I attempted fixing this issue before at 43fbaf99. Although it did work, it worked wrong, and it was just consistently working (but in wrong way) until it didn't.
Since this is (hopefully) the real fix, I will try to explain exactly what is going on.
This is explanation by example:
our TLS is memory of size 0x1000 starting at 0x7ffff6c50000, but the real size is 0x000068 so we have padding stored at master.offset = 0xf98
Now our symbol looks as follows
Offset Type Sym. Value Name 000000432b20 R_X86_64_DTPOFF64 0000000000000058 errno
The old code did 0x7ffff6c50000 + 0xf98 + 000000432b20 which is obviosly overflowing the memory and wrong.
The right way 0x7ffff6c50000 + 0xf98 + 0000000000000058.
THe Tls base part and offset are added at __tls_get_addr function. What is left is storing the 0x58 at the relocation address. The problem is that we don't have 0x58, but we have (binary base + 0x58) in global symbol table and binary base so what we store is the (binarybase + 0x58
- binary base).
I hope this does turn out to be wrong.