https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288334
--- Comment #2 from Jordan Gordeev <[email protected]> ---
(In reply to Konstantin Belousov from comment #1)

A copy of ld.lld for reproduction can be obtained from
<https://download.freebsd.org/releases/arm64/14.3-RELEASE/base.txz> for arm64 and from
<https://download.freebsd.org/releases/amd64/14.3-RELEASE/base.txz> for amd64.

On arm64:
MD5 (/usr/bin/ld.lld) = d024175f5e770ad1f45ad0c822bc517e

On amd64:
MD5 (/usr/bin/ld.lld) = 31a83183bc4441013af2335e000c594d

The problem seems to only occur for executables where the PT_TLS program header entry has a non-zero value for the p_filesz field. There is only one such executable in /usr/bin on FreeBSD 14.3 (both arm64 and amd64) and it is /usr/bin/ld.lld.

The crash happens because an invalid address is passed to memcpy() in this code from rtld.c:

    if (obj->tlsinitsize > 0) {
        memcpy(addr + tls_init_offset, obj->tlsinit, obj->tlsinitsize);
    }

The value of obj->tlsinitsize comes from the PT_TLS entry's p_filesz field.

The value of obj->tlsinit is computed in rtld.c like this:

    obj->tlsinit = (void *)(ph->p_vaddr + obj->relocbase);

However, in map_object.c it is computed like this:

    obj->tlsinit = mapbase + phtls->p_vaddr;

-- 
You are receiving this mail because:
You are the assignee for the bug.
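The comment narrows the crash to executables whose PT_TLS program header has a non-zero p_filesz, since that value becomes obj->tlsinitsize and selects the memcpy() path. The following is an added diagnostic, not code from the bug report or from FreeBSD's rtld: it parses a little-endian ELF64 image, locates the PT_TLS entry, and reports whether p_filesz is non-zero, so a system can be scanned for other binaries in the same situation. The struct, function names, the synthetic sample image and the PT_TLS type constant are this example's own; the sample bytes are constructed and are not taken from /usr/bin/ld.lld.

```c
/* Added diagnostic (not from the bug report or FreeBSD's rtld): find the
 * PT_TLS program header of a little-endian ELF64 image and report whether
 * p_filesz > 0, i.e. whether rtld takes the "obj->tlsinitsize > 0" path. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PT_TLS_TYPE 7U          /* ELF p_type value for PT_TLS */

struct tls_info {
    int found;                  /* 1 if a PT_TLS entry is present */
    uint64_t p_vaddr;
    uint64_t p_filesz;          /* becomes obj->tlsinitsize in rtld */
    uint64_t p_memsz;
};

/* Little-endian field readers/writers: no host-endian or unaligned access. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, v & 0xffffffffu); wr32(p + 4, v >> 32); }

/* Returns 0 if the image parsed (out->found says whether PT_TLS exists),
 * -1 if it is not little-endian ELF64 or the phdr table is out of bounds. */
int find_pt_tls(const uint8_t *buf, size_t len, struct tls_info *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 64 || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    if (buf[4] != 2 /* ELFCLASS64 */ || buf[5] != 1 /* ELFDATA2LSB */) return -1;
    uint64_t phoff = rd64(buf + 32);
    uint16_t phentsize = rd16(buf + 54), phnum = rd16(buf + 56);
    if (phentsize < 56) return -1;
    /* Bounds-check the whole table before touching it. */
    if (phoff > len || (uint64_t)phnum * phentsize > len - phoff) return -1;
    for (uint16_t i = 0; i < phnum; i++) {
        const uint8_t *ph = buf + phoff + (size_t)i * phentsize;
        if (rd32(ph) != PT_TLS_TYPE) continue;
        out->found = 1;
        out->p_vaddr = rd64(ph + 16);
        out->p_filesz = rd64(ph + 32);
        out->p_memsz = rd64(ph + 40);
        return 0;
    }
    return 0;
}

/* 1 if rtld would memcpy an initialized TLS image for this object. */
int tls_init_needs_copy(const struct tls_info *ti)
{
    return ti->found && ti->p_filesz > 0;
}

/* Constructed sample: minimal ELF64 header plus one PT_TLS phdr.
 * Synthetic test data, not bytes from any real binary. */
size_t build_sample_elf(uint8_t *buf, size_t cap, uint64_t filesz, uint64_t memsz)
{
    const size_t need = 64 + 56;
    if (cap < need) return 0;
    memset(buf, 0, need);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;      /* ELFCLASS64, LSB, EV_CURRENT */
    wr16(buf + 16, 3);                       /* ET_DYN */
    wr16(buf + 18, 0xb7);                    /* EM_AARCH64 */
    wr32(buf + 20, 1);
    wr64(buf + 32, 64);                      /* e_phoff: table follows header */
    wr16(buf + 52, 64); wr16(buf + 54, 56); wr16(buf + 56, 1);
    uint8_t *ph = buf + 64;
    wr32(ph, PT_TLS_TYPE); wr32(ph + 4, 4);  /* p_type, p_flags = PF_R */
    wr64(ph + 16, 0x1000);                   /* p_vaddr (arbitrary) */
    wr64(ph + 32, filesz); wr64(ph + 40, memsz); wr64(ph + 48, 8);
    return need;
}

/* Build the sample with the given p_filesz; 1 = memcpy path, 0 = not, -1 = parse error. */
int sample_is_affected(uint64_t filesz)
{
    uint8_t img[128]; struct tls_info ti;
    size_t n = build_sample_elf(img, sizeof img, filesz, 0x40);
    if (find_pt_tls(img, n, &ti) != 0) return -1;
    return tls_init_needs_copy(&ti);
}

/* Scan a real file, e.g.: ./tlsscan /usr/bin/ld.lld */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); if (sz < 0) sz = 0; rewind(f);
    uint8_t *buf = malloc(sz > 0 ? (size_t)sz : 1);
    size_t n = buf ? fread(buf, 1, (size_t)sz, f) : 0;
    fclose(f);
    struct tls_info ti;
    int rc = find_pt_tls(buf, n, &ti);
    if (rc == 0 && ti.found)
        printf("PT_TLS filesz=0x%llx memsz=0x%llx memcpy path: %s\n", (unsigned long long)ti.p_filesz,
               (unsigned long long)ti.p_memsz, tls_init_needs_copy(&ti) ? "yes" : "no");
    else
        puts(rc ? "not a little-endian ELF64 image" : "no PT_TLS header");
    free(buf);
    return 0;
}
```

Run it over the files in /usr/bin to confirm the comment's observation that only binaries with a non-zero PT_TLS p_filesz reach the memcpy; a binary with PT_TLS whose p_filesz is zero (only a .tbss image) prints "memcpy path: no".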
