about summary refs log tree commit diff
diff options
context:
space:
mode:
authorMark Wielaard <mjw@redhat.com>2014-08-27 17:07:58 +0200
committerFlorian Weimer <fweimer@redhat.com>2014-08-28 09:53:08 +0200
commit9570bc53fcc11d3cfe028989e611266e8d55bd09 (patch)
treeb282e160fc7057dcb9b8a5ea9fa3f5c5fea73de7
parentb0f955c9ac70181532e93aa78c49c204c2a31dfd (diff)
downloadglibc-9570bc53fcc11d3cfe028989e611266e8d55bd09.tar.gz
glibc-9570bc53fcc11d3cfe028989e611266e8d55bd09.tar.xz
glibc-9570bc53fcc11d3cfe028989e611266e8d55bd09.zip
i386 TLS_INIT_TP might produce bogus asm changing stack pointer [BZ #17319]
TLS_INIT_TP in sysdeps/i386/nptl/tls.h uses some hand written asm to
generate a set_thread_area that might result in exchanging ebx and esp
around the syscall causing introspection tools like valgrind to loose
track of the user stack. Just use INTERNAL_SYSCALL which makes sure
esp isn't changed arbitrarily.

Before the patch the code would generate:

mov    $0xf3,%eax
movl   $0xfffff,0x8(%esp)
movl   $0x51,0xc(%esp)
xchg   %esp,%ebx
int    $0x80
xchg   %esp,%ebx

Using INTERNAL_SYSCALL instead will generate:

movl   $0xfffff,0x8(%esp)
movl   $0x51,0xc(%esp)
xchg   %ecx,%ebx
mov    $0xf3,%eax
int    $0x80
xchg   %ecx,%ebx

Thanks to Florian Weimer for analysing why the original code generated
the bogus esp usage:

  _segdescr.desc happens to be at the top of the stack, so its address
  is in %esp.  The asm statement says that %3 is an input, so its value
  will not change, and GCC can use %esp as the input register for the
  expression &_segdescr.desc.  But the constraints do not fully describe
  the asm statement because the %3 register is actually modified, albeit
  only temporarily.

	[BZ #17319]
	* sysdeps/i386/nptl/tls.h (TLS_INIT_TP): Use INTERNAL_SYSCALL
	to call set_thread_area instead of hand written asm.
	(__NR_set_thread_area): Removed define.
	(TLS_FLAG_WRITABLE): Likewise.
	(__ASSUME_SET_THREAD_AREA): Remove check.
	(TLS_EBX_ARG): Remove define.
	(TLS_LOAD_EBX): Likewise.
-rw-r--r--ChangeLog11
-rw-r--r--NEWS2
-rw-r--r--sysdeps/i386/nptl/tls.h31
3 files changed, 14 insertions, 30 deletions
diff --git a/ChangeLog b/ChangeLog
index 8d1eef4558..23c900dcf7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2014-08-27  Mark Wielaard  <mjw@redhat.com>
+
+	[BZ #17319]
+	* sysdeps/i386/nptl/tls.h (TLS_INIT_TP): Use INTERNAL_SYSCALL
+	to call set_thread_area instead of hand written asm.
+	(__NR_set_thread_area): Removed define.
+	(TLS_FLAG_WRITABLE): Likewise.
+	(__ASSUME_SET_THREAD_AREA): Remove check.
+	(TLS_EBX_ARG): Remove define.
+	(TLS_LOAD_EBX): Likewise.
+
 2014-08-27  Samuel Thibault  <samuel.thibault@ens-lyon.org>
 
 	Simplify atomicity of socket creation in bind.
diff --git a/NEWS b/NEWS
index e5cbd3ea5e..1af9e706dc 100644
--- a/NEWS
+++ b/NEWS
@@ -23,7 +23,7 @@ Version 2.20
   16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031,
   17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, 17079,
   17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, 17153,
-  17187, 17213, 17259, 17261, 17262, 17263.
+  17187, 17213, 17259, 17261, 17262, 17263, 17319.
 
 * Reverted change of ABI data structures for s390 and s390x:
   On s390 and s390x the size of struct ucontext and jmp_buf was increased in
diff --git a/sysdeps/i386/nptl/tls.h b/sysdeps/i386/nptl/tls.h
index ac9c9a22f9..d7302ba8aa 100644
--- a/sysdeps/i386/nptl/tls.h
+++ b/sysdeps/i386/nptl/tls.h
@@ -154,29 +154,6 @@ union user_desc_init
   __asm ("movw %w0, %%gs" :: "q" (val))
 # endif
 
-
-# ifndef __NR_set_thread_area
-#  define __NR_set_thread_area 243
-# endif
-# ifndef TLS_FLAG_WRITABLE
-#  define TLS_FLAG_WRITABLE		0x00000001
-# endif
-
-// XXX Enable for the real world.
-#if 0
-# ifndef __ASSUME_SET_THREAD_AREA
-#  error "we need set_thread_area"
-# endif
-#endif
-
-# ifdef __PIC__
-#  define TLS_EBX_ARG "r"
-#  define TLS_LOAD_EBX "xchgl %3, %%ebx\n\t"
-# else
-#  define TLS_EBX_ARG "b"
-#  define TLS_LOAD_EBX
-# endif
-
 #if defined NEED_DL_SYSINFO
 # define INIT_SYSINFO \
   _head->sysinfo = GLRO(dl_sysinfo)
@@ -231,12 +208,8 @@ tls_fill_user_desc (union user_desc_init *desc,
      tls_fill_user_desc (&_segdescr, -1, _thrdescr);			      \
 									      \
      /* Install the TLS.  */						      \
-     asm volatile (TLS_LOAD_EBX						      \
-		   "int $0x80\n\t"					      \
-		   TLS_LOAD_EBX						      \
-		   : "=a" (_result), "=m" (_segdescr.desc.entry_number)	      \
-		   : "0" (__NR_set_thread_area),			      \
-		     TLS_EBX_ARG (&_segdescr.desc), "m" (_segdescr.desc));    \
+     INTERNAL_SYSCALL_DECL (err);					      \
+     _result = INTERNAL_SYSCALL (set_thread_area, err, 1, &_segdescr.desc);   \
 									      \
      if (_result == 0)							      \
        /* We know the index in the GDT, now load the segment register.	      \