Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 87940 - reading uninitialized memory in _dl_relocate_object_internal
Summary: reading uninitialized memory in _dl_relocate_object_internal
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 9
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-04-03 21:12 UTC by John Reiser
Modified: 2016-11-24 15:13 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-04-04 14:00:46 UTC


Attachments (Terms of Use)
input commands to reproduce bug, with output transcript (deleted)
2003-04-03 21:14 UTC, John Reiser
no flags Details

Description John Reiser 2003-04-03 21:12:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
_dl_relocate_object_internal reads uninitialized local memory when running the
test program iconvdata/bug-iconv1.  The source is
-----elf/dl-reloc.c line 44
static void __attribute_noinline__
allocate_static_tls (struct link_map *map)
{
  size_t offset, used, check;

# if TLS_TCB_AT_TP
  offset = roundup (GL(dl_tls_static_used) + map->l_tls_blocksize,
                    map->l_tls_align);
  used = offset;
  check = offset + TLS_TCB_SIZE;
# elif TLS_DTV_AT_TP
  offset = roundup (GL(dl_tls_static_used), map->l_tls_align);
  used = offset + map->l_tls_blocksize;     ##### l_tls_blocksize uninit, sometimes
-----
but the context is
-----elf/dl-reloc.c line 209
#define CHECK_STATIC_TLS(map, sym_map)                                        \
    do {                                                                      \
      if (__builtin_expect ((sym_map)->l_tls_offset == 0, 0))                 \
        allocate_static_tls (sym_map);                                        \
    } while (0)

#include "dynamic-link.h"
-----
because gcc does not obey the __attribute_noinline__.


Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Always

Steps to Reproduce:
1.Enter commands in attached file bug.gdb.
2.Notice that the watchpoint reports no write to stack-local address $ebp-0x5c,
yet that location is read.
3.
    

Actual Results:  Stack-local location $ebp-0x5c is read before it is written.

Expected Results:  Write $ebp-0x5c before reading it.

Additional info:

Comment 1 John Reiser 2003-04-03 21:14:41 UTC
Created attachment 90882 [details]
input commands to reproduce bug, with output transcript

Piping into gdb does not work for me, so I copy+paste each line individually.

Comment 2 Jakub Jelinek 2003-04-04 14:00:46 UTC
No, you're looking at very different source to what _dl_relocate_object
is doing at those instructions.
The read from unitialized stack is in the second _ELF_DYNAMIC_DO_RELOC
macro definition in elf/dynamic-link.h:
        for (ranges_index = 0; ranges_index < 2; ++ranges_index)              \
          elf_dynamic_do_##reloc ((map),                                      \
                                  ranges[ranges_index].start,                 \
                                  ranges[ranges_index].size,                  \
                                  ranges[ranges_index].lazy);                 \
second iteration of the loop, ie. read from ranges[1].start.
Yes, it is read from unitialized memory, but does it matter?
ranges[1].size is initialized (to 0) if this happens, and if 3rd arg to
elf/do-rel.h's elf_machine_do_rel is 0, the second (nor fourth) argument
don't matter at all (end = reladdr + 0 and so all the loops with r < end
condition are never executed.


Note You need to log in before you can comment on or make changes to this bug.