Fix TLS corruption during dlopen()/dlclose() sequences (RHEL-17468)
Resolves: RHEL-17468
This commit is contained in:
parent
02cfe04e36
commit
2a2d048539
47
glibc-RHEL-17468-1.patch
Normal file
47
glibc-RHEL-17468-1.patch
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
commit 3921c5b40f293c57cb326f58713c924b0662ef59
|
||||||
|
Author: Hector Martin <marcan@marcan.st>
|
||||||
|
Date: Tue Nov 28 15:23:07 2023 +0900
|
||||||
|
|
||||||
|
elf: Fix TLS modid reuse generation assignment (BZ 29039)
|
||||||
|
|
||||||
|
_dl_assign_tls_modid() assigns a slotinfo entry for a new module, but
|
||||||
|
does *not* do anything to the generation counter. The first time this
|
||||||
|
happens, the generation is zero and map_generation() returns the current
|
||||||
|
generation to be used during relocation processing. However, if
|
||||||
|
a slotinfo entry is later reused, it will already have a generation
|
||||||
|
assigned. If this generation has fallen behind the current global max
|
||||||
|
generation, then this causes an obsolete generation to be assigned
|
||||||
|
during relocation processing, as map_generation() returns this
|
||||||
|
generation if nonzero. _dl_add_to_slotinfo() eventually resets the
|
||||||
|
generation, but by then it is too late. This causes DTV updates to be
|
||||||
|
skipped, leading to NULL or broken TLS slot pointers and segfaults.
|
||||||
|
|
||||||
|
Fix this by resetting the generation to zero in _dl_assign_tls_modid(),
|
||||||
|
so it behaves the same as the first time a slot is assigned.
|
||||||
|
_dl_add_to_slotinfo() will still assign the correct static generation
|
||||||
|
later during module load, but relocation processing will no longer use
|
||||||
|
an obsolete generation.
|
||||||
|
|
||||||
|
Note that slotinfo entry (aka modid) reuse typically happens after a
|
||||||
|
dlclose and only TLS access via dynamic tlsdesc is affected. Because
|
||||||
|
tlsdesc is optimized to use the optional part of static TLS, dynamic
|
||||||
|
tlsdesc can be avoided by increasing the glibc.rtld.optional_static_tls
|
||||||
|
tunable to a large enough value, or by LD_PRELOAD-ing the affected
|
||||||
|
modules.
|
||||||
|
|
||||||
|
Fixes bug 29039.
|
||||||
|
|
||||||
|
Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
|
||||||
|
|
||||||
|
diff --git a/elf/dl-tls.c b/elf/dl-tls.c
|
||||||
|
index a21276732968d88b..c8104078b2aa0aa2 100644
|
||||||
|
--- a/elf/dl-tls.c
|
||||||
|
+++ b/elf/dl-tls.c
|
||||||
|
@@ -156,6 +156,7 @@ _dl_assign_tls_modid (struct link_map *l)
|
||||||
|
{
|
||||||
|
/* Mark the entry as used, so any dependency see it. */
|
||||||
|
atomic_store_relaxed (&runp->slotinfo[result - disp].map, l);
|
||||||
|
+ atomic_store_relaxed (&runp->slotinfo[result - disp].gen, 0);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
198
glibc-RHEL-17468-2.patch
Normal file
198
glibc-RHEL-17468-2.patch
Normal file
@ -0,0 +1,198 @@
|
|||||||
|
commit 980450f12685326729d63ff72e93a996113bf073
|
||||||
|
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
|
||||||
|
Date: Wed Nov 29 11:31:37 2023 +0000
|
||||||
|
|
||||||
|
elf: Add TLS modid reuse test for bug 29039
|
||||||
|
|
||||||
|
This is a minimal regression test for bug 29039 which only affects
|
||||||
|
targets with TLSDESC and a reproducer requires that
|
||||||
|
|
||||||
|
1) Have modid gaps (closed modules) with old generation.
