From 66986dec455c2011085a04b72a5bd55d9f9c7d1c Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Tue, 6 Oct 2015 13:12:36 +0200
Subject: [PATCH] Harden tls_dtor_list with pointer mangling [BZ #19018]
(cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)
Conflicts:
 NEWS
 stdlib/cxa_thread_atexit_impl.c
---
 ChangeLog | 7 +++++++
 NEWS | 4 ++--
 stdlib/cxa_thread_atexit_impl.c | 12 ++++++++++--
 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f0bd7366944..5d3bc8f7d24 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-07-11 Florian Weimer
+
+ [BZ #19018]
+ * stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl):
+ Mangle function pointer before storing it.
+ (__call_tls_dtors): Demangle function pointer before calling it.
+
 2016-07-11 Florian Weimer
 [BZ #18928]
diff --git a/NEWS b/NEWS
index 9bd31e4ab4c..41481cd33e1 100644
--- a/NEWS
+++ b/NEWS
@@ -12,8 +12,8 @@ Version 2.19.1
 15946, 16009, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759,
 16760, 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062,
 17069, 17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905,
- 18007, 18032, 18080, 18240, 18287, 18508, 18665, 18905, 18928, 19779,
- 19791, 19879, 20010, 20112.
+ 18007, 18032, 18080, 18240, 18287, 18508, 18665, 18905, 18928, 19018,
+ 19779, 19791, 19879, 20010, 20112.
 * A buffer overflow in gethostbyname_r and related functions performing DNS
 requests has been fixed. If the NSS functions were called with a
diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c
index d2f88d3ed83..6030e5fc6fa 100644
--- a/stdlib/cxa_thread_atexit_impl.c
+++ b/stdlib/cxa_thread_atexit_impl.c
@@ -42,6 +42,10 @@ static __thread struct link_map *lm_cache;
 int
 __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol)
 {
+#ifdef PTR_MANGLE
+ PTR_MANGLE (func);
+#endif
+
 /* Prepend. */
 struct dtor_list *new = calloc (1, sizeof (struct dtor_list));
 new->func = func;
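Review bot: The `calloc` result in the trailing context of the `__cxa_thread_atexit_impl` hunk is written through without a NULL check: `new->func = func;` follows `calloc (1, sizeof (struct dtor_list))` directly, so an allocation failure during destructor registration becomes a null-pointer write rather than an error return. Since this commit hardens the same list, a guard such as `if (new == NULL) return -1;` before the first store would close that gap; the function returns int, but the failure value callers expect is not visible here. A short comment above the `#ifdef PTR_MANGLE` block would also help the next reader, e.g. `/* Mangle the destructor so a corrupted list entry cannot redirect control flow; demangled in __call_tls_dtors.  */`. The body of `__cxa_thread_atexit_impl` continues past the end of the hunk.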
@@ -83,9 +87,13 @@ __call_tls_dtors (void)
 while (tls_dtor_list)
 {
 struct dtor_list *cur = tls_dtor_list;
- tls_dtor_list = tls_dtor_list->next;
+ dtor_func func = cur->func;
+#ifdef PTR_DEMANGLE
+ PTR_DEMANGLE (func);
+#endif
- cur->func (cur->obj);
+ tls_dtor_list = tls_dtor_list->next;
+ func (cur->obj);
 __rtld_lock_lock_recursive (GL(dl_load_lock));
--
2.47.2
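Review bot: The store side in `__cxa_thread_atexit_impl` is guarded by `#ifdef PTR_MANGLE` but this call site is guarded by `#ifdef PTR_DEMANGLE`, so the two halves only agree if every port defines both macros or neither. If one were defined without the other, `func` would be called still mangled, or demangled without ever having been mangled, which means a jump to a garbage address at thread exit; whether any port does that is not visible from this patch. Guarding both sites with the same macro (`#ifdef PTR_MANGLE` here as well) removes that dependency. On targets where the macros are absent the hardening compiles out silently, which deserves a one-line comment such as `/* No pointer guard on this target: func is stored and called unmangled.  */`. The loop body of `__call_tls_dtors` continues outside the hunk.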