From f496b750f135e57da921e975835c44bd199246dd Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Thu, 1 Aug 2024 23:31:30 +0200 Subject: elf: Avoid re-initializing already allocated TLS in dlopen (bug 31717) The old code used l_init_called as an indicator for whether TLS initialization was complete. However, it is possible that TLS for an object is initialized, written to, and then dlopen for this object is called again, and l_init_called is not true at this point. Previously, this resulted in TLS being initialized twice, discarding any interim writes (technically introducing a use-after-free bug even). This commit introduces an explicit per-object flag, l_tls_in_slotinfo. It indicates whether _dl_add_to_slotinfo has been called for this object. This flag is used to avoid double-initialization of TLS. In update_tls_slotinfo, the first_static_tls micro-optimization is removed because preserving the initalization flag for subsequent use by the second loop for static TLS is a bit complicated, and another per-object flag does not seem to be worth it. Furthermore, the l_init_called flag is dropped from the second loop (for static TLS initialization) because l_need_tls_init on its own prevents double-initialization. The remaining l_init_called usage in resize_scopes and update_scopes is just an optimization due to the use of scope_has_map, so it is not changed in this commit. The isupper check ensures that libc.so.6 is TLS is not reverted. Such a revert happens if l_need_tls_init is not cleared in _dl_allocate_tls_init for the main_thread case, now that l_init_called is not checked anymore in update_tls_slotinfo in elf/dl-open.c. Reported-by: Jonathon Anderson Reviewed-by: Carlos O'Donell (cherry picked from commit 5097cd344fd243fb8deb6dec96e8073753f962f9) --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 10a125bc66..5b20efbf6c 100644 --- a/NEWS +++ b/NEWS @@ -10,7 +10,7 @@ Version 2.40.1 The following bugs are resolved with this release: [30081] resolv: Do not wait for non-existing second DNS response after error - [31968] mremap implementation in C does not handle arguments correctly + [31717] elf: Avoid re-initializing already allocated TLS in dlopen [31890] resolv: Allow short error responses to match any DNS query [31968] mremap implementation in C does not handle arguments correctly [32026] strerror/strsignal TLS not handled correctly for secondary namespaces -- cgit 1.4.1