NetBSD Problem Report #53465
From www@NetBSD.org Mon Jul 23 14:52:51 2018
Message-Id: <20180723145249.E0DB07A104@mollari.NetBSD.org>
Date: Mon, 23 Jul 2018 14:52:49 +0000 (UTC)
From: zh_jq@outlook.com
Reply-To: zh_jq@outlook.com
To: gnats-bugs@NetBSD.org
Subject: ld.elf_so crashes when memcpy obj->tlsinit data
X-Send-Pr-Version: www-1.0
>Number: 53465
>Category: bin
>Synopsis: ld.elf_so crashes when memcpy obj->tlsinit data
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jul 23 14:55:00 +0000 2018
>Closed-Date: Wed Nov 28 07:21:04 +0000 2018
>Last-Modified: Wed Nov 28 07:21:04 +0000 2018
>Originator: Zhang Jingqiang
>Release: 8.0
>Organization:
>Environment:
NetBSD localhost 8.0 NetBSD 8.0 (GENERIC) #0: Tue Jul 17 14:59:51 UTC 2018 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
When I run my program, which has the following TLS ELF header section:
--
TLS off 0x000000000007de60 vaddr 0x000000000027de60 paddr 0x000000000027de60 align 2**4
filesz 0x0000000000000058 memsz 0x0000000000000388 flags r--
--
Then I got the following backtrace:
--
Program received signal SIGSEGV, Segmentation fault.
0x00007f7f9d60b994 in memcpy () from /usr/libexec/ld.elf_so
(gdb) bt
#0 0x00007f7f9d60b994 in memcpy () from /usr/libexec/ld.elf_so
#1 0x00007f7f9d60a0ff in __memcpy_ichk (len=<optimized out>, src=<optimized out>, dst=<optimized out>)
at /usr/include/ssp/string.h:82
#2 _rtld_tls_allocate_locked () at /usr/src/libexec/ld.elf_so/tls.c:146
#3 0x00007f7f9d60a147 in _rtld_tls_initial_allocation () at /usr/src/libexec/ld.elf_so/tls.c:106
#4 0x00007f7f9d603000 in _rtld (sp=<optimized out>, relocbase=<optimized out>) at /usr/src/libexec/ld.elf_so/rtld.c:708
#5 0x00007f7f9d6007a3 in .rtld_start () from /usr/libexec/ld.elf_so
#6 0x00007f7fff28cfe0 in ?? ()
#7 0x0000000000000000 in ?? ()
--
then I set frame to #2, and got related values:
--
(gdb) print tcb
$23 = (struct tls_tcb *) 0x7118148c3c00
(gdb) print p
$24 = (__uint8_t *) 0x7118148c3c00 ""
(gdb) print obj->tlsoffset
$25 = 912
(gdb) print obj->tlsinitsize
$26 = 88
(gdb) print obj->tlsinit
$27 = (void *) 0x27de60
--
It seems that q has enough space (912 bytes) for the tlsinit data (88 bytes),
so this may be an alignment problem?
>How-To-Repeat:
I didn't get a light version of the C file to reproduce the problem.
Sorry for not being able to submit the original file.
>Fix:
>Release-Note:
>Audit-Trail:
From: Zhang Jingqiang <zh_jq@outlook.com>
To: "gnats-bugs@netbsd.org" <gnats-bugs@netbsd.org>
Cc: "netbsd-bugs@netbsd.org" <netbsd-bugs@netbsd.org>
Subject: Re: bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data
Date: Mon, 23 Jul 2018 16:19:05 +0000
Now I have a simple C file to reproduce the problem:
----
#include <stdio.h>

/* a non-zero initializer puts the variable in the PT_TLS init image (.tdata) */
_Thread_local int a = 1;

int main(int argc, char *argv[])
{
	printf("run ok\n");
	return 0;
}
----
Use the following to compile:
gcc -o ld-test -fPIE -pie ../src/_pstatd/ld_test.c
Then run ld-test, and you will get the crash.
From: Joerg Sonnenberger <joerg@bec.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data
Date: Mon, 23 Jul 2018 18:17:37 +0200
On Mon, Jul 23, 2018 at 02:55:00PM +0000, zh_jq@outlook.com wrote:
> >Synopsis: ld.elf_so crashes when memcpy obj->tlsinit data
Without an actual binary to reproduce, this is not really actionable.
Joerg
From: Joerg Sonnenberger <joerg@bec.de>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, zh_jq@outlook.com
Subject: Re: bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data
Date: Mon, 23 Jul 2018 21:37:53 +0200
On Mon, Jul 23, 2018 at 04:55:01PM +0000, Zhang Jingqiang wrote:
> The following reply was made to PR bin/53465; it has been noted by GNATS.
>
> From: Zhang Jingqiang <zh_jq@outlook.com>
> To: "gnats-bugs@netbsd.org" <gnats-bugs@netbsd.org>
> Cc: "netbsd-bugs@netbsd.org" <netbsd-bugs@netbsd.org>
> Subject: Re: bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data
> Date: Mon, 23 Jul 2018 16:19:05 +0000
>
> Now I have a simple c file to reproduce the problem:
> ----
> #include <stdio.h>
>
> _Thread_local int a = 1;
>
> int main(int argc, char *argv[])
> {
> printf("run ok\n");
> return 0;
> }
> ----
> Use the following to compile:
> gcc -o ld-test -fPIE -pie ../src/_pstatd/ld_test.c
> Then run ld-test, and you will get the crash.
Ah, PIE. Yes, that explains it. Missing relocbase. Attached patch covers
that.
Joerg
[Attachment: tls-pie.diff]
diff -r 38c5563055d2 libexec/ld.elf_so/headers.c
--- a/libexec/ld.elf_so/headers.c Fri Jul 20 07:12:50 2018 +0000
+++ b/libexec/ld.elf_so/headers.c Mon Jul 23 21:37:34 2018 +0200
@@ -449,7 +449,8 @@
obj->tlssize = ph->p_memsz;
obj->tlsalign = ph->p_align;
obj->tlsinitsize = ph->p_filesz;
- obj->tlsinit = (void *)(uintptr_t)ph->p_vaddr;
+ obj->tlsinit = (void *)(obj->relocbase +
+ (uintptr_t)ph->p_vaddr);
dbg(("headers: %s %p phsize %" PRImemsz,
"PT_TLS", (void *)(uintptr_t)vaddr,
ph->p_memsz));
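Review bot: the dbg() call in the trailing context still prints the unrelocated `(void *)(uintptr_t)vaddr` while obj->tlsinit now carries relocbase, so the debug line no longer shows the address that _rtld_tls_allocate_locked will memcpy from; print obj->tlsinit there as well. The new expression also deserves a one-line comment that relocbase is zero for a fixed-address executable and non-zero for PIE, which is why the old `(void *)(uintptr_t)ph->p_vaddr` only broke PIE binaries (the SIGSEGV in memcpy at tls.c:146 in this report) and was never caught by non-PIE testing.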
From: Zhang Jingqiang <zh_jq@outlook.com>
To: "gnats-bugs@netbsd.org" <gnats-bugs@netbsd.org>
Cc:
Subject: Re: bin/53465
Date: Mon, 23 Jul 2018 16:09:41 +0000
Now I have a simple C file to reproduce the problem:
----
#include <stdio.h>

_Thread_local int a = 1;

int main(int argc, char *argv[])
{
	printf("run ok\n");
	return 0;
}
----
Use the following to compile:
gcc -o ld-test -fPIE -pie ../src/_pstatd/ld_test.c
Then run ld-test, and you will get the crash.
From: Zhang Jingqiang <zh_jq@outlook.com>
To: "gnats-bugs@netbsd.org" <gnats-bugs@netbsd.org>
Cc:
Subject: Re: bin/53465
Date: Mon, 23 Jul 2018 16:03:54 +0000
Now I have a simple C file to reproduce the problem:
----
#include <stdio.h>

_Thread_local int a = 1;

int main(int argc, char *argv[])
{
	printf("run ok\n");
	return 0;
}
----
Use the following to compile:
gcc -o ld-test -fPIE -pie ../src/_pstatd/ld_test.c
Then run ld-test, and you will get the crash.
State-Changed-From-To: open->feedback
State-Changed-By: leot@NetBSD.org
State-Changed-When: Tue, 24 Jul 2018 08:30:53 +0000
State-Changed-Why:
Feedback requested
From: Zhang Jingqiang <zh_jq@outlook.com>
To: "gnats-bugs@netbsd.org" <gnats-bugs@netbsd.org>
Cc: "netbsd-bugs@netbsd.org" <netbsd-bugs@netbsd.org>, "leot@netbsd.org"
<leot@netbsd.org>, "joerg@bec.de" <joerg@bec.de>
Subject: Re: bin/53465: ld.elf_so crashes when memcpy obj->tlsinit data
Date: Tue, 24 Jul 2018 09:03:40 +0000
I don't know how to compile ld.elf_so to test that patch,
as I only have files extracted from src.tgz (build.sh reports file-missing
errors), and it's not possible for me to cvs get all the source code because
of the very low speed while connecting to any of the *netbsd sites,
even with the nycdn ones.
So I prefer some binary update.
Anyhow, this can be closed if you have tested the previous C code.
Thanks
From: "Joerg Sonnenberger" <joerg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53465 CVS commit: src/libexec/ld.elf_so
Date: Tue, 24 Jul 2018 13:48:49 +0000
Module Name: src
Committed By: joerg
Date: Tue Jul 24 13:48:48 UTC 2018
Modified Files:
src/libexec/ld.elf_so: headers.c
Log Message:
Apply relocbase for tlsinit of the executable itself. Fixes PIE where
relocbase typically is not zero.
PR bin/53465
To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.64 src/libexec/ld.elf_so/headers.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
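A constructed illustration of the rule the commit log states, added here and not taken from ld.elf_so: an executable walks its own program headers, derives relocbase from where the header-carrying PT_LOAD actually landed, and adds it to the PT_TLS p_vaddr before reading the init image, which is the memcpy that faulted in this report. It assumes a Linux/ELF toolchain whose linker defines __ehdr_start (GNU ld or lld); the names tls_info, locate_tls_segment and first_tls_initializer are mine.

```c
#include <link.h>    /* ElfW(), PT_LOAD, PT_TLS */
#include <stdint.h>
#include <string.h>
/* Constructed example, not ld.elf_so code. One initialized TLS variable gives
 * this executable a PT_TLS with p_filesz > 0, like the reporter's reproducer. */
__thread int tls_var = 1;   /* __thread is the GNU spelling of _Thread_local */
/* Linker-provided address of the in-memory ELF header (GNU ld, lld); weak so
 * an unsupported toolchain yields NULL instead of a link error. */
extern const ElfW(Ehdr) __ehdr_start __attribute__((weak));
struct tls_info {
    uintptr_t relocbase;  /* load bias (actual minus linked header address): 0 for non-PIE */
    uintptr_t p_vaddr;    /* unrelocated PT_TLS p_vaddr: the pre-fix tlsinit */
    const void *tlsinit;  /* relocbase + p_vaddr: the post-fix tlsinit */
    size_t tlsinitsize;   /* p_filesz: bytes memcpy'd from the init image */
};
/* Walks this executable's program headers as rtld does for the main object.
 * Returns 1 with t filled in when a PT_TLS segment exists, else 0. */
int locate_tls_segment(struct tls_info *t)
{
    const ElfW(Ehdr) *eh = &__ehdr_start;
    int have_base = 0, found = 0;
    memset(t, 0, sizeof *t);
    if (eh == NULL) return 0;
    const ElfW(Phdr) *ph = (const ElfW(Phdr) *)((const char *)eh + eh->e_phoff);
    for (int i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type == PT_LOAD && ph[i].p_offset == 0) {
            t->relocbase = (uintptr_t)eh - ph[i].p_vaddr;  /* header lives here */
            have_base = 1;
        } else if (ph[i].p_type == PT_TLS) {
            t->p_vaddr = ph[i].p_vaddr;
            t->tlsinitsize = ph[i].p_filesz;
            found = 1;
        }
    }
    if (!found || !have_base)
        return 0;
    t->tlsinit = (const void *)(t->relocbase + t->p_vaddr);  /* the patch's fix */
    return 1;
}
/* Reads the first int of the init image through the relocated pointer, as the
 * memcpy in _rtld_tls_allocate_locked does. Returns it, or -1 on failure. */
int first_tls_initializer(void)
{
    struct tls_info t; int v;
    if (!locate_tls_segment(&t) || t.tlsinitsize < sizeof v)
        return -1;
    memcpy(&v, t.tlsinit, sizeof v);
    return v;
}
```

Build it once with -fPIE -pie and once with -no-pie and print relocbase from each to see the zero versus non-zero bias the commit log refers to; only the relocated pointer is valid in both builds.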
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53465 CVS commit: [netbsd-8] src/libexec/ld.elf_so
Date: Thu, 26 Jul 2018 23:45:09 +0000
Module Name: src
Committed By: snj
Date: Thu Jul 26 23:45:09 UTC 2018
Modified Files:
src/libexec/ld.elf_so [netbsd-8]: headers.c
Log Message:
Pull up following revision(s) (requested by joerg in ticket #940):
libexec/ld.elf_so/headers.c: revision 1.64
Apply relocbase for tlsinit of the executable itself. Fixes PIE where
relocbase typically is not zero.
PR bin/53465
To generate a diff of this commit:
cvs rdiff -u -r1.61.8.1 -r1.61.8.2 src/libexec/ld.elf_so/headers.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: feedback->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Wed, 28 Nov 2018 07:21:04 +0000
State-Changed-Why:
Author cannot test due to connectivity issues, but his test case passes now. Fix was pulled up to -8.
>Unformatted:
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.