|
||||||
|
2) Update a DTV to a newer generation (needs a newer dlopen).
|
||||||
|
3) But do not update the closed gap entry in that DTV.
|
||||||
|
4) Reuse the modid gap for a new module (another dlopen).
|
||||||
|
5) Use dynamic TLSDESC in that new module with old generation (bug).
|
||||||
|
6) Access TLS via this TLSDESC and the now outdated DTV.
|
||||||
|
|
||||||
|
However step (3) in practice rarely happens: during DTV update the
|
||||||
|
entries for closed modids are initialized to "unallocated" and then
|
||||||
|
dynamic TLSDESC calls __tls_get_addr independently of its generation.
|
||||||
|
The only exception to this is DTV setup at thread creation (gaps are
|
||||||
|
initialized to NULL instead of unallocated) or DTV resize where the
|
||||||
|
gap entries are outside the previous DTV array (again NULL instead
|
||||||
|
of unallocated, and this requires loading > DTV_SURPLUS modules).
|
||||||
|
|
||||||
|
So the bug can only cause NULL (+ offset) dereference, not use after
|
||||||
|
free. And the easiest way to get (3) is via thread creation.
|
||||||
|
|
||||||
|
Note that step (5) requires that the newly loaded module has larger
|
||||||
|
TLS than the remaining optional static TLS. And for (6) there cannot
|
||||||
|
be other TLS access or dlopen in the thread that updates the DTV.
|
||||||
|
|
||||||
|
Tested on aarch64-linux-gnu.
|
||||||
|
|
||||||
|
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
|
||||||
|
|
||||||
|
Conflicts:
|
||||||
|
elf/Makefile
|
||||||
|
(Add $(libdl), Resolve test case ordering conflict.)
|
||||||
|
|
||||||
|
diff --git a/elf/Makefile b/elf/Makefile
|
||||||
|
index ebf46a297d241d8f..b8fdee7c0d37137e 100644
|
||||||
|
--- a/elf/Makefile
|
||||||
|
+++ b/elf/Makefile
|
||||||
|
@@ -416,6 +416,7 @@ tests += \
|
||||||
|
tst-tls-ie \
|
||||||
|
tst-tls-ie-dlmopen \
|
||||||
|
tst-tls-manydynamic \
|
||||||
|
+ tst-tlsgap \
|
||||||
|
tst-unique1 \
|
||||||
|
tst-unique2 \
|
||||||
|
unload3 \
|
||||||
|
@@ -759,6 +760,9 @@ modules-names = \
|
||||||
|
tst-tls20mod-bad \
|
||||||
|
tst-tls21mod \
|
||||||
|
tst-tlsalign-lib \
|
||||||
|
+ tst-tlsgap-mod0 \
|
||||||
|
+ tst-tlsgap-mod1 \
|
||||||
|
+ tst-tlsgap-mod2 \
|
||||||
|
tst-tls-ie-mod0 \
|
||||||
|
tst-tls-ie-mod1 \
|
||||||
|
tst-tls-ie-mod2 \
|
||||||
|
@@ -2731,3 +2735,14 @@ $(objpfx)tst-nodeps2-mod.so: $(common-objpfx)libc.so \
|
||||||
|
$(objpfx)tst-nodeps2: $(libdl)
|
||||||
|
$(objpfx)tst-nodeps2.out: \
|
||||||
|
$(objpfx)tst-nodeps1-mod.so $(objpfx)tst-nodeps2-mod.so
|
||||||
|
+
|
||||||
|
+$(objpfx)tst-tlsgap: $(libdl) $(shared-thread-library)
|
||||||
|
+$(objpfx)tst-tlsgap.out: \
|
||||||
|
+ $(objpfx)tst-tlsgap-mod0.so \
|
||||||
|
+ $(objpfx)tst-tlsgap-mod1.so \
|
||||||
|
+ $(objpfx)tst-tlsgap-mod2.so
|
||||||
|
+ifeq (yes,$(have-mtls-dialect-gnu2))
|
||||||
|
+CFLAGS-tst-tlsgap-mod0.c += -mtls-dialect=gnu2
|
||||||
|
+CFLAGS-tst-tlsgap-mod1.c += -mtls-dialect=gnu2
|
||||||
|
+CFLAGS-tst-tlsgap-mod2.c += -mtls-dialect=gnu2
|
||||||
|
+endif
|
||||||
|
diff --git a/elf/tst-tlsgap-mod0.c b/elf/tst-tlsgap-mod0.c
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000000000..1478b0beac5faf98
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/elf/tst-tlsgap-mod0.c
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+int __thread tls0;
|
||||||
|
+int *f0(void) { return &tls0; }
|
||||||
|
