NetBSD Problem Report #53465

From www@NetBSD.org  Mon Jul 23 14:52:51 2018
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 6E2007A103
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 23 Jul 2018 14:52:51 +0000 (UTC)
Message-Id: <20180723145249.E0DB07A104@mollari.NetBSD.org>
Date: Mon, 23 Jul 2018 14:52:49 +0000 (UTC)
From: zh_jq@outlook.com
Reply-To: zh_jq@outlook.com
To: gnats-bugs@NetBSD.org
Subject: ld.elf_so crashes when memcpy obj->tlsinit data
X-Send-Pr-Version: www-1.0

>Number:         53465
>Category:       bin
>Synopsis:       ld.elf_so crashes when memcpy obj->tlsinit data
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jul 23 14:55:00 +0000 2018
>Closed-Date:    Wed Nov 28 07:21:04 +0000 2018
>Last-Modified:  Wed Nov 28 07:21:04 +0000 2018
>Originator:     Zhang Jingqiang
>Release:        8.0
>Organization:
>Environment:
NetBSD localhost 8.0 NetBSD 8.0 (GENERIC) #0: Tue Jul 17 14:59:51 UTC 2018  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
When I run my program, which has the following TLS ELF header section:
--
TLS off    0x000000000007de60 vaddr 0x000000000027de60 paddr 0x000000000027de60 align 2**4
    filesz 0x0000000000000058 memsz 0x0000000000000388 flags r--
--
Then I got the following backtrace:
--
Program received signal SIGSEGV, Segmentation fault.
0x00007f7f9d60b994 in memcpy () from /usr/libexec/ld.elf_so
(gdb) bt
#0  0x00007f7f9d60b994 in memcpy () from /usr/libexec/ld.elf_so
#1  0x00007f7f9d60a0ff in __memcpy_ichk (len=<optimized out>, src=<optimized out>, dst=<optimized out>)
    at /usr/include/ssp/string.h:82
#2  _rtld_tls_allocate_locked () at /usr/src/libexec/ld.elf_so/tls.c:146
#3  0x00007f7f9d60a147 in _rtld_tls_initial_allocation () at /usr/src/libexec/ld.elf_so/tls.c:106
#4  0x00007f7f9d603000 in _rtld (sp=<optimized out>, relocbase=<optimized out>) at /usr/src/libexec/ld.elf_so/rtld.c:708
#5  0x00007f7f9d6007a3 in .rtld_start () from /usr/libexec/ld.elf_so
#6  0x00007f7fff28cfe0 in ?? ()
#7  0x0000000000000000 in ?? ()
--
then I set frame to #2, and got related values:
--
(gdb) print tcb
$23 = (struct tls_tcb *) 0x7118148c3c00
(gdb) print p
$24 = (__uint8_t *) 0x7118148c3c00 ""
(gdb) print obj->tlsoffset
$25 = 912
(gdb) print obj->tlsinitsize
$26 = 88
(gdb) print obj->tlsinit
$27 = (void *) 0x27de60
--
It seems that q has enough space (912 bytes) for the tlsinit data (88 bytes),
so this may be an alignment problem?
>How-To-Repeat:
I didn't get a light version of the C file to reproduce the problem.
Sorry for not being able to submit the original file.
>Fix:

>Release-Note:

>Audit-Trail:
From: ? ?? <zh_jq@outlook.com>
To: "gnats-bugs@netbsd.org" <gnats-bugs@netbsd.org>
Cc: "netbsd-bugs@netbsd.org" <netbsd-bugs@netbsd.org>
Subject: Re: bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data
Date: Mon, 23 Jul 2018 16:19:05 +0000

 Now I have a simple C file to reproduce the problem:
 ----
 #include <stdio.h>

 /* TLS variable with a nonzero initializer, so the .tdata template (tlsinit) is non-empty */
 _Thread_local int a = 1;

 int main(int argc, char *argv[])
 {
         printf("run ok\n");
         return 0;
 }
 ----
 Use the following to compile:
 gcc -o ld-test -fPIE -pie ../src/_pstatd/ld_test.c
 Then run ld-test, and you will get the crash.


From: Joerg Sonnenberger <joerg@bec.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data
Date: Mon, 23 Jul 2018 18:17:37 +0200

 On Mon, Jul 23, 2018 at 02:55:00PM +0000, zh_jq@outlook.com wrote:
 > >Synopsis:       ld.elf_so crashes when memcpy obj->tlsinit data

 Without an actual binary to reproduce, this is not really actionable.

 Joerg

From: Joerg Sonnenberger <joerg@bec.de>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, zh_jq@outlook.com
Subject: Re: bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data
Date: Mon, 23 Jul 2018 21:37:53 +0200


 On Mon, Jul 23, 2018 at 04:55:01PM +0000, ? ?? wrote:
 > The following reply was made to PR bin/53465; it has been noted by GNATS.
 > 
 > From: ? ?? <zh_jq@outlook.com>
 > To: "gnats-bugs@netbsd.org" <gnats-bugs@netbsd.org>
 > Cc: "netbsd-bugs@netbsd.org" <netbsd-bugs@netbsd.org>
 > Subject: Re: bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data
 > Date: Mon, 23 Jul 2018 16:19:05 +0000
 > 
 >  Now I have a simple c file to reproduce the problem:
 >  ----
 >  #include <stdio.h>
 >  
 >  _Thread_local int a = 1;
 >  
 >  int main(int argc, char *argv[])
 >  {
 >          printf("run ok\n");
 >          return 0;
 >  }
 >  ----
 >  Use the following to compile:
 >  gcc -o ld-test -fPIE -pie ../src/_pstatd/ld_test.c
 >  Then run ld-test, and you will get the crash.

 Ah, PIE. Yes, that explains it. Missing relocbase. Attached patch covers
 that.

 Joerg

 [attachment: tls-pie.diff]

 diff -r 38c5563055d2 libexec/ld.elf_so/headers.c
 --- a/libexec/ld.elf_so/headers.c	Fri Jul 20 07:12:50 2018 +0000
 +++ b/libexec/ld.elf_so/headers.c	Mon Jul 23 21:37:34 2018 +0200
 @@ -449,7 +449,8 @@
  			obj->tlssize = ph->p_memsz;
  			obj->tlsalign = ph->p_align;
  			obj->tlsinitsize = ph->p_filesz;
 -			obj->tlsinit = (void *)(uintptr_t)ph->p_vaddr;
 +			obj->tlsinit = (void *)(obj->relocbase +
 +			    (uintptr_t)ph->p_vaddr);
  			dbg(("headers: %s %p phsize %" PRImemsz,
  			    "PT_TLS", (void *)(uintptr_t)vaddr,
  			     ph->p_memsz));
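 Review bot: the dbg() call directly after the changed assignment still prints the unrelocated `vaddr`, so the debug trace will no longer match what is stored in obj->tlsinit for a PIE; print obj->tlsinit there instead (or add obj->relocbase to the trace) so the output shows the relocated template address. It is also worth confirming that obj->relocbase is already populated when this PT_TLS branch runs, since the added `obj->relocbase +` term is a no-op otherwise and the PIE crash would remain.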

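To show concretely why the bare p_vaddr only faults for a PIE, here is an added C example (not ld.elf_so's own code) that mirrors the PT_TLS digest before and after the patch over a constructed in-memory image; the struct names, the image layout, the template offset 0x40 and the template bytes are assumptions, while filesz 0x58 and memsz 0x388 are the values from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define PT_TLS 7
/* ELF64 program header, field order as in the ELF spec (no <elf.h>, to stay portable). */
typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} phdr64;
struct tls_obj {             /* the few Obj_Entry fields the PR is about (assumed subset) */
    uintptr_t relocbase;     /* load address minus link-time base; nonzero for a PIE */
    const uint8_t *tlsinit;  /* .tdata template copied into every thread's TLS block */
    size_t tlsinitsize, tlssize;
};
/* Digest PT_TLS the way headers.c does; relocate=0 is the pre-fix formula (bare p_vaddr). */
int digest_tls(struct tls_obj *obj, const phdr64 *ph, size_t nph, int relocate)
{
    for (size_t i = 0; i < nph; i++) {
        if (ph[i].p_type != PT_TLS) continue;
        obj->tlssize = ph[i].p_memsz;
        obj->tlsinitsize = ph[i].p_filesz;
        obj->tlsinit = (const uint8_t *)((relocate ? obj->relocbase : 0) + (uintptr_t)ph[i].p_vaddr);
        return 1;
    }
    return 0;
}
/* Constructed "loaded PIE image": the TLS template sits 0x40 bytes into it; filesz/memsz are the PR's. */
static uint8_t image[0x40 + 0x58];
static const phdr64 phdrs[1] = { { PT_TLS, 4, 0x40, 0x40, 0x40, 0x58, 0x388, 16 } };

/* Address headers.c would store as tlsinit for this image, with (1) or without (0) the fix. */
uintptr_t tlsinit_addr(int relocate)
{
    struct tls_obj obj = { .relocbase = (uintptr_t)image };
    return digest_tls(&obj, phdrs, 1, relocate) ? (uintptr_t)obj.tlsinit : 0;
}

/* The allocation step from tls.c: copy the template, zero the .tbss tail. Returns 1 when the
 * fixed tlsinit reads the right bytes; the pre-fix pointer (link-time 0x40) would fault here. */
int check_fixed_allocation(void)
{
    struct tls_obj obj = { .relocbase = (uintptr_t)image };
    uint8_t block[0x388];
    for (size_t i = 0; i < 0x58; i++) image[0x40 + i] = (uint8_t)(i ^ 0xA5); /* constructed data */
    if (!digest_tls(&obj, phdrs, 1, 1)) return 0;
    memcpy(block, obj.tlsinit, obj.tlsinitsize);
    memset(block + obj.tlsinitsize, 0, obj.tlssize - obj.tlsinitsize);
    return memcmp(block, image + 0x40, 0x58) == 0 && block[0x387] == 0;
}
```

For a non-PIE executable relocbase is 0, so both formulas agree and the bug stays hidden; only when the image is loaded at a nonzero relocbase does the pre-fix tlsinit point outside the mapping.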

From: ? ?? <zh_jq@outlook.com>
To: "gnats-bugs@netbsd.org" <gnats-bugs@netbsd.org>
Cc: 
Subject: Re: bin/53465
Date: Mon, 23 Jul 2018 16:09:41 +0000

 Now I have a simple c file to reproduce the problem:
 ----
 #include <stdio.h>

 _Thread_local int a = 1;

 int main(int argc, char *argv[])
 {
         printf("run ok\n");
         return 0;
 }
 ----
 Use the following to compile:
 gcc -o ld-test -fPIE -pie ../src/_pstatd/ld_test.c
 Then run ld-test, and you will get the crash.


From: ? ?? <zh_jq@outlook.com>
To: "gnats-bugs@netbsd.org" <gnats-bugs@netbsd.org>
Cc: 
Subject: Re: bin/53465
Date: Mon, 23 Jul 2018 16:03:54 +0000

 Now I have a simple c file to reproduce the problem:
 ----
 #include <stdio.h>

 _Thread_local int a = 1;

 int main(int argc, char *argv[])
 {
         printf("run ok\n");
         return 0;
 }
 ----
 Use the following to compile:
 gcc -o ld-test -fPIE -pie ../src/_pstatd/ld_test.c
 Then run ld-test, and you will get the crash.


State-Changed-From-To: open->feedback
State-Changed-By: leot@NetBSD.org
State-Changed-When: Tue, 24 Jul 2018 08:30:53 +0000
State-Changed-Why:
Feedback requested


From: ? ?? <zh_jq@outlook.com>
To: "gnats-bugs@netbsd.org" <gnats-bugs@netbsd.org>
Cc: "netbsd-bugs@netbsd.org" <netbsd-bugs@netbsd.org>, "leot@netbsd.org"
	<leot@netbsd.org>, "joerg@bec.de" <joerg@bec.de>
Subject: Re: bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data
Date: Tue, 24 Jul 2018 09:03:40 +0000

 I don't know how to compile ld.elf_so to test that patch,
 as I only have files extracted from src.tgz (build.sh reports file missing
 errors),
 and it's not possible for me to cvs get all the source code because
 of the very low speed while connecting to any of the *netbsd sites,
 even with the nycdn ones.
 So I prefer some binary update.
 Anyhow, this can be closed if you have tested the previous C code.
 Thanks


From: "Joerg Sonnenberger" <joerg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53465 CVS commit: src/libexec/ld.elf_so
Date: Tue, 24 Jul 2018 13:48:49 +0000

 Module Name:	src
 Committed By:	joerg
 Date:		Tue Jul 24 13:48:48 UTC 2018

 Modified Files:
 	src/libexec/ld.elf_so: headers.c

 Log Message:
 Apply relocbase for tlsinit of the executable itself. Fixes PIE where
 relocbase typically is not zero.

 PR bin/53465


 To generate a diff of this commit:
 cvs rdiff -u -r1.63 -r1.64 src/libexec/ld.elf_so/headers.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53465 CVS commit: [netbsd-8] src/libexec/ld.elf_so
Date: Thu, 26 Jul 2018 23:45:09 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Thu Jul 26 23:45:09 UTC 2018

 Modified Files:
 	src/libexec/ld.elf_so [netbsd-8]: headers.c

 Log Message:
 Pull up following revision(s) (requested by joerg in ticket #940):
 	libexec/ld.elf_so/headers.c: revision 1.64
 Apply relocbase for tlsinit of the executable itself. Fixes PIE where
 relocbase typically is not zero.
 PR bin/53465


 To generate a diff of this commit:
 cvs rdiff -u -r1.61.8.1 -r1.61.8.2 src/libexec/ld.elf_so/headers.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: feedback->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Wed, 28 Nov 2018 07:21:04 +0000
State-Changed-Why:
Author cannot test due to connectivity issues, but his test case passes now. Fix was pulled up to -8.


>Unformatted:
