mirror of git://sourceware.org/git/glibc.git
6f4527a7dd
This addresses an issue that is present mainly on SMP machines running
threaded code. In a typical indirect call or PLT import stub, the
target address is loaded first. Then the global pointer is loaded into
the PIC register in the delay slot of a branch to the target address.
During lazy binding, the target address is a trampoline which transfers
to _dl_runtime_resolve().
_dl_runtime_resolve() uses the relocation offset stored in the global
pointer and the linkage map stored in the trampoline to find the
relocation. Then, the function descriptor is updated.
In a multi-threaded application, it is possible for the global pointer
to be updated between the load of the target address and the global
pointer. When this happens, the relocation offset has been replaced
by the new global pointer. The function pointer has probably been
updated as well but there is no way to find the address of the function
descriptor and to transfer to the target. So, _dl_runtime_resolve()
typically crashes.
HP-UX addressed this problem by adding an extra pc-relative branch to
the trampoline. The descriptor is initially setup to point to the
branch. The branch then transfers to the trampoline. This allowed
the trampoline code to figure out which descriptor was being used
without any modification to user code. I didn't use this approach
as it is more complex and changes function pointer canonicalization.
The order of loading the target address and global pointer in
indirect calls was not consistent with the order used in import stubs.
In particular, $$dyncall and some inline versions of it loaded the
global pointer first. This was inconsistent with the global pointer
being updated first in dl-machine.h. Assuming the accesses are
ordered, we want elf_machine_fixup_plt() to store the global pointer
first and calls to load it last. Then, the global pointer will be
correct when the target function is entered.
However, just to make things more fun, HP added support for
out-of-order execution of accesses in PA 2.0. The accesses used by
calls are weakly ordered. So, it's possibly under some circumstances
that a function might be entered with the wrong global pointer.
However, HP uses weakly ordered accesses in 64-bit HP-UX, so I assume
that loading the global pointer in the delay slot of the branch must
work consistently.
The basic fix for the race is a combination of modifying user code to
preserve the address of the function descriptor in register %r22 and
setting the least-significant bit in the relocation offset. The
latter was suggested by Carlos as a way to distinguish relocation
offsets from global pointer values. Conventionally, %r22 is used
as the address of the function descriptor in calls to $$dyncall.
So, it wasn't hard to preserve the address in %r22.
I have updated gcc trunk and gcc-9 branch to not clobber %r22 in
$$dyncall and inline indirect calls. I have also modified the import
stubs in binutils trunk and the 2.33 branch to preserve %r22. This
required making the stubs one instruction longer but we save one
relocation. I also modified binutils to align the .plt section on
a 8-byte boundary. This allows descriptors to be updated atomically
with a floting-point store.
With these changes, _dl_runtime_resolve() can fallback to an alternate
mechanism to find the relocation offset when it has been clobbered.
There's just one additional instruction in the fast path. I tested
the fallback function, _dl_fix_reloc_arg(), by changing the branch to
always use the fallback. Old code still runs as it did before.
