[musl] arm32 tlsdesc bug

[musl] arm32 tlsdesc bug

[Rui Ueyama]

[-- Attachment #1: Type: text/plain, Size: 1715 bytes --]

Hi,

I think there's a bug in musl's TLSDESC implementation for ARM32.

TLSDESC uses two consecutive GOT slots to store a function pointer and its
argument. Usually, the function pointer is stored in the first slot and the
argument in the second. However, on ARM32, the order is reversed; the
argument is stored in the first slot.

If a TLSDESC relocation has a non-zero addend, it's applied to the function
argument and not to the function pointer. That means, for an ABI that uses
the REL-type relocations (as opposed to RELA-type), the addend should be
stored to the location where the function argument is stored, and that's
the first slot on ARM32.

So, I believe we need something like this.

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index ceca3c98..254fa5b8 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -513,11 +513,17 @@ static void do_relocs(struct dso *dso, size_t *rel,
size_t rel_size, size_t stri
                case REL_TPOFF_NEG:
                        *reloc_addr = def.dso->tls.offset - tls_val +
addend;
                        break;
 #endif
                case REL_TLSDESC:
-                       if (stride<3) addend = reloc_addr[1];
+                       if (stride<3) {
+#ifdef TLSDESC_BACKWARDS
+                               addend = reloc_addr[0];
+#else
+                               addend = reloc_addr[1];
+#endif
+                       }
                        if (def.dso->tls_id > static_tls_cnt) {
                                struct td_index *new = malloc(sizeof *new);
                                if (!new) {
                                        error(
                                        "Error relocating %s: cannot
allocate TLSDESC for %s",

[-- Attachment #2: Type: text/html, Size: 2156 bytes --]

Re: [musl] arm32 tlsdesc bug

[Rich Felker]

On Fri, Oct 06, 2023 at 01:08:18PM +0900, Rui Ueyama wrote:
> Hi,
> 
> I think there's a bug in musl's TLSDESC implementation for ARM32.
> 
> TLSDESC uses two consecutive GOT slots to store a function pointer and its
> argument. Usually, the function pointer is stored in the first slot and the
> argument in the second. However, on ARM32, the order is reversed; the
> argument is stored in the first slot.
> 
> If a TLSDESC relocation has a non-zero addend, it's applied to the function
> argument and not to the function pointer. That means, for an ABI that uses
> the REL-type relocations (as opposed to RELA-type), the addend should be
> stored to the location where the function argument is stored, and that's
> the first slot on ARM32.
> 
> So, I believe we need something like this.
> 
> diff --git a/ldso/dynlink.c b/ldso/dynlink.c
> index ceca3c98..254fa5b8 100644
> --- a/ldso/dynlink.c
> +++ b/ldso/dynlink.c
> @@ -513,11 +513,17 @@ static void do_relocs(struct dso *dso, size_t *rel,
> size_t rel_size, size_t stri
>                 case REL_TPOFF_NEG:
>                         *reloc_addr = def.dso->tls.offset - tls_val +
> addend;
>                         break;
>  #endif
>                 case REL_TLSDESC:
> -                       if (stride<3) addend = reloc_addr[1];
> +                       if (stride<3) {
> +#ifdef TLSDESC_BACKWARDS
> +                               addend = reloc_addr[0];
> +#else
> +                               addend = reloc_addr[1];
> +#endif
> +                       }
>                         if (def.dso->tls_id > static_tls_cnt) {
>                                 struct td_index *new = malloc(sizeof *new);
>                                 if (!new) {
>                                         error(
>                                         "Error relocating %s: cannot
> allocate TLSDESC for %s",

Thank you!! This almost surely explains the TLSDESC problems we've
encountered on arm (32-bit) that prevented enabling it by default.

Rich