diff options
| author | Mark Wielaard <mjw@redhat.com> | 2014-08-27 17:07:58 +0200 |
|---|---|---|
| committer | Florian Weimer <fweimer@redhat.com> | 2014-08-28 09:53:08 +0200 |
| commit | 9570bc53fcc11d3cfe028989e611266e8d55bd09 (patch) | |
| tree | b282e160fc7057dcb9b8a5ea9fa3f5c5fea73de7 /NEWS | |
| parent | b0f955c9ac70181532e93aa78c49c204c2a31dfd (diff) | |
| download | glibc-9570bc53fcc11d3cfe028989e611266e8d55bd09.tar.gz glibc-9570bc53fcc11d3cfe028989e611266e8d55bd09.tar.xz glibc-9570bc53fcc11d3cfe028989e611266e8d55bd09.zip | |
i386 TLS_INIT_TP might produce bogus asm changing stack pointer [BZ #17319]
TLS_INIT_TP in sysdeps/i386/nptl/tls.h uses some hand written asm to generate a set_thread_area that might result in exchanging ebx and esp around the syscall causing introspection tools like valgrind to loose track of the user stack. Just use INTERNAL_SYSCALL which makes sure esp isn't changed arbitrarily. Before the patch the code would generate: mov $0xf3,%eax movl $0xfffff,0x8(%esp) movl $0x51,0xc(%esp) xchg %esp,%ebx int $0x80 xchg %esp,%ebx Using INTERNAL_SYSCALL instead will generate: movl $0xfffff,0x8(%esp) movl $0x51,0xc(%esp) xchg %ecx,%ebx mov $0xf3,%eax int $0x80 xchg %ecx,%ebx Thanks to Florian Weimer for analysing why the original code generated the bogus esp usage: _segdescr.desc happens to be at the top of the stack, so its address is in %esp. The asm statement says that %3 is an input, so its value will not change, and GCC can use %esp as the input register for the expression &_segdescr.desc. But the constraints do not fully describe the asm statement because the %3 register is actually modified, albeit only temporarily. [BZ #17319] * sysdeps/i386/nptl/tls.h (TLS_INIT_TP): Use INTERNAL_SYSCALL to call set_thread_area instead of hand written asm. (__NR_set_thread_area): Removed define. (TLS_FLAG_WRITABLE): Likewise. (__ASSUME_SET_THREAD_AREA): Remove check. (TLS_EBX_ARG): Remove define. (TLS_LOAD_EBX): Likewise.
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/NEWS b/NEWS index e5cbd3ea5e..1af9e706dc 100644 --- a/NEWS +++ b/NEWS @@ -23,7 +23,7 @@ Version 2.20 16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031, 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, 17079, 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, 17153, - 17187, 17213, 17259, 17261, 17262, 17263. + 17187, 17213, 17259, 17261, 17262, 17263, 17319. * Reverted change of ABI data structures for s390 and s390x: On s390 and s390x the size of struct ucontext and jmp_buf was increased in |