From d5ef25a8d894fa5833854588afaacdf8771972a8 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Tue, 6 Oct 2015 13:12:36 +0200
Subject: [PATCH] Harden tls_dtor_list with pointer mangling [BZ #19018]

(cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)

Conflicts:
	NEWS
	stdlib/cxa_thread_atexit_impl.c
---
 ChangeLog                       |  7 +++++++
 NEWS                            |  2 +-
 stdlib/cxa_thread_atexit_impl.c | 12 ++++++++++--
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 32f9e4a62f0..95c077f3ae6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-02-25  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #19018]
+	* stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl):
+	Mangle function pointer before storing it.
+	(__call_tls_dtors): Demangle function pointer before calling it.
+
 2016-02-25  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #18928]
diff --git a/NEWS b/NEWS
index 34daa036617..b0588be1950 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Version 2.20.1
 * The following bugs are resolved with this release:
 
   16009, 16617, 16618, 17266, 17370, 17371, 17460, 17485, 17555, 17625,
-  17630, 17801, 18694, 18928.
+  17630, 17801, 18694, 18928, 19018.
 
 * The LD_POINTER_GUARD environment variable can no longer be used to
   disable the pointer guard feature.  It is always enabled.
diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c
index 1a6d9864f6e..0cb9331d63c 100644
--- a/stdlib/cxa_thread_atexit_impl.c
+++ b/stdlib/cxa_thread_atexit_impl.c
@@ -42,6 +42,10 @@ static __thread struct link_map *lm_cache;
 int
 __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol)
 {
+#ifdef PTR_MANGLE
+  PTR_MANGLE (func);
+#endif
+
   /* Prepend.  */
   struct dtor_list *new = calloc (1, sizeof (struct dtor_list));
   new->func = func;
@@ -83,9 +87,13 @@ __call_tls_dtors (void)
   while (tls_dtor_list)
     {
       struct dtor_list *cur = tls_dtor_list;
-      tls_dtor_list = tls_dtor_list->next;
+      dtor_func func = cur->func;
+#ifdef PTR_DEMANGLE
+      PTR_DEMANGLE (func);
+#endif
 
-      cur->func (cur->obj);
+      tls_dtor_list = tls_dtor_list->next;
+      func (cur->obj);
 
       __rtld_lock_lock_recursive (GL(dl_load_lock));
 
-- 
2.47.2