Fixes bug 23296.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| aarch64 | ||
| alpha | ||
| arm | ||
| bits | ||
| csky | ||
| generic | ||
| hppa | ||
| i386 | ||
| ia64 | ||
| include | ||
| m68k | ||
| microblaze | ||
| mips | ||
| net | ||
| netash | ||
| netatalk | ||
| netax25 | ||
| neteconet | ||
| netinet | ||
| netipx | ||
| netiucv | ||
| netpacket | ||
| netrom | ||
| netrose | ||
| nfs | ||
| nios2 | ||
| powerpc | ||
| riscv | ||
| s390 | ||
| scsi | ||
| sh | ||
| sparc | ||
| sys | ||
| wordsize-64 | ||
| x86 | ||
| x86_64 | ||
| Implies | ||
| Makefile | ||
| Versions | ||
| _G_config.h | ||
| _exit.c | ||
| a.out.h | ||
| accept.c | ||
| accept4.c | ||
| access.c | ||
| adjtime.c | ||
| aio_misc.h | ||
| aio_sigqueue.c | ||
| alphasort64.c | ||
| arch-fork.h | ||
| bind.c | ||
| check_native.c | ||
| check_pf.c | ||
| clock.c | ||
| clock_getcpuclockid.c | ||
| clock_getres.c | ||
| clock_gettime.c | ||
| clock_nanosleep.c | ||
| clock_settime.c | ||
| close.c | ||
| close_nocancel.c | ||
| cmsg_nxthdr.c | ||
| configure | ||
| configure.ac | ||
| connect.c | ||
| copy_file_range.c | ||
| creat.c | ||
| creat64.c | ||
| createthread.c | ||
| default-sched.h | ||
| device-nrs.h | ||
| dl-brk.c | ||
| dl-execstack.c | ||
| dl-fxstatat64.c | ||
| dl-getcwd.c | ||
| dl-librecon.h | ||
| dl-openat64.c | ||
| dl-opendir.c | ||
| dl-origin.c | ||
| dl-osinfo.h | ||
| dl-sbrk.c | ||
| dl-sysdep.c | ||
| dl-sysdep.h | ||
| dl-vdso.c | ||
| dl-vdso.h | ||
| dl-writev.h | ||
| epoll_pwait.c | ||
| epoll_wait.c | ||
| errqueue.h | ||
| eventfd_read.c | ||
| eventfd_write.c | ||
| exit-thread.h | ||
| faccessat.c | ||
| fallocate.c | ||
| fallocate64.c | ||
| fatal-prepare.h | ||
| fchmodat.c | ||
| fcntl.c | ||
| fcntl64.c | ||
| fcntl_nocancel.c | ||
| fd_to_filename.h | ||
| fdatasync.c | ||
| fexecve.c | ||
| filter-nr-syscalls.awk | ||
| fips-private.h | ||
| fpathconf.c | ||
| fstatfs64.c | ||
| fstatvfs.c | ||
| fstatvfs64.c | ||
| fsync.c | ||
| ftime.c | ||
| ftruncate.c | ||
| ftruncate64.c | ||
| futex-internal.h | ||
| futimens.c | ||
| futimes.c | ||
| futimesat.c | ||
| fxstat.c | ||
| fxstat64.c | ||
| fxstatat.c | ||
| fxstatat64.c | ||
| gai_sigqueue.c | ||
| gen-syscall-h.awk | ||
| gentempfd.c | ||
| getclktck.c | ||
| getcpu.c | ||
| getcwd.c | ||
| getdents.c | ||
| getdents64.c | ||
| getdirentries.c | ||
| getdirentries64.c | ||
| getdtsz.c | ||
| getentropy.c | ||
| gethostid.c | ||
| getipv4sourcefilter.c | ||
| getloadavg.c | ||
| getlogin.c | ||
| getlogin_r.c | ||
| getpagesize.c | ||
| getpeername.c | ||
| getpriority.c | ||
| getpt.c | ||
| getrandom.c | ||
| getrlimit.c | ||
| getrlimit64.c | ||
| getsockname.c | ||
| getsockopt.c | ||
| getsourcefilter.c | ||
| getsourcefilter.h | ||
| getsysstats.c | ||
| gettimeofday.c | ||
| glob-lstat-compat.c | ||
| glob.c | ||
| glob64-lstat-compat.c | ||
| glob64.c | ||
| globfree.c | ||
| globfree64.c | ||
| grantpt.c | ||
| if_index.c | ||
| ifaddrs.c | ||
| ifreq.c | ||
