_tls_used offsets the start of the tls section by adding 1 to _tls_start.
I feel this is incorrect in two respects. The first is that _tls_start is defined as a char, so adding 1 only increments by 1 byte.
Second, secrel32 generates an offset from the start of the section. By offsetting from _tls_start, the secrel32 offset becomes invalid and has the potential to allow access to invalid memory.
I also see no reason _tls_used should be placed in the TLS section. Other compilers treat it as read-only and place it in .rdata.
See the included patch for my suggested changes.
Corrected TLS alignment. Removed _tls_used from section .tls.
Ticket moved from /p/mingw/patches/508/
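Added example, not part of the ticket or the MinGW sources: a portable C model of the second point above. It assumes the loader copies the TLS template from the directory's start address into each thread's block, and that a thread-local is addressed as block base plus its section-relative offset. The section contents, `VAR_SECREL` and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the image's .tls section (the TLS template). */
enum { SECTION_SIZE = 16, VAR_SECREL = 4 };
static const uint8_t tls_section[SECTION_SIZE] = {
    0x00, 0, 0, 0,          /* offset 0: _tls_start (a char) plus padding */
    0x44, 0x33, 0x22, 0x11, /* offset 4: 32-bit thread-local 0x11223344   */
    0, 0, 0, 0, 0, 0, 0, 0  /* remainder of the section                   */
};

/* Assumed loader behaviour: copy the template starting at start_off
 * (0 = &_tls_start, 1 = &_tls_start + 1) into a per-thread block. */
static size_t make_thread_block(size_t start_off, uint8_t *block, size_t cap)
{
    size_t len = SECTION_SIZE - start_off;
    memset(block, 0xCC, cap);            /* 0xCC = not part of the copy */
    memcpy(block, tls_section + start_off, len);
    return len;
}

/* Assumed access pattern: block base + offset from the section start. */
uint32_t read_tls_var(size_t start_off, size_t secrel)
{
    uint8_t b[SECTION_SIZE];
    make_thread_block(start_off, b, sizeof b);
    const uint8_t *p = b + secrel;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bytes of the section whose section-relative offset lands past the block. */
size_t bytes_past_block(size_t start_off)
{
    uint8_t b[SECTION_SIZE];
    return SECTION_SIZE - make_thread_block(start_off, b, sizeof b);
}

int main(void)
{
    printf("start=&_tls_start   : 0x%08x, %zu byte(s) out of range\n",
           (unsigned)read_tls_var(0, VAR_SECREL), bytes_past_block(0));
    printf("start=&_tls_start+1 : 0x%08x, %zu byte(s) out of range\n",
           (unsigned)read_tls_var(1, VAR_SECREL), bytes_past_block(1));
    return 0;
}
```

With the start shifted by one byte, every section-relative access reads data one byte further along in the template, and the offset of the section's final byte falls outside the copied block.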