Missing unwind info in __startcontext causes infinite loop (BZ20435, CVE-2016-6323)
authorAndreas Schwab <schwab@suse.de>
Wed, 18 Jan 2017 20:56:41 +0000 (12:56 -0800)
committerStan Shebs <stanshebs@google.com>
Wed, 18 Jan 2017 20:56:41 +0000 (12:56 -0800)
README.google
ports/sysdeps/unix/sysv/linux/arm/setcontext.S

index fef32de1c47ded580e6ce4ef1e8c4c8cd9fe5b86..943deec446c3e7e0fb16ac9490d6d849713b9023 100644 (file)
@@ -657,3 +657,8 @@ catgets/tst-catgets.c
   Fix catopen() Multiple unbounded stack allocations (BZ17905, CVE-2015-8779)
   https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
   (stanshebs, backport)
+
+ports/sysdeps/unix/sysv/linux/arm/setcontext.S
+  Missing unwind info in __startcontext causes infinite loop (BZ20435, CVE-2016-6323)
+  https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617
+  (stanshebs, backport)
index 7b9b511b8024a3fa8033289a2893a7312b85aed8..7da16a95c298dccec8e6691e34c4d788aa563e97 100644 (file)
@@ -86,12 +86,19 @@ weak_alias(__setcontext, setcontext)
 
        /* Called when a makecontext() context returns.  Start the
           context in R4 or fall through to exit().  */
+       /* Unwind descriptors are looked up based on PC - 2, so we have to
+          make sure to mark the instruction preceding the __startcontext
+          label as .cantunwind.  */
+       .fnstart
+       .cantunwind
+       nop
 ENTRY(__startcontext)
        movs    r0, r4
        bne     PLTJMP(__setcontext)
 
        @ New context was 0 - exit
        b       PLTJMP(HIDDEN_JUMPTARGET(_exit))
+       .fnend
 END(__startcontext)
 
 #ifdef PIC
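Review bot: The added comment explains why the `nop` in front of the label is marked, but not that the `.fnstart`/`.fnend` pair also encloses the alignment padding `ENTRY` emits and the whole body of `__startcontext`, so every PC in this range, including the address a makecontext'd function returns to, resolves to a `.cantunwind` entry. A line such as `/* The whole of __startcontext is .cantunwind: a context has no caller frame, so a forced unwind stops here instead of looping on a missing entry.  */` next to the directives would record that intent. Whether `ENTRY` also emits DWARF `.cfi_startproc` alongside this EHABI region is not visible in the hunk; gas accepts both, provided only one unwind table is consulted at run time, which is presumably already the case in this tree. The README.google hunk is a changelog entry and needs nothing further.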