From 5590df9b268140cc535c3a57066a99eefd39627f Mon Sep 17 00:00:00 2001
From: liqingqing_1229
Date: Tue, 6 Feb 2024 19:16:15 +0800
Subject: [PATCH] arm: Remove wrong ldr from _dl_start_user (BZ 31339)
---
 ...ong-ldr-from-_dl_start_user-BZ-31339.patch | 40 +++++++++++++++++++
 glibc.spec | 6 ++-
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 arm-Remove-wrong-ldr-from-_dl_start_user-BZ-31339.patch
diff --git a/arm-Remove-wrong-ldr-from-_dl_start_user-BZ-31339.patch b/arm-Remove-wrong-ldr-from-_dl_start_user-BZ-31339.patch
new file mode 100644
index 0000000..cf400cd
--- /dev/null
+++ b/arm-Remove-wrong-ldr-from-_dl_start_user-BZ-31339.patch
@@ -0,0 +1,40 @@
+From b09073e63138ce409bf6426cf820eeaa0d28ca74 Mon Sep 17 00:00:00 2001
+From: Adhemerval Zanella
+Date: Mon, 5 Feb 2024 16:10:24 +0000
+Subject: [PATCH] arm: Remove wrong ldr from _dl_start_user (BZ 31339)
+
+The commit 49d877a80b29d3002887b084eec6676d9f5fec18 (arm: Remove
+_dl_skip_args usage) removed the _SKIP_ARGS literal, which was
+previously loader to r4 on loader _start. However, the cleanup did not
+remove the following 'ldr r4, [sl, r4]' on _dl_start_user, used to check
+to skip the arguments after ld self-relocations.
+
+In my testing, the kernel initially set r4 to 0, which makes the
+ldr instruction just read the _GLOBAL_OFFSET_TABLE_. However, since r4
+is a callee-saved register; a different runtime might not zero
+initialize it and thus trigger an invalid memory access.
+
+Checked on arm-linux-gnu.
+
+Reported-by: Adrian Ratiu
+Reviewed-by: Szabolcs Nagy
+(cherry picked from commit 1e25112dc0cb2515d27d8d178b1ecce778a9d37a)
+---
+ sysdeps/arm/dl-machine.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sysdeps/arm/dl-machine.h b/sysdeps/arm/dl-machine.h
+index d720c02c96..77dc7415e9 100644
+--- a/sysdeps/arm/dl-machine.h
++++ b/sysdeps/arm/dl-machine.h
+@@ -137,7 +137,6 @@ _start:\n\
+ _dl_start_user:\n\
+ adr r6, .L_GET_GOT\n\
+ add sl, sl, r6\n\
+- ldr r4, [sl, r4]\n\
+ @ save the entry point in another register\n\
+ mov r6, r0\n\
+ @ get the original arg count\n\
+--
+2.33.0
+
diff --git a/glibc.spec b/glibc.spec
index 4d1b98c..cf8246b 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -67,7 +67,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.38
-Release: 20
+Release: 21
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
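Review bot: The embedded dl-machine.h hunk removes `ldr r4, [sl, r4]`, the only visible read of r4 in `_dl_start_user`, but the enclosing `_start` asm string begins before the hunk and continues past it, so this backport should be checked against the full `_dl_start_user` body in the 2.38 tree to confirm that no later instruction still consumes r4 as the old `_SKIP_ARGS` offset. As the upstream message notes, the load indexed the GOT by a callee-saved register that the kernel is not obliged to zero, so the removed line was an out-of-bounds read waiting to happen rather than dead code; that is worth a sentence in the package changelog so a later reader does not treat this as a cosmetic cleanup. The patch header records the cherry-pick source (1e25112dc0cb2515d27d8d178b1ecce778a9d37a) and the spec hunk wires it in as Patch54, which is consistent with the existing numbering.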
@@ -139,6 +139,7 @@ Patch50: sparc-Fix-broken-memset-for-sparc32-BZ-31068.patch Patch51: sparc64-Remove-unwind-information-from-signal-return.patch Patch52: sparc-Fix-sparc64-memmove-length-comparison-BZ-31266.patch Patch53: sparc-Remove-unwind-information-from-signal-return-s.patch +Patch54: arm-Remove-wrong-ldr-from-_dl_start_user-BZ-31339.patch Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch Patch9001: locale-delete-no-hard-link-to-avoid-all_language-pac.patch @@ -1352,6 +1353,9 @@ fi %endif %changelog +* Tue Feb 6 Qingqing Li - 2.38-21 +- arm: Remove wrong ldr from _dl_start_user (BZ 31339) + * Mon Feb 5 Qingqing Li - 2.38-20 - x86_64: Optimize ffsll function code size - S390: Fix building with disable mutli arch (BZ 31196) -- Gitee