lib/48324: ld.elf_so - tty.c memcpy overwrites tcb for tls variant 2

To: lib-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: lib/48324: ld.elf_so - tty.c memcpy overwrites tcb for tls variant 2
From: nathanialsloss%yahoo.com.au@localhost
Date: Fri, 18 Oct 2013 23:05:00 +0000 (UTC)

>Number:         48324
>Category:       lib
>Synopsis:       ld.elf_so - tty.c memcpy overwrites tcb for tls variant 2
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Oct 18 23:05:00 +0000 2013
>Originator:     Nat Sloss
>Release:        NetBSD 6.1.1
>Organization:
>Environment:
NetBSD test 6.1.1_PATCH NetBSD 6.1.1_PATCH (HPMICROSERVER) #1: Fri Sep 27 
19:34:11 EST 2013  build@test:/usr/src/sys/arch/i386/compile/obj/HPMICROSERVER 
i386
>Description:
Hi Ive found that the package I'm building calligra which has an indirect 
dependency on libmpfr (whch is built with TLS support) hangs whilst loading.

Upon further investigation I've found that the tlsinit block over writes the 
tcb for TLS variant 2.  TLS variant 1 is ok because tlsinit is copied to memory 
above the tcb.

From what I've read so far the tls images are copied to memory below the tcb 
but I don't think the should overwrite the tcb.
>How-To-Repeat:
Try loading a programme that uses libmpfr TLS enabled on a machine with TLS 
variant 2 and it should crash or hang.
>Fix:
From what I've read the memory layout for TLS variant 2 should be:
image 2, image 1, tlsinit, tcb.

So the fix would be to apply this patch:

Index: src/libexec/ld.elf_so/tls.c
===================================================================
RCS file: /cvsroot/src/libexec/ld.elf_so/tls.c,v
retrieving revision 1.7
diff -u -r1.7 tls.c
--- src/libexec/ld.elf_so/tls.c 23 Apr 2011 16:40:08 -0000      1.7
+++ src/libexec/ld.elf_so/tls.c 18 Oct 2013 05:08:26 -0000
@@ -142,7 +142,7 @@
 #ifdef __HAVE_TLS_VARIANT_I
                        q = p + obj->tlsoffset;
 #else
-                       q = p - obj->tlsoffset;
+                       q = p - obj->tlsoffset - obj->tlsinitsize;
 #endif
                        memcpy(q, obj->tlsinit, obj->tlsinitsize);
                        tcb->tcb_dtv[obj->tlsindex] = q;

then the image would be before the tcb and would not overwrite it.

I've tested this in gdb and it works well.

I was just wondering if implementing this change to ld.elf_so whether I'd have 
to rebuild the system/packages or only ld.elf_so.

Regards,

Nat.

Follow-Ups:
- Re: lib/48324: ld.elf_so - tty.c memcpy overwrites tcb for tls variant 2
  - From: Nick Hudson

Prev by Date: NetBSD Nightly Trouble Ticket Report
Next by Date: Re: kern/11018 (VIA VT83C572 UHCI USB controller does not work)
Previous by Thread: port-arm/48322: shark eabi userland fails
Next by Thread: Re: lib/48324: ld.elf_so - tty.c memcpy overwrites tcb for tls variant 2
Indexes:

Home | Main Index | Thread Index | Old Index