A program being audited will crash when more than a few libraries make use of TLS. This is apparently caused by ld.so calling realloc() to resize the DTV even though the DTV was not allocated by malloc, thus the pointer is not known when realloc() is called on it and the program crashes.

The backtrace from Fedora 41 with glibc-2.40-12.fc41.x86_64 is as follows:

$ gdb ./test
(gdb) set args 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
(gdb) set env LD_AUDIT=/home/ben/Shared/Work/test/tlsfault/libminaudit.so
(gdb) r
Starting program: /home/ben/Shared/Work/test/tlsfault/test 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
Downloading separate debug info for system-supplied DSO at 0x7ffff7fc4000
Downloading 6.69 M separate debug info for /lib64/libc.so.6
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
realloc(): invalid pointer

Program received signal SIGABRT, Aborted.
Downloading source file /usr/src/debug/glibc-2.40-12.fc41.x86_64/nptl/pthread_kill.c
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44        return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007ffff7bd6d03 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:78
#2  0x00007ffff7b7dd1e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff7b65942 in __GI_abort () at abort.c:79
#4  0x00007ffff7b667a7 in __libc_message_impl (fmt=fmt@entry=0x7ffff7d193cd "%s\n") at ../sysdeps/posix/libc_fatal.c:132
#5  0x00007ffff7be0e25 in malloc_printerr (str=str@entry=0x7ffff7d17269 "realloc(): invalid pointer") at malloc.c:5772
#6  0x00007ffff7be617c in __GI___libc_realloc (oldmem=0x7ffff7b62510, bytes=736) at malloc.c:3466
#7  0x00007ffff7fd727f in realloc (ptr=0x7ffff7b62510, size=736) at ../include/rtld-malloc.h:62
#8  _dl_resize_dtv (dtv=dtv@entry=0x7ffff7b62520, max_modid=max_modid@entry=30) at ../elf/dl-tls.c:534
#9  0x00007ffff7fd7c62 in _dl_update_slotinfo (req_modid=30, new_gen=17) at ../elf/dl-tls.c:858
#10 0x00007ffff7fd7d94 in update_get_addr (ti=0x7ffff7b3dfc0, gen=<optimized out>) at ../elf/dl-tls.c:976
#11 0x00007ffff7fdaccc in __tls_get_addr () at ../sysdeps/x86_64/tls_get_addr.S:55
#12 0x00007ffff7b3b124 in dlopen_set_15 () from ./libdlopentls15.so
#13 0x000000000040126b in openlib (num=0x7fffffffd9b0 "15") at test.c:29
#14 0x00000000004012d4 in main (argc=16, argv=0x7fffffffd4b8) at test.c:41

At first glance this is consistent with the OP's analysis of the problem. It appears that resizing the DTV should not call the normal realloc(); it should call a special rtld_realloc() and/or the invariant that dtv == dl_initial_dtv should include some additional logic to handle the case where dtv has already been realloc'd.

Reproducible: Always

Steps to Reproduce:
To run the reproducer simply untar the attached reproducer and run make.

Actual Results:
crash

Expected Results:
It runs without problems.
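The failure mode in the report, reduced to its essence: a table whose first backing store was not obtained from malloc() is later grown with a plain realloc(), and glibc's malloc rejects the unknown pointer with "realloc(): invalid pointer" and aborts. The following C is an added illustration written for this page; it is not glibc's dl-tls.c, and the struct, function names and the static initial storage are assumptions standing in for the DTV and ld.so's initial allocation. It places the unconditional-realloc shape next to one that tracks ownership and copies out of the initial storage instead of reallocating it.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/*
 * Illustrative model (NOT glibc code) of a table that starts life in memory
 * the allocator never handed out and is later grown.  realloc() on such a
 * pointer is undefined behaviour; glibc's malloc detects it and aborts.
 */
struct table {
    void **slots;      /* current backing store */
    size_t count;      /* number of usable slots */
    int heap_owned;    /* 1 only once slots came from malloc()/realloc() */
};

/* Stand-in for the initial, statically provided storage (assumption). */
#define INITIAL_SLOTS 4
static void *initial_storage[INITIAL_SLOTS];

void table_init(struct table *t)
{
    t->slots = initial_storage;
    t->count = INITIAL_SLOTS;
    t->heap_owned = 0;
}

/*
 * Buggy shape: unconditional realloc().  Fine once the table is heap owned,
 * fatal the first time it is applied to the initial storage.  Kept for
 * contrast only; it is never called below.
 */
int table_grow_buggy(struct table *t, size_t new_count)
{
    void **p = realloc(t->slots, new_count * sizeof *p);   /* UB if !heap_owned */
    if (p == NULL) return -1;
    memset(p + t->count, 0, (new_count - t->count) * sizeof *p);
    t->slots = p; t->count = new_count; t->heap_owned = 1;
    return 0;
}

/*
 * Fixed shape: realloc() only when ownership is known; otherwise malloc a
 * fresh block and copy, leaving the initial storage untouched.
 */
int table_grow(struct table *t, size_t new_count)
{
    if (new_count <= t->count) return 0;
    void **p;
    if (t->heap_owned) {
        p = realloc(t->slots, new_count * sizeof *p);
        if (p == NULL) return -1;
    } else {
        p = malloc(new_count * sizeof *p);
        if (p == NULL) return -1;
        memcpy(p, t->slots, t->count * sizeof *p);
    }
    memset(p + t->count, 0, (new_count - t->count) * sizeof *p);
    t->slots = p;
    t->count = new_count;
    t->heap_owned = 1;
    return 0;
}

/* Release only what we own, then point back at the initial storage. */
void table_free(struct table *t)
{
    if (t->heap_owned) free(t->slots);
    table_init(t);
}

/* Exercise both growth paths (copy, then realloc) and verify contents. */
int demo(void)
{
    struct table t;
    static int marker[3];
    table_init(&t);
    t.slots[0] = &marker[0];
    t.slots[1] = &marker[1];
    if (table_grow(&t, 16) != 0) return -1;          /* copy path */
    if (!t.heap_owned || t.count != 16) return -2;
    if (t.slots[0] != &marker[0] || t.slots[1] != &marker[1]) return -3;
    if (t.slots[15] != NULL) return -4;              /* new slots zeroed */
    t.slots[15] = &marker[2];
    if (table_grow(&t, 64) != 0) return -5;          /* realloc path */
    if (t.slots[15] != &marker[2] || t.slots[63] != NULL) return -6;
    table_free(&t);
    return t.slots == initial_storage ? 0 : -7;
}
```

The ownership flag is the point: comparing the current pointer against the initial one is only a correct test for "did malloc give us this?" if every path that replaces the pointer also goes through the heap, which is the invariant the report suggests needs tightening.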
https://sourceware.org/bugzilla/show_bug.cgi?id=32412
The patch in the upstream bug tracker resolves the problem, but we will need to expand that to include a test (derived from the reproducer). We'll review this for initial inclusion in Rawhide.
Fixed in rawhide so far.
FEDORA-2025-851644b160 (glibc-2.41-7.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-851644b160
FEDORA-2025-e489437b3d (glibc-2.40-26.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-e489437b3d
FEDORA-2025-e489437b3d has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-e489437b3d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-e489437b3d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-851644b160 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-851644b160` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-851644b160 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-851644b160 (glibc-2.41-7.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-e489437b3d (glibc-2.40-26.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.