->tlsoffset;
+                       q = p - obj->tlsoffset - obj->tlsinitsize;
                        memcpy(q, obj->tlsinit, obj->tlsinitsize);
                        tcb->tcb_dtv[obj->tlsindex] = q;

then the image would be before the tcb and would not overwrite it.

I've tested this in gdb and it works well.

I was just wondering if implementing this change to ld.elf_so whether I'd have 
to rebuild the system/packages or only ld.elf_so.



Home | Main Index | Thread Index | Old Index