[ipfire-2.x.git] / src / patches / glibc-2.38 / 0037-x86-64-Fix-the-tcb-field-load-for-x32-BZ-31185.patch

From 968c983d43bc51f719f3e7a0fcb1bb8669b5f7c4 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Wed, 20 Dec 2023 19:42:12 -0800
Subject: [PATCH 37/44] x86-64: Fix the tcb field load for x32 [BZ #31185]

_dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic access the thread pointer
via the tcb field in TCB:

_dl_tlsdesc_undefweak:
        _CET_ENDBR
        movq    8(%rax), %rax
        subq    %fs:0, %rax
        ret

_dl_tlsdesc_dynamic:
	...
        subq    %fs:0, %rax
        movq    -8(%rsp), %rdi
        ret

Since the tcb field in TCB is a pointer, %fs:0 is a 32-bit location,
not 64-bit. It should use "sub %fs:0, %RAX_LP" instead.  Since
_dl_tlsdesc_undefweak returns ptrdiff_t and _dl_make_tlsdesc_dynamic
returns void *, RAX_LP is appropriate here for x32 and x86-64.  This
fixes BZ #31185.

(cherry picked from commit 81be2a61dafc168327c1639e97b6dae128c7ccf3)
---
 NEWS                        | 1 +
 sysdeps/x86_64/dl-tlsdesc.S | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 71057e4793..6fbb8a9e1d 100644
--- a/NEWS
+++ b/NEWS
@@ -38,6 +38,7 @@ The following bugs are resolved with this release:
     -D_FILE_OFFSET_BITS=64
   [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
   [31184] FAIL: elf/tst-tlsgap
+  [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
 
 \f
 Version 2.38
diff --git a/sysdeps/x86_64/dl-tlsdesc.S b/sysdeps/x86_64/dl-tlsdesc.S
index c4823547d7..4579424bf7 100644
--- a/sysdeps/x86_64/dl-tlsdesc.S
+++ b/sysdeps/x86_64/dl-tlsdesc.S
@@ -61,7 +61,7 @@ _dl_tlsdesc_return:
 _dl_tlsdesc_undefweak:
 	_CET_ENDBR
 	movq	8(%rax), %rax
-	subq	%fs:0, %rax
+	sub	%fs:0, %RAX_LP
 	ret
 	cfi_endproc
 	.size	_dl_tlsdesc_undefweak, .-_dl_tlsdesc_undefweak
@@ -116,7 +116,7 @@ _dl_tlsdesc_dynamic:
 	addq	TLSDESC_MODOFF(%rdi), %rax
 .Lret:
 	movq	-16(%rsp), %rsi
-	subq	%fs:0, %rax
+	sub	%fs:0, %RAX_LP
 	movq	-8(%rsp), %rdi
 	ret
 .Lslow:
-- 
2.39.2
Commit	Line	Data
a61a21ef MT	1	From 968c983d43bc51f719f3e7a0fcb1bb8669b5f7c4 Mon Sep 17 00:00:00 2001
	2	From: "H.J. Lu" <hjl.tools@gmail.com>
	3	Date: Wed, 20 Dec 2023 19:42:12 -0800
	4	Subject: [PATCH 37/44] x86-64: Fix the tcb field load for x32 [BZ #31185]
	5
	6	_dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic access the thread pointer
	7	via the tcb field in TCB:
	8
	9	_dl_tlsdesc_undefweak:
	10	_CET_ENDBR
	11	movq 8(%rax), %rax
	12	subq %fs:0, %rax
	13	ret
	14
	15	_dl_tlsdesc_dynamic:
	16	...
	17	subq %fs:0, %rax
	18	movq -8(%rsp), %rdi
	19	ret
	20
	21	Since the tcb field in TCB is a pointer, %fs:0 is a 32-bit location,
	22	not 64-bit. It should use "sub %fs:0, %RAX_LP" instead. Since
	23	_dl_tlsdesc_undefweak returns ptrdiff_t and _dl_make_tlsdesc_dynamic
	24	returns void *, RAX_LP is appropriate here for x32 and x86-64. This
	25	fixes BZ #31185.
	26
	27	(cherry picked from commit 81be2a61dafc168327c1639e97b6dae128c7ccf3)
	28	---
	29	NEWS \| 1 +
	30	sysdeps/x86_64/dl-tlsdesc.S \| 4 ++--
	31	2 files changed, 3 insertions(+), 2 deletions(-)
	32
	33	diff --git a/NEWS b/NEWS
	34	index 71057e4793..6fbb8a9e1d 100644
	35	--- a/NEWS
	36	+++ b/NEWS
	37	@@ -38,6 +38,7 @@ The following bugs are resolved with this release:
	38	-D_FILE_OFFSET_BITS=64
	39	[30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
	40	[31184] FAIL: elf/tst-tlsgap
	41	+ [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
	42
	43	\f
	44	Version 2.38
	45	diff --git a/sysdeps/x86_64/dl-tlsdesc.S b/sysdeps/x86_64/dl-tlsdesc.S
	46	index c4823547d7..4579424bf7 100644
	47	--- a/sysdeps/x86_64/dl-tlsdesc.S
	48	+++ b/sysdeps/x86_64/dl-tlsdesc.S
	49	@@ -61,7 +61,7 @@ _dl_tlsdesc_return:
	50	_dl_tlsdesc_undefweak:
	51	_CET_ENDBR
	52	movq 8(%rax), %rax
	53	- subq %fs:0, %rax
	54	+ sub %fs:0, %RAX_LP
	55	ret
	56	cfi_endproc
	57	.size _dl_tlsdesc_undefweak, .-_dl_tlsdesc_undefweak
	58	@@ -116,7 +116,7 @@ _dl_tlsdesc_dynamic:
	59	addq TLSDESC_MODOFF(%rdi), %rax
	60	.Lret:
	61	movq -16(%rsp), %rsi
	62	- subq %fs:0, %rax
	63	+ sub %fs:0, %RAX_LP
	64	movq -8(%rsp), %rdi
65	ret
66	.Lslow:
67	--
68	2.39.2
69