| internal-signals.h | ||
| internal_statvfs.c | ||
| internal_statvfs.h | ||
| internal_statvfs64.c | ||
| ipc_ops.h | ||
| ipc_priv.h | ||
| kernel-features.h | ||
| kernel-posix-cpu-timers.h | ||
| kernel-posix-timers.h | ||
| kernel_sigaction.h | ||
| kernel_stat.h | ||
| kernel_termios.h | ||
| ldd-rewrite.sed | ||
| lddlibc4.c | ||
| ldsodefs.h | ||
| libc_fatal.c | ||
| linux_fsinfo.h | ||
| listen.c | ||
| local-setxid.h | ||
| lowlevellock-futex.h | ||
| lseek.c | ||
| lseek64.c | ||
| lutimes.c | ||
| lxstat.c | ||
| lxstat64.c | ||
| malloc-sysdep.h | ||
| mlock2.c | ||
| mmap.c | ||
| mmap64.c | ||
| mmap_internal.h | ||
| mq_close.c | ||
| mq_getattr.c | ||
| mq_notify.c | ||
| mq_open.c | ||
| mq_receive.c | ||
| mq_send.c | ||
| mq_timedreceive.c | ||
| mq_timedsend.c | ||
| mq_unlink.c | ||
| msgctl.c | ||
| msgget.c | ||
| msgrcv.c | ||
| msgsnd.c | ||
| msync.c | ||
| nanosleep.c | ||
| nanosleep_nocancel.c | ||
| netlink_assert_response.c | ||
| netlinkaccess.h | ||
| nice.c | ||
| not-cancel.h | ||
| not-errno.h | ||
| nscd_setup_thread.c | ||
| ntp_gettime.c | ||
| ntp_gettimex.c | ||
| olddirent.h | ||
| oldglob.c | ||
| open.c | ||
| open64.c | ||
| open64_nocancel.c | ||
| open_by_handle_at.c | ||
| open_nocancel.c | ||
| openat.c | ||
| openat64.c | ||
| openat64_nocancel.c | ||
| openat_nocancel.c | ||
| opensock.c | ||
| pathconf.c | ||
| pathconf.h | ||
| paths.h | ||
| pause.c | ||
| pause_nocancel.c | ||
| personality.c | ||
| pkey_get.c | ||
| pkey_mprotect.c | ||
| pkey_set.c | ||
| poll.c | ||
| posix_fadvise.c | ||
| posix_fadvise64.c | ||
| posix_fallocate.c | ||
| posix_fallocate64.c | ||
| posix_madvise.c | ||
| ppoll.c | ||
| pread.c | ||
| pread64.c | ||
| pread64_nocancel.c | ||
| preadv.c | ||
| preadv2.c | ||
| preadv64.c | ||
| preadv64v2.c | ||
| prlimit.c | ||
| prof-freq.c | ||
| profil.c | ||
| pselect.c | ||
| pt-raise.c | ||
| pthread-pids.h | ||
| pthread_getaffinity.c | ||
| pthread_getcpuclockid.c | ||
| pthread_getname.c | ||
| pthread_kill.c | ||
| pthread_setaffinity.c | ||
| pthread_setname.c | ||
| pthread_sigmask.c | ||
| pthread_sigqueue.c | ||
| ptrace.c | ||
| ptsname.c | ||
| pwrite.c | ||
| pwrite64.c | ||
| pwritev.c | ||
| pwritev2.c | ||
| pwritev64.c | ||
| pwritev64v2.c | ||
| raise.c | ||
| read.c | ||
| read_nocancel.c | ||
| readahead.c | ||
| readdir.c | ||
| readdir64.c | ||
| readdir64_r.c | ||
| readdir_r.c | ||
| readonly-area.c | ||
| readv.c | ||
| reboot.c | ||
| recv.c | ||
| recvfrom.c | ||
| recvmmsg.c | ||
| recvmsg.c | ||
| remove.c | ||
| rename.c | ||
| renameat.c | ||
| renameat2.c | ||
| sa_len.c | ||
| safe-fatal.h | ||
| scandir64.c | ||
| sched_getaffinity.c | ||
| sched_getcpu.c | ||
| sched_setaffinity.c | ||
| segfault.c | ||
| select.c | ||
| semctl.c | ||
| semget.c | ||
| semop.c | ||
| semtimedop.c | ||
| send.c | ||
| sendmmsg.c | ||
| sendmsg.c | ||
| sendto.c | ||
| setegid.c | ||
| seteuid.c | ||
| setgid.c | ||
| setgroups.c | ||
| sethostid.c | ||