diff --git a/elf/tst-tlsgap-mod1.c b/elf/tst-tlsgap-mod1.c
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000000000..b10fc3702c43e478
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/elf/tst-tlsgap-mod1.c
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+int __thread tls1[100]; /* Size > glibc.rtld.optional_static_tls / 2. */
|
||||||
|
+int *f1(void) { return tls1; }
|
||||||
|
diff --git a/elf/tst-tlsgap-mod2.c b/elf/tst-tlsgap-mod2.c
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000000000..166c27d7f3fac252
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/elf/tst-tlsgap-mod2.c
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+int __thread tls2;
|
||||||
|
+int *f2(void) { return &tls2; }
|
||||||
|
diff --git a/elf/tst-tlsgap.c b/elf/tst-tlsgap.c
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000000000..49328850769c5609
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/elf/tst-tlsgap.c
|
||||||
|
@@ -0,0 +1,92 @@
|
||||||
|
+/* TLS modid gap reuse regression test for bug 29039.
|
||||||
|
+ Copyright (C) 2023 Free Software Foundation, Inc.
|
||||||
|
+ This file is part of the GNU C Library.
|
||||||
|
+
|
||||||
|
+ The GNU C Library is free software; you can redistribute it and/or
|
||||||
|
+ modify it under the terms of the GNU Lesser General Public
|
||||||
|
+ License as published by the Free Software Foundation; either
|
||||||
|
+ version 2.1 of the License, or (at your option) any later version.
|
||||||
|
+
|
||||||
|
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||||
|
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
+ Lesser General Public License for more details.
|
||||||
|
+
|
||||||
|
+ You should have received a copy of the GNU Lesser General Public
|
||||||
|
+ License along with the GNU C Library; if not, see
|
||||||
|
+ <http://www.gnu.org/licenses/>. */
|
||||||
|
+
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <dlfcn.h>
|
||||||
|
+#include <pthread.h>
|
||||||
|
+#include <support/xdlfcn.h>
|
||||||
|
+#include <support/xthread.h>
|
||||||
|
+#include <support/check.h>
|
||||||
|
+
|
||||||
|
+static void *mod[3];
|
||||||
|
+#define MOD(i) "tst-tlsgap-mod" #i ".so"
|
||||||
|
+static const char *modname[3] = { MOD(0), MOD(1), MOD(2) };
|
||||||
|
+#undef MOD
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+open_mod (int i)
|
||||||
|
+{
|
||||||
|
+ mod[i] = xdlopen (modname[i], RTLD_LAZY);
|
||||||
|
+ printf ("open %s\n", modname[i]);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+close_mod (int i)
|
||||||
|
+{
|
||||||
|
+ xdlclose (mod[i]);
|
||||||
|
+ mod[i] = NULL;
|
||||||
|
+ printf ("close %s\n", modname[i]);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+access_mod (int i, const char *sym)
|
||||||
|
+{
|
||||||
|
+ int *(*f) (void) = xdlsym (mod[i], sym);
|
||||||
|
+ int *p = f ();
|
||||||
|
+ printf ("access %s: %s() = %p\n", modname[i], sym, p);
|
||||||
|
+ TEST_VERIFY_EXIT (p != NULL);
|
||||||
|
+ ++*p;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void *
|
||||||
|
+start (void *arg)
|
||||||
|
+{
|
||||||
|
+ /* The DTV generation is at the last dlopen of mod0 and the
|
||||||
|
+ entry for mod1 is NULL. */
|
||||||
|
+
|
||||||
|
+ open_mod (1); /* Reuse modid of mod1. Uses dynamic TLS. */
|
||||||
|
+
|
||||||
|
+ /* DTV is unchanged: dlopen only updates the DTV to the latest
|
||||||
|
+ generation if static TLS is allocated for a loaded module.
