
From: Sergey Bugaev
Subject: Re: [RFC PATCH glibc 24/34] hurd: Only check for TLS initialization inside rtld or in static builds
Date: Thu, 13 Apr 2023 15:17:51 +0300

Alright, here's some more analysis.

I was unable to fetch your core dump (403), but the test case and
libc/ld all 200'ed, and the crash / hang reproduces -- awesome.

And guess what? Firstly, the error we get from mach_port_mod_refs is
EMACH_RCV_INVALID_NAME 268451842 (ipc/rcv) invalid name
so my hunch that this one reply port was broken turned out correct. So
now looking at how we get it...

(gdb) disas __mig_get_reply_port
Dump of assembler code for function __GI___mig_get_reply_port:
   0x0001c310 <+0>:       call   0x1cb9e2 <__x86.get_pc_thunk.cx>
   0x0001c315 <+5>:       add    $0x28ecdf,%ecx
   0x0001c31b <+11>:      mov    %gs:0x0,%eax
   0x0001c321 <+17>:      mov    0x38(%eax),%edx
   0x0001c324 <+20>:      test   %edx,%edx
   0x0001c326 <+22>:      je     0x1c340 <__GI___mig_get_reply_port+48>
   0x0001c328 <+24>:      lea    0x16d8(%ecx),%ecx
   0x0001c32e <+30>:      add    $0x38,%eax
   0x0001c331 <+33>:      cmp    %ecx,%eax
   0x0001c333 <+35>:      je     0x1c339 <__GI___mig_get_reply_port+41>
   0x0001c335 <+37>:      cmp    (%ecx),%edx
   0x0001c337 <+39>:      je     0x1c340 <__GI___mig_get_reply_port+48>
   0x0001c339 <+41>:      mov    %edx,%eax
   0x0001c33b <+43>:      ret
   0x0001c33c <+44>:      lea    0x0(%esi,%eiz,1),%esi
   0x0001c340 <+48>:      sub    $0xc,%esp
   0x0001c343 <+51>:      call   0x1ba40 <__GI___mach_reply_port>
   0x0001c348 <+56>:      mov    %gs:0x0,%eax
   0x0001c34e <+62>:      mov    0x38(%eax),%eax
   0x0001c351 <+65>:      add    $0xc,%esp
   0x0001c354 <+68>:      ret

That is surely very different from the one I cited in the cover
letter! Look at what it's doing to the result of mach_reply_port (in
%eax) -- it straight-up overwrites it with the tcb pointer.

That is, of course, exactly the __seg_gs miscompilation I reported,
and exactly what "hurd: Remove __hurd_local_reply_port" was supposed
to work around (by not accessing it as THREAD_SELF->reply_port, but
rather using THREAD_SETMEM). I have now sent the second version of
that patch, please try applying it and test if that fixes it.

And the commit that has broken things here was
748511f0bb61785f976e18843d707a8ba8fffe29 ("hurd: i386 TLS tweaks"),
where I made THREAD_SELF (and friends) work through __seg_gs,
triggering the miscompilation. I'm surprised your testing hasn't
caught it earlier, but maybe the extra branch/indirection for the
no-tls case was masking the miscompilation. Please also check if the
other reply port tweak you reverted today is also innocent.

I have uploaded my own builds of libc.so and ld.so at [0] & [1] (but
these are with v1 of "hurd: Remove __hurd_local_reply_port", and with
all of this patchset applied).
[0] https://darnassus.sceen.net/~bugaevc/libc.so
[1] https://darnassus.sceen.net/~bugaevc/ld.so

Please test whether they work on your system.