| setipv4sourcefilter.c | ||
| setregid.c | ||
| setresgid.c | ||
| setresuid.c | ||
| setreuid.c | ||
| setrlimit.c | ||
| setrlimit64.c | ||
| setsockopt.c | ||
| setsourcefilter.c | ||
| setuid.c | ||
| shlib-versions | ||
| shm-directory.c | ||
| shmat.c | ||
| shmctl.c | ||
| shmdt.c | ||
| shmget.c | ||
| shutdown.c | ||
| sigaction.c | ||
| siglist.h | ||
| signal.c | ||
| signalfd.c | ||
| sigpending.c | ||
| sigprocmask.c | ||
| sigqueue.c | ||
| sigreturn.c | ||
| sigset-cvt-mask.h | ||
| sigsetops.h | ||
| sigstack.c | ||
| sigsuspend.c | ||
| sigtimedwait.c | ||
| sigwait.c | ||
| sigwaitinfo.c | ||
| single-thread.h | ||
| sizes.h | ||
| socket.c | ||
| socketcall.h | ||
| socketpair.c | ||
| spawni.c | ||
| speed.c | ||
| splice.c | ||
| statfs64.c | ||
| statvfs.c | ||
| statvfs64.c | ||
| statx.c | ||
| statx_cp.c | ||
| statx_cp.h | ||
| sync_file_range.c | ||
| syscall-names.list | ||
| syscalls.list | ||
| sysconf.c | ||
| sysctl.c | ||
| sysctl.mk | ||
| sysdep-cancel.h | ||
| sysdep-vdso.h | ||
| sysdep.h | ||
| syslog.c | ||
| tcdrain.c | ||
| tcflow.c | ||
| tcflush.c | ||
| tcgetattr.c | ||
| tcgetpgrp.c | ||
| tcsendbrk.c | ||
| tcsetattr.c | ||
| tcsetpgrp.c | ||
| tee.c | ||
| termio.h | ||
| test-errno-linux.c | ||
| time.c | ||
| timer_create.c | ||
| timer_delete.c | ||
| timer_getoverr.c | ||
| timer_gettime.c | ||
| timer_routines.c | ||
| timer_settime.c | ||
| times.c | ||
| timespec_get.c | ||
| truncate.c | ||
| truncate64.c | ||
| tst-affinity-pid.c | ||
| tst-affinity-static.c | ||
| tst-affinity.c | ||
| tst-align-clone.c | ||
| tst-clone.c | ||
| tst-clone2.c | ||
| tst-clone3.c | ||
| tst-fallocate-common.c | ||
| tst-fallocate.c | ||
| tst-fallocate64.c | ||
| tst-fanotify.c | ||
| tst-getdents64.c | ||
| tst-getpid1.c | ||
| tst-gettid-kill.c | ||
| tst-gettid.c | ||
| tst-memfd_create.c | ||
| tst-mlock2.c | ||
| tst-mman-consts.py | ||
| tst-ofdlocks-compat.c | ||
| tst-ofdlocks.c | ||
| tst-personality.c | ||
| tst-pkey.c | ||
| tst-quota.c | ||
| tst-readdir64-compat.c | ||
| tst-rlimit-infinity.c | ||
| tst-setgetname.c | ||
| tst-signal-numbers.py | ||
| tst-skeleton-affinity.c | ||
| tst-skeleton-thread-affinity.c | ||
| tst-socket-consts.py | ||
| tst-sync_file_range.c | ||
| tst-syscall-list.sh | ||
| tst-sysconf-iov_max-uapi.c | ||
| tst-sysconf-iov_max.c | ||
| tst-tgkill.c | ||
| tst-thread-affinity-pthread.c | ||
| tst-thread-affinity-pthread2.c | ||
| tst-thread-affinity-sched.c | ||
| tst-ttyname.c | ||
| ttyname.c | ||
| ttyname.h | ||
| ttyname_r.c | ||
| ualarm.c | ||
| umount.c | ||
| umount2.S | ||
| unlockpt.c | ||
| updwtmp.c | ||
| ustat.c | ||
| utimensat.c | ||
| utimes.c | ||
| utmp_file.c | ||
| versionsort64.c | ||
| vfork.c | ||
| vmsplice.c | ||
| wait.c | ||
| wait3.c | ||
| waitid.c | ||
| waitpid.c | ||
| waitpid_nocancel.c | ||
| write.c | ||
| write_nocancel.c | ||
| writev.c | ||
| xmknod.c | ||
| xmknodat.c | ||
| xstat.c | ||
| xstat64.c | ||
| xstatconv.c | ||
| xstatconv.h | ||