[Bug libc/11952] New: glibc may use uninitialized DTV slot, return NULL for &thread_local

["ppluzhnikov at google dot com" <sourceware-bugzilla at sourceware dot org>]

When a shared library foo.so with TLS variables is loaded as a result
of dlopen("bar.so"), and bar.so has R_386_TLS_TPOFF, then glibc may
use unitialized (zero'd) dtv[] entry, and address of thread-local variable
will become NULL.

The bug exists in glibc-2.7 and current git HEAD.

Repro instructions:

cat > foo.c <<EOF
static __thread int foo;
int *get_foo() { return &foo; }
EOF

cat > bar.c <<EOF
static __thread int bar;
extern int *get_bar() { return &bar; }
EOF

cat > main.c <<EOF
#include <stdio.h>
#include <dlfcn.h>

int main()
{
  void *h = dlopen("./bar.so", RTLD_LAZY);
  int* (*get_bar)(void) = dlsym(h, "get_bar");
  int* (*get_foo)(void) = dlsym(h, "get_foo");

  printf("get_bar() = %p\n", (*get_bar)());
  printf("get_foo() = %p\n", (*get_foo)());

  return 0;
}
EOF

gcc -m32 -fPIC -shared -o foo.so foo.c
gcc -m32 -shared -o bar.so bar.c ./foo.so  # NOTE: no -fPIC
gcc -m32 main.c -ldl

./a.out
get_bar() = 0xf756e680
get_foo() = (nil)          <<<- BUG


Rebuilding bar.so with -fPIC makes the problem go away:

gcc -m32 -fPIC -shared -o bar.so bar.c ./foo.so
./a.out
get_bar() = 0x804a700
get_foo() = 0x804a710

-- 
           Summary: glibc may use uninitialized DTV slot, return NULL for
                    &thread_local
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: ppluzhnikov at google dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: x86_64-unknown-linux-gnu
  GCC host triplet: x86_64-unknown-linux-gnu
GCC target triplet: i586-unknown-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=11952

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.