commit bf427f42254f0a8d60dad3d1198c2f589d260cc8
author Ryan Prichard <rprichard@google.com> Thu Jan 17 16:37:11 2019 -0800
committer Ryan Prichard <rprichard@google.com> Thu Jan 17 17:13:53 2019 -0800
tree 357db0946598c5dc08388b51b7503dd33edfd2a2
parent 9a238653c1a32a7bd046aba8411e7400dda8367e

Fix soinfo_tls::module dangling reference

The field was pointing into an element of an std::vector, but the address
of a vector element is invalidated when the vector is resized.

This bug was caught by the new elftls.shared_ie and
elftls_dl.dlopen_shared_var_ie tests.

Bug: http://b/78026329
Test: bionic unit tests
Change-Id: I7232f6d703a9e339fe8966a95b7a68bae2c9c420

linker/linker_tls.cpp

diff --git a/linker/linker_tls.cpp b/linker/linker_tls.cpp
index a50d926..0d1796b 100644
--- a/linker/linker_tls.cpp
+++ b/linker/linker_tls.cpp
@@ -41,6 +41,9 @@
 static bool g_static_tls_finished;
 static std::vector<TlsModule> g_tls_modules;
 
+static inline size_t module_id_to_idx(size_t id) { return id - 1; }
+static inline size_t module_idx_to_id(size_t idx) { return idx + 1; }
+
 static size_t get_unused_module_index() {
   for (size_t i = 0; i < g_tls_modules.size(); ++i) {
     if (g_tls_modules[i].soinfo_ptr == nullptr) {
@@ -59,13 +62,11 @@
   ScopedWriteLock locker(&__libc_shared_globals()->tls_modules.rwlock);
 
   size_t module_idx = get_unused_module_index();
-  TlsModule* module = &g_tls_modules[module_idx];
 
   soinfo_tls* si_tls = si->get_tls();
-  si_tls->module_id = module_idx + 1;
-  si_tls->module = module;
+  si_tls->module_id = module_idx_to_id(module_idx);
 
-  *module = {
+  g_tls_modules[module_idx] = {
     .segment = si_tls->segment,
     .static_offset = static_offset,
     .first_generation = ++__libc_shared_globals()->tls_modules.generation,
@@ -77,11 +78,18 @@
   ScopedWriteLock locker(&__libc_shared_globals()->tls_modules.rwlock);
 
   soinfo_tls* si_tls = si->get_tls();
-  CHECK(si_tls->module->static_offset == SIZE_MAX);
-  CHECK(si_tls->module->soinfo_ptr == si);
-  *si_tls->module = {};
+  TlsModule& mod = g_tls_modules[module_id_to_idx(si_tls->module_id)];
+  CHECK(mod.static_offset == SIZE_MAX);
+  CHECK(mod.soinfo_ptr == si);
+  mod = {};
   si_tls->module_id = kUninitializedModuleId;
-  si_tls->module = nullptr;
+}
+
+// The reference is valid until a TLS module is registered or unregistered.
+const TlsModule& get_tls_module(size_t module_id) {
+  size_t module_idx = module_id_to_idx(module_id);
+  CHECK(module_idx < g_tls_modules.size());
+  return g_tls_modules[module_idx];
 }
 
 __BIONIC_WEAK_FOR_NATIVE_BRIDGE