bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data
From: zh_jq%outlook.com@localhost
Date: Mon, 23 Jul 2018 14:55:00 +0000 (UTC)

>Number:         53465
>Category:       bin
>Synopsis:       ld.elf_so crashes when memcpy obj->tlsinit data
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jul 23 14:55:00 +0000 2018
>Originator:     Zhang Jingqiang
>Release:        8.0
>Organization:
>Environment:
NetBSD localhost 8.0 NetBSD 8.0 (GENERIC) #0: Tue Jul 17 14:59:51 UTC 2018  mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
When run my program, which has the following TLS elf header section:
--
TLS off    0x000000000007de60 vaddr 0x000000000027de60 paddr 0x000000000027de60 align 2**4
    filesz 0x0000000000000058 memsz 0x0000000000000388 flags r--
--
Then I got the following backtrace:
--
Program received signal SIGSEGV, Segmentation fault.
0x00007f7f9d60b994 in memcpy () from /usr/libexec/ld.elf_so
(gdb) bt
#0  0x00007f7f9d60b994 in memcpy () from /usr/libexec/ld.elf_so
#1  0x00007f7f9d60a0ff in __memcpy_ichk (len=<optimized out>, src=<optimized out>, dst=<optimized out>)
    at /usr/include/ssp/string.h:82
#2  _rtld_tls_allocate_locked () at /usr/src/libexec/ld.elf_so/tls.c:146
#3  0x00007f7f9d60a147 in _rtld_tls_initial_allocation () at /usr/src/libexec/ld.elf_so/tls.c:106
#4  0x00007f7f9d603000 in _rtld (sp=<optimized out>, relocbase=<optimized out>) at /usr/src/libexec/ld.elf_so/rtld.c:708
#5  0x00007f7f9d6007a3 in .rtld_start () from /usr/libexec/ld.elf_so
#6  0x00007f7fff28cfe0 in ?? ()
#7  0x0000000000000000 in ?? ()
--
then I set frame to #2, and got related values:
--
(gdb) print tcb
$23 = (struct tls_tcb *) 0x7118148c3c00
(gdb) print p
$24 = (__uint8_t *) 0x7118148c3c00 ""
(gdb) print obj->tlsoffset
$25 = 912
(gdb) print obj->tlsinitsize
$26 = 88
(gdb) print obj->tlsinit
$27 = (void *) 0x27de60
--
It seems that q has enough space (912 bytes) for tlsinit data (88 bytes)
So this may be an align problem ?
>How-To-Repeat:
I didn't get a light version of the c file to reproduce the problem.
Sorry for not being able to submit the original file.
>Fix:

Prev by Date: Re: port-amd64/53464: pkgin: vte-0.38.4nb2 has no associated repository
Next by Date: Re: bin/53463: ping responds late to SIGINT
Previous by Thread: port-amd64/53464: pkgin: vte-0.38.4nb2 has no associated repository
Next by Thread: Re: bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data
Indexes:

Home | Main Index | Thread Index | Old Index