From patchwork Mon Feb 15 12:00:47 2021
X-Patchwork-Submitter: Szabolcs Nagy
X-Patchwork-Id: 42036
X-Patchwork-Delegate: azanella@linux.vnet.ibm.com
To: libc-alpha@sourceware.org
Subject: [PATCH 07/15] elf: Refactor _dl_update_slotinfo to avoid use after free
Date: Mon, 15 Feb 2021 12:00:47 +0000
Message-Id: <3ecdb956cbf6d1b46e36311ffe7f491ce186cdbc.1613390045.git.szabolcs.nagy@arm.com>
From: Szabolcs Nagy

map is not valid to access here because it can be freed by a concurrent
dlclose, so don't check the modid.

The map == 0 and map != 0 code paths can be shared (avoiding the dtv
resize in case of map == 0 is just an optimization: larger dtv than
necessary would be fine too).

Reviewed-by: Adhemerval Zanella
--- elf/dl-tls.c | 21 +++++---------------- 1 file changed, 5 insertions(+), 16 deletions(-) diff --git a/elf/dl-tls.c b/elf/dl-tls.c index 24d00c14ef..f8b32b3ecb 100644 --- a/elf/dl-tls.c +++ b/elf/dl-tls.c @@ -743,6 +743,8 @@ _dl_update_slotinfo (unsigned long int req_modid) { for (size_t cnt = total == 0 ? 1 : 0; cnt < listp->len; ++cnt) { + size_t modid = total + cnt; + size_t gen = listp->slotinfo[cnt].gen; if (gen > new_gen) @@ -758,25 +760,12 @@ _dl_update_slotinfo (unsigned long int req_modid) /* If there is no map this means the entry is empty. */ struct link_map *map = listp->slotinfo[cnt].map; - if (map == NULL) - { - if (dtv[-1].counter >= total + cnt) - { - /* If this modid was used at some point the memory - might still be allocated. */ - free (dtv[total + cnt].pointer.to_free); - dtv[total + cnt].pointer.val = TLS_DTV_UNALLOCATED; - dtv[total + cnt].pointer.to_free = NULL; - } - - continue; - } - /* Check whether the current dtv array is large enough. */ - size_t modid = map->l_tls_modid; - assert (total + cnt == modid); if (dtv[-1].counter < modid) { + if (map == NULL) + continue; + /* Resize the dtv. */ dtv = _dl_resize_dtv (dtv);
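
Review bot: the new `size_t modid = total + cnt;` at the top of the loop body in the first hunk (@@ -743,6 +743,8) carries no comment, and it is now the only place the relation between slot position and modid is stated, because the second hunk drops `assert (total + cnt == modid)`. A one-line comment there saying the modid is computed from the slot index because `map->l_tls_modid` must not be read (the map can be freed by a concurrent dlclose, as the commit message explains) would keep a later cleanup from reintroducing the dereference.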
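
Review bot: in the second hunk (@@ -758,25 +760,12) the retained comment `/* If there is no map this means the entry is empty. */` no longer has a branch under it, and the new `if (map == NULL) continue;` inside `if (dtv[-1].counter < modid)` is uncommented. The removed block explained that a previously used modid may still have memory allocated and freed `dtv[total + cnt].pointer.to_free` itself; with it gone, an empty slot that fits in the current dtv depends on the shared code after the resize (not visible in this hunk) to free and reset the entry. Please confirm that path only compares `map` against NULL and never dereferences it, and add a comment at the `continue` saying that skipping the resize for an empty entry is only an optimization.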