This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug dynamic-link/13862] Reuse of cached stack can cause bounds overrun of thread DTV
- From: "paul at vineyardnetworks dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Fri, 16 Mar 2012 23:01:57 +0000
- Subject: [Bug dynamic-link/13862] Reuse of cached stack can cause bounds overrun of thread DTV
- Auto-submitted: auto-generated
- References: <bug-13862-131@http.sourceware.org/bugzilla/>
http://sourceware.org/bugzilla/show_bug.cgi?id=13862
--- Comment #1 from Paul Archard <paul at vineyardnetworks dot com> 2012-03-16 23:01:57 UTC ---
An alternative fix would be the following - it is possibly a more complete fix
but it does break encapsulation a little. The previous suggested fix relies on
the dtv being fixed up later.
*** dl-tls.c 2011-05-30 21:12:33.000000000 -0700
--- ../../glibc-2.14.orig/elf/dl-tls.c 2012-03-12 14:37:27.422794007 -0700
***************
*** 35,48 ****
/* Out-of-memory handler. */
- #ifdef SHARED
static void
__attribute__ ((__noreturn__))
oom (void)
{
_dl_fatal_printf ("cannot allocate memory for thread-local data: ABORT\n");
}
- #endif
size_t
--- 35,46 ----
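Review bot: dropping the `#ifdef SHARED` / `#endif` guard around `oom` is only justified because the second hunk calls `oom ()` on the non-SHARED (`#else 0`) path as well, and nothing in this hunk records that; add a short comment above `oom` (or a line in the submission) saying it is now needed by the static build too, and check that `_dl_fatal_printf` is available to a static libc before relying on it there. Separately, the file headers give `dl-tls.c` the 2011 timestamp and `../../glibc-2.14.orig/elf/dl-tls.c` the 2012 one, so the `***` (old) side is the pristine file and the `---` (new) side the edited one, which is the only reading under which these deletions and the additions in the next hunk make sense; regenerating the diff with the orig tree as the first argument would remove that confusion.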
***************
*** 388,393 ****
--- 386,437 ----
TLS. For those which are dynamically loaded we add the values
indicating deferred allocation. */
listp = GL(dl_tls_dtv_slotinfo_list);
+
+ /* check if current dtv is big enough */
+ if (dtv[-1].counter < GL(dl_tls_max_dtv_idx))
+ {
+ dtv_t *newp;
+ size_t newsize = GL(dl_tls_max_dtv_idx) + DTV_SURPLUS;
+ size_t oldsize = dtv[-1].counter;
+
+ if (
+ #ifdef SHARED
+ dtv == GL(dl_initial_dtv)
+ #else
+ 0
+ #endif
+ )
+ {
+ /* This is the initial dtv that was allocated
+ during rtld startup using the dl-minimal.c
+ malloc instead of the real malloc. We can't
+ free it, we have to abandon the old storage. */
+ newp = malloc ((2 + newsize) * sizeof (dtv_t));
+ if (newp == NULL)
+ oom ();
+ memcpy (newp, &dtv[-1], (2 + oldsize) * sizeof (dtv_t));
+ }
+ else
+ {
+ newp = realloc(&dtv[-1], (2 + newsize) * sizeof (dtv_t));
+ if (newp == NULL)
+ oom();
+ }
+
+ newp[0].counter = newsize;
+
+ /* Clear the newly allocated part. */
+ memset (newp + 2 + oldsize, '\0', (newsize - oldsize) * sizeof (dtv_t));
+
+ /* Point dtv to the generation counter. */
+ dtv = &newp[1];
+
+ /* Install this new dtv in the given thread */
+ INSTALL_DTV (result, newp);
+
+ assert(dtv[-1].counter >= GL(dl_tls_max_dtv_idx));
+ }
+
while (1)
{
size_t cnt;
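Review bot: `GL(dl_tls_max_dtv_idx)` is read three separate times in the new block (the `if` condition, the computation of `newsize`, and the closing `assert`); if this path can run concurrently with a `dlopen` that raises the index, the condition and the allocated size can disagree and the `assert` can fire spuriously, so read it once into a local and use that local in all three places, and say in a comment which lock, if any, serializes this function against slotinfo changes. With that done the `assert` is implied by `newp[0].counter = newsize` where `newsize = GL(dl_tls_max_dtv_idx) + DTV_SURPLUS`, so either drop it or keep it explicitly as documentation of the invariant the `while (1)` loop below relies on. Two readability points: `INSTALL_DTV (result, newp)` passes the same pointer as `&dtv[-1]` after the `dtv = &newp[1]` assignment just above it, and writing it as `INSTALL_DTV (result, &dtv[-1])` makes that relationship visible to the reader; and the `#ifdef SHARED` / `#else 0 #endif` spliced into the middle of `if (` is hard to scan, so a local such as `is_initial_dtv` set under `#ifdef SHARED` and tested in a plain `if` would be clearer.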