Bug#328183: permit user-level-controlled TLS
reopen 328183
thanks
Aurelien Jarno, le Tue 11 Apr 2006 11:57:41 +0200, a écrit :
> Starting with version 2.3.6-6, the glibc build a libc6-xen. This closes
> this bug.
There are still direct gs:offset references in the libc6-xen binaries, because
the `#ifdef NO_TLS_DIRECT_SEG_REFS` guards are missing in several places.
For instance (libc 2.3.6-13):
(gdb) disassemble poll
Dump of assembler code for function poll:
0xb7eefe40 <poll+0>: push %ebp
0xb7eefe41 <poll+1>: mov %esp,%ebp
0xb7eefe43 <poll+3>: sub $0x10,%esp
0xb7eefe46 <poll+6>: mov %ebx,0xfffffff4(%ebp)
0xb7eefe49 <poll+9>: mov %edi,0xfffffffc(%ebp)
0xb7eefe4c <poll+12>: mov 0x8(%ebp),%edi
0xb7eefe4f <poll+15>: mov %esi,0xfffffff8(%ebp)
0xb7eefe52 <poll+18>: call 0xb7e3bd10 <__i686.get_pc_thunk.bx>
0xb7eefe57 <poll+23>: add $0x6e19d,%ebx
0xb7eefe5d <poll+29>: mov %gs:0xc,%eax
=======
0xb7eefe63 <poll+35>: test %eax,%eax
0xb7eefe65 <poll+37>: jne 0xb7eefe97 <poll+87>
0xb7eefe67 <poll+39>: mov 0xc(%ebp),%ecx
0xb7eefe6a <poll+42>: mov 0x10(%ebp),%edx
0xb7eefe6d <poll+45>: xchg %ebx,%edi
0xb7eefe6f <poll+47>: mov $0xa8,%eax
0xb7eefe74 <poll+52>: call *%gs:0x10
=========
0xb7eefe7b <poll+59>: xchg %edi,%ebx
0xb7eefe7d <poll+61>: cmp $0xfffff000,%eax
0xb7eefe82 <poll+66>: mov %eax,%esi
0xb7eefe84 <poll+68>: mov %eax,%edi
0xb7eefe86 <poll+70>: ja 0xb7eefec9 <poll+137>
0xb7eefe88 <poll+72>: mov %edi,%eax
0xb7eefe8a <poll+74>: mov 0xfffffff4(%ebp),%ebx
0xb7eefe8d <poll+77>: mov 0xfffffff8(%ebp),%esi
0xb7eefe90 <poll+80>: mov 0xfffffffc(%ebp),%edi
0xb7eefe93 <poll+83>: mov %ebp,%esp
0xb7eefe95 <poll+85>: pop %ebp
0xb7eefe96 <poll+86>: ret
0xb7eefe97 <poll+87>: call 0xb7f08300 <__libc_enable_asynccancel>
0xb7eefe9c <poll+92>: mov 0xc(%ebp),%ecx
0xb7eefe9f <poll+95>: mov 0x10(%ebp),%edx
0xb7eefea2 <poll+98>: mov %eax,%esi
0xb7eefea4 <poll+100>: xchg %ebx,%edi
0xb7eefea6 <poll+102>: mov $0xa8,%eax
0xb7eefeab <poll+107>: call *%gs:0x10
=========
0xb7eefeb2 <poll+114>: xchg %edi,%ebx
0xb7eefeb4 <poll+116>: cmp $0xfffff000,%eax
0xb7eefeb9 <poll+121>: mov %eax,%edi
0xb7eefebb <poll+123>: mov %eax,0xfffffff0(%ebp)
...
%gs:0x10 seems to come from the ENTER_KERNEL macro in
sysdeps/unix/sysv/linux/i386/sysdep.h:206:
#ifdef I386_USE_SYSENTER
# ifdef SHARED
# define ENTER_KERNEL call *%gs:SYSINFO_OFFSET
===================
# else
# define ENTER_KERNEL call *_dl_sysinfo
# endif
#else
# define ENTER_KERNEL int $0x80
#endif
and gs:0x0c comes from nptl/sysdeps/i386/tls.h, where there are several pieces
of inline assembly like
asm ("movl %%gs:%c1,%0" : "=r" (__self) \
asm volatile ("movb %%gs:%P2,%b0" \
asm volatile ("movl %%gs:%P1,%0" \
asm volatile ("movl %%gs:%P1,%%eax\n\t" \
...
There are other references in sysdeps/unix/sysv/linux/i386/sysdep.h:376:
"call *%%gs:%P2\n\t" \
and at line 388:
"call *%%gs:%P2\n\t" \
in sysdeps/unix/sysv/linux/i386/clone.S:139-140:
movl %eax, %gs:PID
movl %eax, %gs:TID
and in several places in
nptl/sysdeps/unix/sysv/linux/i386/i486/pthread_rwlock_timedwrlock.S,
nptl/sysdeps/unix/sysv/linux/i386/i486/sem_wait.S,
nptl/sysdeps/unix/sysv/linux/i386/i486/pthread_rwlock_wrlock.S,
nptl/sysdeps/unix/sysv/linux/i386/i486/sem_timedwait.S,
nptl/sysdeps/unix/sysv/linux/i386/i486/pthread_rwlock_rdlock.S,
nptl/sysdeps/unix/sysv/linux/i386/i486/libc-lowlevellock.S,
nptl/sysdeps/unix/sysv/linux/i386/i486/pthread_rwlock_timedrdlock.S,
nptl/sysdeps/unix/sysv/linux/i386/pt-vfork.S,
nptl/sysdeps/unix/sysv/linux/i386/vfork.S,
nptl/sysdeps/unix/sysv/linux/i386/sysdep-cancel.h,
nptl/sysdeps/unix/sysv/linux/i386/lowlevellock.h
Regards,
Samuel