This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug nptl/22743] __pthread_register_cancel corrupts stack after f81ddabffd
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 25 Jan 2018 12:26:02 +0000
- Subject: [Bug nptl/22743] __pthread_register_cancel corrupts stack after f81ddabffd
- Auto-submitted: auto-generated
- References: <bug-22743-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=22743
--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, hjl/pr22743/master has been created
at 10bba58b7eece4eac0db07c100217b709efd4727 (commit)
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=10bba58b7eece4eac0db07c100217b709efd4727
commit 10bba58b7eece4eac0db07c100217b709efd4727
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Wed Jan 24 15:27:49 2018 -0800
nptl: Update struct pthread_unwind_buf [BZ #22743]
In glibc 2.27, the size of cancel_jmp_buf in struct pthread_unwind_buf
has been increased to match the size of __jmp_buf_tag on Linux/x86 in
order to save and restore shadow stack. Struct pthread_unwind_buf is
used in <pthread.h>, whose address is passed from applications to
libpthread. To access the private data in struct pthread_unwind_buf,
which is placed after cancel_jmp_buf, in libpthread, we must know which
struct pthread_unwind_buf, before glibc 27 and after glibc 2.27, is used
in caller. If the size of caller's struct pthread_unwind_buf is smaller
than what libpthread expects, libpthread will override caller's stack
since struct pthread_unwind_buf is placed on caller's stack.
We enable shadow stack at run-time only if program and all used shared
objects, including dlopened ones, are shadow stack enabled, which means
that they must be compiled with GCC 8 or above and glibc 2.27 or above.
Since we need to save and restore shadow stack only if shadow stack is
enabled, we can safely assume that caller is compiled with smaller
struct pthread_unwind_buf on stack if shadow stack isn't enabled at
run-time. For callers with larger struct pthread_unwind_buf, but
shadow stack isn't enabled, we just have some unused space on caller's
stack.
struct pthread_unwind_buf is changed to union of
1. struct cancel_jmp_buf[1], which contains the common fields of struct
updated_pthread_unwind_buf and struct compat_pthread_unwind_buf.
2. struct updated_pthread_unwind_buf, which is the updated layout of
the cleanup buffer.
3. struct compat_pthread_unwind_buf, which is the compatible layout of
the cleanup buffer.
A macro, UNWIND_BUF_PRIV, is added to get the pointer to the priv field.
By default, it uses the priv field of struct compat_pthread_unwind_buf.
If a target defines NEED_SAVED_MASK_IN_CANCEL_JMP_BUF, it must provide
its own version of UNWIND_BUF_PRIV to get the pointer to the priv field.
On Linux/x86, it uses the priv field of struct compat_pthread_unwind_buf
if shadow stack is disabled and struct updated_pthread_unwind_buf if
shadow stack is enabled.
[BZ #22743]
* csu/libc-start.c (LIBC_START_MAIN): Use the updated version
of the cleanup buffer.
* nptl/cleanup.c (__pthread_register_cancel): Use UNWIND_BUF_PRIV
to access the priv field in the cleanup buffer.
(__pthread_unregister_cancel): Likewise.
* nptl/cleanup_defer.c (__pthread_register_cancel_defer):
Likewise.
(__pthread_unregister_cancel_restore): Likewise.
* nptl/unwind.c (unwind_stop): Likewise.
(__pthread_unwind_next): Likewise.
* nptl/descr.h (pthread_unwind_buf_data): New.
(updated_pthread_unwind_buf): Likewise.
(compat_pthread_unwind_buf): Likewise.
(pthread_unwind_buf): Updated to use updated_pthread_unwind_buf
and compat_pthread_unwind_buf.
(UNWIND_BUF_PRIV): New. Macro to get pointer to the priv field
in the cleanup buffer.
* nptl/pthread_create.c (START_THREAD_DEFN): Use the updated
version of the cleanup buffer.
(__pthread_create_2_1): Use THREAD_COPY_ADDITONAL_INFO to copy
additional info if defined.
* sysdeps/unix/sysv/linux/x86/nptl/pthreadP.h: Use the updated
version of the cleanup buffer to check cancel_jmp_buf size.
* sysdeps/unix/sysv/linux/x86/pthreaddef.h
(THREAD_COPY_ADDITONAL_INFO): New.
(UNWIND_BUF_PRIV): Likewise.
-----------------------------------------------------------------------
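The layout hazard the commit message describes, as an added C model written for this page rather than glibc's own code: the struct and union names follow the commit message, while the field names, the word counts, and the unwind_buf_priv() function standing in for the UNWIND_BUF_PRIV macro are assumptions. It shows why writing the updated layout's priv field through a caller's compat-sized buffer overruns that caller's stack, and why selecting the priv field by the run-time shadow stack state avoids it.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-in sizes for the two cancel_jmp_buf layouts: pre-2.27 and the 2.27
   one grown to hold the shadow stack pointer.  Hypothetical values. */
#define COMPAT_JMP_WORDS  8
#define UPDATED_JMP_WORDS 9

/* Private data libpthread keeps behind cancel_jmp_buf (placeholder fields). */
struct unwind_buf_priv { void *prev; void *cleanup; int canceltype; };

struct compat_pthread_unwind_buf {
    struct { long jmp_buf[COMPAT_JMP_WORDS]; int mask_was_saved; } cancel_jmp_buf[1];
    struct unwind_buf_priv priv;
};

struct updated_pthread_unwind_buf {
    struct { long jmp_buf[UPDATED_JMP_WORDS]; int mask_was_saved; } cancel_jmp_buf[1];
    struct unwind_buf_priv priv;
};

/* The union the commit introduces: both layouts share the leading
   cancel_jmp_buf, only the offset of priv differs. */
union pthread_unwind_buf {
    struct compat_pthread_unwind_buf compat;
    struct updated_pthread_unwind_buf updated;
};

/* UNWIND_BUF_PRIV as a function: pick the priv field of the layout the caller
   was compiled with, using the run-time shadow stack state as discriminator. */
static struct unwind_buf_priv *unwind_buf_priv(union pthread_unwind_buf *b, int shstk_enabled)
{
    return shstk_enabled ? &b->updated.priv : &b->compat.priv;
}

/* Bytes a write to the updated priv would land past the end of a
   compat-sized buffer on the caller's stack; non-zero means corruption. */
size_t compat_overrun_bytes(void)
{
    size_t end = offsetof(struct updated_pthread_unwind_buf, priv) + sizeof(struct unwind_buf_priv);
    size_t have = sizeof(struct compat_pthread_unwind_buf);
    return end > have ? end - have : 0;
}

/* With shadow stack disabled, the selected priv stays inside a compat buffer. */
int compat_priv_fits(void)
{
    union pthread_unwind_buf b;
    uintptr_t p = (uintptr_t)unwind_buf_priv(&b, 0);
    return p + sizeof(struct unwind_buf_priv) <= (uintptr_t)&b + sizeof(struct compat_pthread_unwind_buf);
}
```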