From patchwork Wed Jan 17 17:37:38 2018
X-Patchwork-Submitter: Szabolcs Nagy
X-Patchwork-Id: 25430
Delivered-To: mailing list libc-alpha@sourceware.org
Message-ID: <5A5F89E2.3000805@arm.com>
Date: Wed, 17 Jan 2018 17:37:38 +0000
From: Szabolcs Nagy
To: GNU C Library, Maninder Singh, "triegel@redhat.com", Vaneet Narang, PANKAJ MISHRA, AMIT SAHRAWAT, Lalit Mohan Tripathi, AKHILESH KUMAR, Hakbong Lee
CC: nd@arm.com
Subject: [PATCH v5][BZ #21349] fix data race during lazy resolution in _dl_name_match_p

only comments and description update compared to
https://sourceware.org/ml/libc-alpha/2017-04/msg00160.html

(Code is from Maninder Singh and Vaneet Narang, comments and description is from Szabolcs Nagy.)

dlopen updates libname_list by writing to lastp->next, but concurrent reads in _dl_name_match_p were not synchronized when it was called without holding GL(dl_load_lock), which can happen during lazy symbol resolution.

This patch fixes the race between _dl_name_match_p reading lastp->next and add_name_to_object writing to it.
This could cause segfault on targets with weak memory order when lastp->next->name is read, which was observed on an arm system. 2018-01-17 Maninder Singh Vaneet Narang Szabolcs Nagy [BZ #21349] * elf/dl-load.c (add_name_to_object): Use atomic_store_release. * elf/dl-misc.c (_dl_name_match_p): Use atomic_load_acquire. diff --git a/elf/dl-load.c b/elf/dl-load.c index 7554a99b5a..d3e59952e8 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -375,7 +375,23 @@ add_name_to_object (struct link_map *l, const char *name) newname->name = memcpy (newname + 1, name, name_len); newname->next = NULL; newname->dont_free = 0; - lastp->next = newname; + /* CONCURRENCY NOTES: + + Make sure the initialization of newname happens before its address is + read from the lastp->next store below. + + GL(dl_load_lock) is held here (and by other writers, e.g. dlclose), so + readers of libname_list->next (e.g. _dl_check_caller or the reads above) + can use that for synchronization, however the read in _dl_name_match_p + may be executed without holding the lock during _dl_runtime_resolve + (i.e. lazy symbol resolution when a function of library l is called). + + The release MO store below synchronizes with the acquire MO load in + _dl_name_match_p. Other writes need to synchronize with that load too, + however those happen either early when the process is single threaded + (dl_main) or when the library is unloaded (dlclose) and the user has to + synchronize library calls with unloading. */ + atomic_store_release (&lastp->next, newname); } /* Standard search directories. */ diff --git a/elf/dl-misc.c b/elf/dl-misc.c index b7174994cd..03a8feb0c6 100644 --- a/elf/dl-misc.c +++ b/elf/dl-misc.c 
@@ -289,7 +289,9 @@ _dl_name_match_p (const char *name, const struct link_map *map) if (strcmp (name, runp->name) == 0) return 1; else - runp = runp->next; + /* Synchronize with the release MO store in add_name_to_object. + See CONCURRENCY NOTES in add_name_to_object in dl-load.c. */ + runp = atomic_load_acquire (&runp->next); return 0; }
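
Review bot: In the elf/dl-load.c hunk (add_name_to_object), the first sentence of the CONCURRENCY NOTES comment, "before its address is read from the lastp->next store below", is hard to parse: an address is read by a load, not from a store. Something like "happens before its address can be observed through lastp->next" states the ordering requirement directly. The comment also concedes that other writers "need to synchronize with that load too" while leaving them as plain stores; a short pointer to this note at those writers (dl_main, dlclose) would keep the argument from living in only one place.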
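
Review bot: In the elf/dl-misc.c hunk (_dl_name_match_p), the else branch now holds a two-line comment followed by the statement, with no braces. It still parses as a single statement, but braces around the comment and "runp = atomic_load_acquire (&runp->next);" (or dropping the else, since the if branch returns) would keep a later edit from detaching the load from the loop step. The comment could also name the read it protects, runp->name in the strcmp on the next iteration, so the pairing with the release store is visible without opening dl-load.c.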
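
The publication pattern this patch relies on, as an added example that is not part of the original message or of glibc. It uses C11 <stdatomic.h> in place of glibc's internal atomic_store_release/atomic_load_acquire macros; struct name_node, name_list_add and name_list_match are hypothetical stand-ins for libname_list, add_name_to_object and _dl_name_match_p, and the library names are constructed.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for glibc's struct libname_list. */
struct name_node {
  const char *name;
  struct name_node *_Atomic next;
};

/* Writer side. The caller must serialize writers (glibc holds
   GL(dl_load_lock)). Returns 0 on success, -1 if allocation fails. */
int name_list_add(struct name_node *head, const char *name)
{
  size_t len = strlen(name) + 1;
  struct name_node *n = malloc(sizeof *n + len);
  if (n == NULL)
    return -1;
  n->name = memcpy(n + 1, name, len);   /* fully initialize the node first */
  atomic_init(&n->next, NULL);
  /* Only writers modify ->next and they are serialized: relaxed loads suffice. */
  struct name_node *last = head, *nx;
  while ((nx = atomic_load_explicit(&last->next, memory_order_relaxed)) != NULL)
    last = nx;

  /* Publish: release orders the stores to *n before the pointer is visible. */
  atomic_store_explicit(&last->next, n, memory_order_release);
  return 0;
}

/* Reader side, callable without the lock. The acquire load pairs with the
   release store above, so p->name is initialized whenever p is non-NULL. */
int name_list_match(struct name_node *head, const char *name)
{
  for (struct name_node *p = head; p != NULL;
       p = atomic_load_explicit(&p->next, memory_order_acquire))
    if (strcmp(name, p->name) == 0)
      return 1;
  return 0;
}

int main(void)
{
  struct name_node head = { "libdemo.so.1", NULL };   /* constructed names */
  if (name_list_add(&head, "libdemo.so") != 0)
    return 1;
  return !(name_list_match(&head, "libdemo.so") == 1
           && name_list_match(&head, "libother.so") == 0);
}
```

With a plain store in place of the release store, a reader on a weakly ordered CPU may observe the new pointer before the node's name field is written, which is the segfault the description reports.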