|
||||||
|
+
|
||||||
|
+ With bug 29039, the TLSDESC relocation in mod1 uses the old
|
||||||
|
+ dlclose generation of mod1 instead of the new dlopen one so
|
||||||
|
+ DTV is not updated on TLS access. */
|
||||||
|
+
|
||||||
|
+ access_mod (1, "f1");
|
||||||
|
+
|
||||||
|
+ return arg;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+do_test (void)
|
||||||
|
+{
|
||||||
|
+ open_mod (0);
|
||||||
|
+ open_mod (1);
|
||||||
|
+ open_mod (2);
|
||||||
|
+ close_mod (0);
|
||||||
|
+ close_mod (1); /* Create modid gap at mod1. */
|
||||||
|
+ open_mod (0); /* Reuse modid of mod0, bump generation count. */
|
||||||
|
+
|
||||||
|
+ /* Create a thread where DTV of mod1 is NULL. */
|
||||||
|
+ pthread_t t = xpthread_create (NULL, start, NULL);
|
||||||
|
+ xpthread_join (t);
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#include <support/test-driver.c>
|
@ -1,6 +1,6 @@
|
|||||||
%define glibcsrcdir glibc-2.28
|
%define glibcsrcdir glibc-2.28
|
||||||
%define glibcversion 2.28
|
%define glibcversion 2.28
|
||||||
%define glibcrelease 246%{?dist}
|
%define glibcrelease 247%{?dist}
|
||||||
# Pre-release tarballs are pulled in from git using a command that is
|
# Pre-release tarballs are pulled in from git using a command that is
|
||||||
# effectively:
|
# effectively:
|
||||||
#
|
#
|
||||||
@ -1175,6 +1175,8 @@ Patch987: glibc-RHEL-15696-107.patch
|
|||||||
Patch988: glibc-RHEL-15696-108.patch
|
Patch988: glibc-RHEL-15696-108.patch
|
||||||
Patch989: glibc-RHEL-15696-109.patch
|
Patch989: glibc-RHEL-15696-109.patch
|
||||||
Patch990: glibc-RHEL-15696-110.patch
|
Patch990: glibc-RHEL-15696-110.patch
|
||||||
|
Patch991: glibc-RHEL-17468-1.patch
|
||||||
|
Patch992: glibc-RHEL-17468-2.patch
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
# Continued list of core "glibc" package information:
|
# Continued list of core "glibc" package information:
|
||||||
@ -3006,6 +3008,9 @@ fi
|
|||||||
%files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared
|
%files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Dec 21 2023 Carlos O'Donell <carlos@redhat.com> - 2.28-247
|
||||||
|
- Fix TLS corruption during dlopen()/dlclose() sequences (RHEL-17468)
|
||||||
|
|
||||||
* Thu Dec 14 2023 DJ Delorie <dj@redhat.com> - 2.28-246
|
* Thu Dec 14 2023 DJ Delorie <dj@redhat.com> - 2.28-246
|
||||||
- Include CentOS Hyperscaler SIG patches backported by Intel (RHEL-15696)
|
- Include CentOS Hyperscaler SIG patches backported by Intel (RHEL-15696)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user