From patchwork Tue Apr 13 08:18:56 2021
X-Patchwork-Submitter: Szabolcs Nagy
X-Patchwork-Id: 42965
X-Patchwork-Delegate: azanella@linux.vnet.ibm.com
To: libc-alpha@sourceware.org
Subject: [PATCH v2 04/14] elf: Refactor _dl_update_slotinfo to avoid use after free
Date: Tue, 13 Apr 2021 09:18:56 +0100
Message-Id: <3237824fb057632817a8de508d1fcb1f2e6f5c7e.1618301209.git.szabolcs.nagy@arm.com>
From: Szabolcs Nagy

map is not valid to access here because it can be freed by a concurrent dlclose: during tls access (via __tls_get_addr) _dl_update_slotinfo is called without holding dlopen locks. So don't check the modid of map.

The map == 0 and map != 0 code paths can be shared (avoiding the dtv resize in case of map == 0 is just an optimization: larger dtv than necessary would be fine too).

Reviewed-by: Adhemerval Zanella
---
v2:
- commit message update
---
 elf/dl-tls.c | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)

diff --git a/elf/dl-tls.c b/elf/dl-tls.c index 24d00c14ef..f8b32b3ecb 100644 --- a/elf/dl-tls.c +++ b/elf/dl-tls.c @@ -743,6 +743,8 @@ _dl_update_slotinfo (unsigned long int req_modid) { for (size_t cnt = total == 0 ? 1 : 0; cnt < listp->len; ++cnt) { + size_t modid = total + cnt; + size_t gen = listp->slotinfo[cnt].gen; if (gen > new_gen) @@ -758,25 +760,12 @@ _dl_update_slotinfo (unsigned long int req_modid) /* If there is no map this means the entry is empty. */ struct link_map *map = listp->slotinfo[cnt].map; - if (map == NULL) - { - if (dtv[-1].counter >= total + cnt) - { - /* If this modid was used at some point the memory - might still be allocated. */ - free (dtv[total + cnt].pointer.to_free); - dtv[total + cnt].pointer.val = TLS_DTV_UNALLOCATED; - dtv[total + cnt].pointer.to_free = NULL; - } - - continue; - } - /* Check whether the current dtv array is large enough. */ - size_t modid = map->l_tls_modid; - assert (total + cnt == modid); if (dtv[-1].counter < modid) { + if (map == NULL) + continue; + /* Resize the dtv. */ dtv = _dl_resize_dtv (dtv);
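Review bot: the new `size_t modid = total + cnt;` in the hunk at @@ -743,6 +743,8 @@ has no comment saying why the module id is taken from the slot index rather than from the map. The reason given in the commit message (map can be freed by a concurrent dlclose while __tls_get_addr runs without the dlopen locks) is the whole point of the change, so a one-line comment at this declaration would keep a later cleanup from reintroducing `map->l_tls_modid`.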
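Review bot: in the hunk at @@ -758,25 +760,12 @@, an empty slot (map == NULL) with dtv[-1].counter >= modid no longer reaches the removed block that freed `dtv[total + cnt].pointer.to_free` and set TLS_DTV_UNALLOCATED before `continue`; it now falls through to the code after the resize check, which is outside the visible context. Please confirm that the shared path frees and resets the entry for this case without dereferencing map, and say so in a comment there. The retained comment "If there is no map this means the entry is empty." now sits above a pointer that is only compared against NULL, so it should also state that map must not be dereferenced at this point.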