Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 23 May 2015 23:08:09 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: ppc soft-float regression

On Fri, May 22, 2015 at 02:23:46AM -0400, Rich Felker wrote:
> On Tue, May 19, 2015 at 12:07:31AM +0200, Felix Janda wrote:
> > Rich Felker wrote:
> > > On Mon, May 18, 2015 at 04:10:43PM -0400, Rich Felker wrote:
> > > > OK I've looked at this and I understand what's happening. PowerPC does
> > > > not have a separate relocation type for GOT entries; instead it uses
> > > > the same relocation type used for address constants global data. These
> > > > do not get re-processed after the main program and libraries are
> > > > added, because unlike GOT slots, they have addends, and if the addend
> > > > is inline (using REL rather than RELA) then it's already been
> > > > clobbered by the early relocation phase and can't easily be recovered.
> > > > 
> > > > I see three possible solutions:
> > > > 
> > > > 1. Treat R_PPC_ADDR32 as a GOT relocation instead of a regular
> > > >    symbolic relocation in data. This would suppress the addend (giving
> > > >    wrong address) if inline addends (REL) were used, but in practice
> > > >    powerpc aways uses RELA. I consider this a hack, and perhaps risky,
> > > >    since in principle someone could make powerpc binaries with REL.
> > > > 
> > > > 2. Re-process not just GOT type relocs, but also any RELA
> > > >    (non-inline-addend) relocs again on the second pass. This would
> > > >    work as long as powerpc only uses RELA, and if REL is ever used,
> > > >    the worst that would happen is the current bug (losing environ,
> > > >    etc.) rather than silently wrong relocations in global data. This
> > > >    approach is not a hack, but I consider it something of an
> > > >    incomplete fix.
> > > > 
> > > > 3. Re-process all symbolic relocations. For REL-type (inline addend),
> > > >    we have to recover the original addend, which can be done by
> > > >    calling find_sym again, but using ldso instead of the current
> > > >    library chain head as the context to search for the symbol in, then
> > > >    subtracting the resulting address to get back the original addend.
> > > > 
> > > > I like the third solution best, even though it incurs a small code
> > > > size cost and a performance cost for archs using REL, because it's
> > > > completely robust against any weird ways some archs might end up using
> > > > relocations. The expected number of such relocations is tiny anyway;
> > > > on my i386 builds it's 14.
> > > > 
> > > > If option 3 proves to be difficult or costly, however, we could
> > > > consider option 2 as a temporary measure to get powerpc working. It
> > > > wouldn't even need to be reverted, because option 3 includes/subsumes
> > > > the work that would be done for option 2.
> > > 
> > > Attached is a patch to implement option 2. I'll probably commit it
> > > soon anyway but here is it in case you want to test sooner. I verified
> > > it fixes the test program on powerpc for me.
> > 
> > Thanks for the quick fix! The new commit fixes also the other segfaults
> > I've seen.
> 
> Attached is a patch that finishes the job by completing option 3. I
> haven't tested it much yet so I'll hold off on committing it for a
> while but it seems to work fine (not break anything) on i386.
> 
> diff --git a/src/ldso/dynlink.c b/src/ldso/dynlink.c
> index 93595a0..485bd4f 100644
> --- a/src/ldso/dynlink.c
> +++ b/src/ldso/dynlink.c
> @@ -280,12 +280,17 @@ static void do_relocs(struct dso *dso, size_t *rel, size_t rel_size, size_t stri
>  			def.dso = dso;
>  		}
>  
> -		int gotplt = (type == REL_GOT || type == REL_PLT);
> -		if (dso->rel_update_got && !gotplt && stride==2) continue;
> -
> -		addend = stride>2 ? rel[2]
> -			: gotplt || type==REL_COPY ? 0
> -			: *reloc_addr;
> +		if (stride > 2) {
> +			addend = rel[2];
> +		} else if (type==REL_GOT || type==REL_PLT || type==REL_COPY) {
> +			addend = 0;
> +		} else {
> +			addend = *reloc_addr;
> +			if (dso->rel_update_got) {
> +				struct symdef old = find_sym(&ldso, name, 0);
> +				addend -= (size_t)ldso.base+old.sym->st_value;
> +			}
> +		}

Actually I'm not happy with this patch as-is. It's only valid for
REL_SYMBOLIC (or REL_SYM_OR_REL with a symbol) type relocations,
because it's assuming that the value at reloc_addr is sym_val+addend.
We could restrict reprocessing to just those types, but there are a
number of other reloc types that could theoretically arise and that we
should be treating correctly. REL_OFFSET/REL_OFFSET32 probably should
not appear in libc.so (or anything without TEXTRELs), but if we need
to support them, we would also need to adjust by (size_t)reloc_addr.
What's more important, though, are TLS-type relocations which in
principle could appear if libgcc.a is emulating floating point
environment for softfloat via TLS. REL_DTPOFF and REL_TLSDESC are
probably the only ones that would be valid here (only GD model is
valid in shared libraries) and REL_DTPOFF is trivial to reverse and
extract an addend, but REL_TLSDESC is relatively complex to handle.

Sure we could just do REL_SYMBOLIC for now, but if we can't yet solve
the problem in a future-proof way, I'm not sure there's much value in
committing the patch at this point, since there's no present issue
it's fixing.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.