git: 98fd69f0090d - main - rtld/arm: fix initial-exec (IE) thread-local storage relocation

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 03 Nov 2023 21:44:14 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=98fd69f0090da73d9d0451bd769d7752468284c6

commit 98fd69f0090da73d9d0451bd769d7752468284c6
Author:     R. Christian McDonald <rcm@rcm.sh>
AuthorDate: 2023-11-03 12:56:58 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-11-03 21:43:40 +0000

    rtld/arm: fix initial-exec (IE) thread-local storage relocation
    
    net/frr[89] revealed an interesting edge-case on arm when dynamically
    linking a shared library that declares more than one static TLS variable
    with at least one  using the "initial-exec" TLS model. In the case
    of frr[89], this library was libfrr.so which essentially does the
    following:
    
            #include <stdio.h>
    
            #include "lib.h"
    
            static __thread int *a
                    __attribute__((tls_model("initial-exec")));
    
            void lib_test()
            {
                    static __thread int b = -1;
    
                    printf("&a = %p\n", &a);
                    printf(" a = %p\n", a);
    
                    printf("\n");
    
                    printf("&b = %p\n", &b);
                    printf(" b = %d\n", b);
            }
    
    Allocates a file scoped `static __thread` pointer with
    tls_model("initial-exec") and later a block scoped TLS int. Notice in
    the above minimal reproducer, `b == -1`. The relocation process does
    the wrong thing and ends up pointing both `a` and `b` at the same place
    in memory.
    
    The output of the above in the broken state is:
    
            &a = 0x4009c018
             a = 0xffffffff
    
            &b = 0x4009c018
             b = -1
    
    With the patch applied, the output becomes:
    
            &a = 0x4009c01c
             a = 0x0
    
            &b = 0x4009c018
             b = -1
    
    Reviewed by:    kib
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D42415/
---
 libexec/rtld-elf/arm/reloc.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libexec/rtld-elf/arm/reloc.c b/libexec/rtld-elf/arm/reloc.c
index c3e95940be74..6efc9f499761 100644
--- a/libexec/rtld-elf/arm/reloc.c
+++ b/libexec/rtld-elf/arm/reloc.c
@@ -280,10 +280,13 @@ reloc_nonplt_object(Obj_Entry *obj, const Elf_Rel *rel, SymCache *cache,
 				return -1;
 
 			tmp = (Elf_Addr)def->st_value + defobj->tlsoffset;
-			if (__predict_true(RELOC_ALIGNED_P(where)))
+			if (__predict_true(RELOC_ALIGNED_P(where))) {
+				tmp += *where;
 				*where = tmp;
-			else
+			} else {
+				tmp += load_ptr(where);
 				store_ptr(where, tmp);
+			}
 			dbg("TLS_TPOFF32 %s in %s --> %p",
 			    obj->strtab + obj->symtab[symnum].st_name,
 			    obj->path, (void *)tmp);