glibc.git/sysdeps/generic/ldsodefs.h, branch master Unnamed repository; edit this file 'description' to name the repository. htl: Fix conditions for thread list variables 2025-11-22T20:55:02+00:00 Samuel Thibault samuel.thibault@ens-lyon.org 2025-11-22T10:55:40+00:00 0f7b73f2ed70e783cd02ab77503645b03ee1d332 _dl_stack_used/user/etc. vs _dl_pthread_num_threads etc. is really an nptl vs htl question rather than pthread being in libc. 
_dl_stack_used/user/etc. vs _dl_pthread_num_threads etc. is really an
nptl vs htl question rather than pthread being in libc.
tls: Add debug logging for TLS and TCB management 2025-11-03T09:47:28+00:00 Frédéric Bérat fberat@redhat.com 2025-09-05T14:14:38+00:00 332f8e62afef53492dd8285490bcf7aeef18c80a Introduce the `DL_DEBUG_TLS` debug mask to enable detailed logging for Thread-Local Storage (TLS) and Thread Control Block (TCB) management. This change integrates a new `tls` option into the `LD_DEBUG` environment variable, allowing developers to trace: - TCB allocation, deallocation, and reuse events in `dl-tls.c`, `nptl/allocatestack.c`, and `nptl/nptl-stack.c`. - Thread startup events, including the TID and TCB address, in `nptl/pthread_create.c`. A new test, `tst-dl-debug-tid`, has been added to validate the functionality of this new debug logging, ensuring that relevant messages are correctly generated for both main and worker threads. This enhances the debugging capabilities for diagnosing issues related to TLS allocation and thread lifecycle within the dynamic linker. Reviewed-by: DJ Delorie <dj@redhat.com> 
Introduce the `DL_DEBUG_TLS` debug mask to enable detailed logging for
Thread-Local Storage (TLS) and Thread Control Block (TCB) management.

This change integrates a new `tls` option into the `LD_DEBUG`
environment variable, allowing developers to trace:
- TCB allocation, deallocation, and reuse events in `dl-tls.c`,
  `nptl/allocatestack.c`, and `nptl/nptl-stack.c`.
- Thread startup events, including the TID and TCB address, in
  `nptl/pthread_create.c`.

A new test, `tst-dl-debug-tid`, has been added to validate the
functionality of this new debug logging, ensuring that relevant messages
are correctly generated for both main and worker threads.

This enhances the debugging capabilities for diagnosing issues related
to TLS allocation and thread lifecycle within the dynamic linker.

Reviewed-by: DJ Delorie <dj@redhat.com>
elf: early conversion of elf p_flags to mprotect flags 2025-08-27T13:45:45+00:00 Cupertino Miranda cupertino.miranda@oracle.com 2025-08-22T10:37:00+00:00 3b2b88cceeb79f73a72367800d91599e2af4bb39 This patch replaces _dl_stack_flags global variable by _dl_stack_prot_flags. The advantage is that any convertion from p_flags to final used mprotect flags occurs at loading of p_flags. It avoids repeated spurious convertions of _dl_stack_flags, for example in allocate_thread_stack. This modification was suggested in: https://sourceware.org/pipermail/libc-alpha/2025-March/165537.html Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> 
This patch replaces _dl_stack_flags global variable by
_dl_stack_prot_flags.
The advantage is that any convertion from p_flags to final used mprotect
flags occurs at loading of p_flags. It avoids repeated spurious
convertions of _dl_stack_flags, for example in allocate_thread_stack.

