Bug 23790 - Data race in _dl_profile_fixup with reloc_result update from multiple threads.
Summary: Data race in _dl_profile_fixup with reloc_result update from multiple threads.
Status: NEW
Alias: None
Product: glibc
Classification: Unclassified
Component: dynamic-link (show other bugs)
Version: 2.30
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-18 01:51 UTC by Carlos O'Donell
Modified: 2023-01-31 19:15 UTC (History)
3 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:
Project(s) to access:
ssh public key:
fweimer: security-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos O'Donell 2018-10-18 01:51:20 UTC 
There is a data race in _dl_profile_fixup where multiple threads may enter from the same PLT entry, and update the same reloc_result index entry.

This is similar to the data dependency issues from bug 23690, but there we only look to solve the issue for threads that find the guard variable indicating the structure is initialized only to see incomplete writes to the structure and crash.

The fix is for _dl_profile_fixup to be rewritten such that the threads work on a local copy of a struct reloc_result and then use a RMW sequence to place it into the final array, and thus we avoid the data races.
Comment 1 Carlos O'Donell 2021-06-14 16:54:55 UTC 
This issue is only relevant when the PLT entry is a multi-word entry and therefore needs multiple writes to complete.

I think that IA64 and HPPA (32-bit) are impacted by this issue because of the function descriptor in the PLT.

The power code also likely suffers from this, but in binutils the PLT update sequence is designed to be "thread safe" using architecture-related interlocks.
Comment 2 Carlos O'Donell 2021-06-15 02:31:10 UTC 
(In reply to Carlos O'Donell from comment #1)
> This issue is only relevant when the PLT entry is a multi-word entry and
> therefore needs multiple writes to complete.
> 
> I think that IA64 and HPPA (32-bit) are impacted by this issue because of
> the function descriptor in the PLT.
> 
> The power code also likely suffers from this, but in binutils the PLT update
> sequence is designed to be "thread safe" using architecture-related
> interlocks.

What I wrote here applies both to the traditional PLT fixup in the dynamic loader *and* the fixup of the cached entries while profiling. This particular bug is about only the fixup of the cached entries which are updated when profiling. In this case glibc is entirely responsible for the update.
Comment 3 Kaitlyn John 2023-01-31 19:15:52 UTC Comment hidden (spam)