This modification was suggested in:
  https://sourceware.org/pipermail/libc-alpha/2025-March/165537.html

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
elf: Restore support for _r_debug interpositions and copy relocations 2025-07-05T18:15:12+00:00 Florian Weimer fweimer@redhat.com 2025-07-04T19:46:30+00:00 ea85e7d55087075376a29261e722e4fae14ecbe7 The changes in commit a93d9e03a31ec14405cb3a09aa95413b67067380 ("Extend struct r_debug to support multiple namespaces [BZ #15971]") break the dyninst dynamic instrumentation tool. It brings its own definition of _r_debug (rather than a declaration). Furthermore, it turns out it is rather hard to use the proposed handshake for accessing _r_debug via DT_DEBUG. If applications want to access _r_debug, they can do so directly if the relevant code has been built as PIC. To protect against harm from accidental copy relocations due to linker relaxations, this commit restores copy relocation support by adjusting both copies if interposition or copy relocations are in play. Therefore, it is possible to use a hidden reference in ld.so to access _r_debug. Only perform the copy relocation initialization if libc has been loaded. Otherwise, the ld.so search scope can be empty, and the lookup of the _r_debug symbol mail fail. Reviewed-by: H.J. Lu <hjl.tools@gmail.com> 
The changes in commit a93d9e03a31ec14405cb3a09aa95413b67067380
("Extend struct r_debug to support multiple namespaces [BZ #15971]")
break the dyninst dynamic instrumentation tool.  It brings its
own definition of _r_debug (rather than a declaration).

Furthermore, it turns out it is rather hard to use the proposed
handshake for accessing _r_debug via DT_DEBUG. If applications want
to access _r_debug, they can do so directly if the relevant code has
been built as PIC.  To protect against harm from accidental copy
relocations due to linker relaxations, this commit restores copy
relocation support by adjusting both copies if interposition or
copy relocations are in play.  Therefore, it is possible to
use a hidden reference in ld.so to access _r_debug.

Only perform the copy relocation initialization if libc has been
loaded.  Otherwise, the ld.so search scope can be empty, and the
lookup of the _r_debug symbol mail fail.

Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
elf: Introduce _dl_debug_change_state 2025-07-05T18:15:12+00:00 Florian Weimer fweimer@redhat.com 2025-07-04T19:46:16+00:00 8329939a37f483a16013dd8af8303cbcb86d92cb It combines updating r_state with the debugger notification. The second change to _dl_open introduces an additional debugger notification for dlmopen, but debuggers are expected to ignore it. Reviewed-by: H.J. Lu <hjl.tools@gmail.com> 
It combines updating r_state with the debugger notification.

The second change to  _dl_open introduces an additional debugger
notification for dlmopen, but debuggers are expected to ignore it.

Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
elf: Introduce separate _r_debug_array variable 2025-07-05T18:15:12+00:00 Florian Weimer fweimer@redhat.com 2025-07-04T19:46:05+00:00 7278d11f3a0cd528188c719bab75575b0aea2c6e It replaces the ns_debug member of the namespaces. Previously, the base namespace had an unused ns_debug member. This change also fixes a concurrency issue: Now _dl_debug_initialize only updates r_next of the previous namespace's r_debug after the new r_debug is initialized, so that only the initialized version is observed. (Client code accessing _r_debug will benefit from load dependency tracking in CPUs even without explicit barriers.) Reviewed-by: H.J. Lu <hjl.tools@gmail.com> 
It replaces the ns_debug member of the namespaces.  Previously,
the base namespace had an unused ns_debug member.

This change also fixes a concurrency issue: Now _dl_debug_initialize
only updates r_next of the previous namespace's r_debug after the new
r_debug is initialized, so that only the initialized version is
observed.  (Client code accessing _r_debug will benefit from load
dependency tracking in CPUs even without explicit barriers.)

Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
nptl: Fix pthread_getattr_np when modules with execstack are allowed (BZ 32897) 2025-04-28T13:13:46+00:00 Adhemerval Zanella adhemerval.zanella@linaro.org 2025-04-24T15:27:44+00:00 0c3425942374e72c3bcac28b2578117d36b0f9df The BZ 32653 fix (12a497c716f0a06be5946cabb8c3ec22a079771e) kept the stack pointer zeroing from make_main_stack_executable on _dl_make_stack_executable. However, previously the 'stack_endp' pointed to temporary variable created before the call of _dl_map_object_from_fd; while now we use the __libc_stack_end directly. Since pthread_getattr_np relies on correct __libc_stack_end, if _dl_make_stack_executable is called (for instance, when glibc.rtld.execstack=2 is set) __libc_stack_end will be set to zero, and the call will always fail. The __libc_stack_end zero was used a mitigation hardening, but since 52a01100ad011293197637e42b5be1a479a2f4ae it is used solely on pthread_getattr_np code. So there is no point in zeroing anymore. Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: Sam James <sam@gentoo.org> 
The BZ 32653 fix (12a497c716f0a06be5946cabb8c3ec22a079771e) kept the
stack pointer zeroing from make_main_stack_executable on
_dl_make_stack_executable.  However, previously the 'stack_endp'
pointed to temporary variable created before the call of
_dl_map_object_from_fd; while now we use the __libc_stack_end
directly.

Since pthread_getattr_np relies on correct __libc_stack_end, if
_dl_make_stack_executable is called (for instance, when
glibc.rtld.execstack=2 is set) __libc_stack_end will be set to zero,
and the call will always fail.

The __libc_stack_end zero was used a mitigation hardening, but since
52a01100ad011293197637e42b5be1a479a2f4ae it is used solely on
pthread_getattr_np code.  So there is no point in zeroing anymore.

Checked on x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Sam James <sam@gentoo.org>
elf: Extend glibc.rtld.execstack tunable to force executable stack (BZ 32653) 2025-04-08T19:19:49+00:00 Adhemerval Zanella adhemerval.zanella@linaro.org 2025-02-13T17:02:38+00:00 12a497c716f0a06be5946cabb8c3ec22a079771e From the bug report [1], multiple programs still require to dlopen shared libraries with either missing PT_GNU_STACK or with the executable bit set. Although, in some cases, it seems to be a hard-craft assembly source without the required .note.GNU-stack marking (so the static linker is forced to set the stack executable if the ABI requires it), other cases seem that the library uses trampolines [2]. Unfortunately, READ_IMPLIES_EXEC is not an option since on some ABIs (x86_64), the kernel clears the bit, making it unsupported. To avoid reinstating the broken code that changes stack permission on dlopen (0ca8785a28), this patch extends the glibc.rtld.execstack tunable to allow an option to force an executable stack at the program startup. The tunable is a security issue because it defeats the PT_GNU_STACK hardening. It has the slight advantage of making it explicit by the caller, and, as for other tunables, this is disabled for setuid binaries. A tunable also allows us to eventually remove it, but from previous experiences, it would require some time. Checked on aarch64-linux-gnu, x86_64-linux-gnu, and i686-linux-gnu. [1] https://sourceware.org/bugzilla/show_bug.cgi?id=32653 [2] https://github.com/conda-forge/ctng-compiler-activation-feedstock/issues/143 Reviewed-by: Sam James <sam@gentoo.org> 
From the bug report [1], multiple programs still require to dlopen
shared libraries with either missing PT_GNU_STACK or with the executable
bit set.  Although, in some cases, it seems to be a hard-craft assembly
source without the required .note.GNU-stack marking (so the static linker
is forced to set the stack executable if the ABI requires it), other
cases seem that the library uses trampolines [2].

Unfortunately, READ_IMPLIES_EXEC is not an option since on some ABIs
(x86_64), the kernel clears the bit, making it unsupported.  To avoid
reinstating the broken code that changes stack permission on dlopen
(0ca8785a28), this patch extends the glibc.rtld.execstack tunable to
allow an option to force an executable stack at the program startup.

The tunable is a security issue because it defeats the PT_GNU_STACK
hardening.  It has the slight advantage of making it explicit by the
caller, and, as for other tunables, this is disabled for setuid binaries.
A tunable also allows us to eventually remove it, but from previous
experiences, it would require some time.

Checked on aarch64-linux-gnu, x86_64-linux-gnu, and i686-linux-gnu.

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=32653
[2] https://github.com/conda-forge/ctng-compiler-activation-feedstock/issues/143
Reviewed-by: Sam James <sam@gentoo.org>
debug: Improve '%n' fortify detection (BZ 30932) 2025-03-21T18:46:48+00:00 Adhemerval Zanella adhemerval.zanella@linaro.org 2025-03-14T19:09:57+00:00 ed6a68bac7cd056abda9008019c71b167f0362dc The 7bb8045ec0 path made the '%n' fortify check ignore EMFILE errors while trying to open /proc/self/maps, and this added a security issue where EMFILE can be attacker-controlled thus making it ineffective for some cases. The EMFILE failure is reinstated but with a different error message. Also, to improve the false positive of the hardening for the cases where no new files can be opened, the _dl_readonly_area now uses _dl_find_object to check if the memory area is within a writable ELF segment. The procfs method is still used as fallback. Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: Arjun Shankar <arjun@redhat.com> 
The 7bb8045ec0 path made the '%n' fortify check ignore EMFILE errors
while trying to open /proc/self/maps, and this added a security
issue where EMFILE can be attacker-controlled thus making it
ineffective for some cases.

The EMFILE failure is reinstated but with a different error
message.  Also, to improve the false positive of the hardening for
the cases where no new files can be opened, the
_dl_readonly_area now uses  _dl_find_object to check if the
memory area is within a writable ELF segment.  The procfs method is
still used as fallback.

Checked on x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Arjun Shankar <arjun@redhat.com>
elf: Canonicalize $ORIGIN in an explicit ld.so invocation [BZ 25263] 2025-03-13T19:50:16+00:00 Adhemerval Zanella adhemerval.zanella@linaro.org 2025-02-18T20:58:16+00:00 9b646f5dc933dfa019f2ed7f80b6198b43e31f62 When an executable is invoked directly, we calculate $ORIGIN by calling readlink on /proc/self/exe, which the Linux kernel resolves to the target of any symlinks. However, if an executable is run through ld.so, we cannot use /proc/self/exe and instead use the path given as an argument. This leads to a different calculation of $ORIGIN, which is most notable in that it causes ldd to behave differently (e.g., by not finding a library) from directly running the program. To make the behavior consistent, take advantage of the fact that the kernel also resolves /proc/self/fd/ symlinks to the target of any symlinks in the same manner, so once we have opened the main executable in order to load it, replace the user-provided path with the result of calling readlink("/proc/self/fd/N"). (On non-Linux platforms this resolution does not happen and so no behavior change is needed.) The __fd_to_filename requires _fitoa_word and _itoa_word, which for 32-bits pulls a lot of definitions from _itoa.c (due _ITOA_NEEDED being defined). To simplify the build move the required function to a new file, _fitoa_word.c. Checked on x86_64-linux-gnu and i686-linux-gnu. Co-authored-by: Geoffrey Thomas <geofft@ldpreload.com> Reviewed-by: Geoffrey Thomas <geofft@ldpreload.com> Tested-by: Geoffrey Thomas <geofft@ldpreload.com> 
When an executable is invoked directly, we calculate $ORIGIN by calling
readlink on /proc/self/exe, which the Linux kernel resolves to the
target of any symlinks.  However, if an executable is run through ld.so,
we cannot use /proc/self/exe and instead use the path given as an
argument.  This leads to a different calculation of $ORIGIN, which is
most notable in that it causes ldd to behave differently (e.g., by not
finding a library) from directly running the program.

To make the behavior consistent, take advantage of the fact that the
kernel also resolves /proc/self/fd/ symlinks to the target of any
symlinks in the same manner, so once we have opened the main executable
in order to load it, replace the user-provided path with the result of
calling readlink("/proc/self/fd/N").

(On non-Linux platforms this resolution does not happen and so no
behavior change is needed.)

The __fd_to_filename requires _fitoa_word and _itoa_word, which for
32-bits pulls a lot of definitions from _itoa.c (due _ITOA_NEEDED
being defined).  To simplify the build move the required function
to a new file, _fitoa_word.c.

Checked on x86_64-linux-gnu and i686-linux-gnu.

Co-authored-by: Geoffrey Thomas <geofft@ldpreload.com>
Reviewed-by: Geoffrey Thomas <geofft@ldpreload.com>
Tested-by: Geoffrey Thomas <geofft@ldpreload.com>