diff options
| author | Florian Weimer <fweimer@redhat.com> | 2015-10-06 13:12:36 +0200 |
|---|---|---|
| committer | Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com> | 2015-12-30 11:57:48 -0200 |
| commit | f0cb70a25452585ff950b3a89f811ea3d473ae83 (patch) | |
| tree | db610de77267fd4652c5c1e9f773be016352349e | |
| parent | 80e44fad705561e39d8001c8258a8bae9c149fc7 (diff) | |
| download | glibc-f0cb70a25452585ff950b3a89f811ea3d473ae83.zip glibc-f0cb70a25452585ff950b3a89f811ea3d473ae83.tar.gz glibc-f0cb70a25452585ff950b3a89f811ea3d473ae83.tar.bz2 | |
Harden tls_dtor_list with pointer mangling [BZ #19018]
(cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)
Conflicts:
NEWS
stdlib/cxa_thread_atexit_impl.c
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | stdlib/cxa_thread_atexit_impl.c | 12 |
3 files changed, 18 insertions, 3 deletions
@@ -1,5 +1,12 @@ 2015-12-30 Florian Weimer <fweimer@redhat.com> + [BZ #19018] + * stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl): + Mangle function pointer before storing it. + (__call_tls_dtors): Demangle function pointer before calling it. + +2015-12-30 Florian Weimer <fweimer@redhat.com> + [BZ #18928] * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove _dl_pointer_guard member. @@ -10,7 +10,7 @@ Version 2.18.1 * The following bugs are resolved with this release: 15073, 15128, 15909, 15996, 16150, 16169, 16387, 16510, 16885, 16916, - 16943, 16958, 18928. + 16943, 16958, 18928, 19018. * The LD_POINTER_GUARD environment variable can no longer be used to disable the pointer guard feature. It is always enabled. diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c index dfd4c7e..6b7455d 100644 --- a/stdlib/cxa_thread_atexit_impl.c +++ b/stdlib/cxa_thread_atexit_impl.c @@ -42,6 +42,10 @@ static __thread struct link_map *lm_cache; int __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol) { +#ifdef PTR_MANGLE + PTR_MANGLE (func); +#endif + /* Prepend. */ struct dtor_list *new = calloc (1, sizeof (struct dtor_list)); new->func = func; @@ -83,9 +87,13 @@ __call_tls_dtors (void) while (tls_dtor_list) { struct dtor_list *cur = tls_dtor_list; - tls_dtor_list = tls_dtor_list->next; + dtor_func func = cur->func; +#ifdef PTR_DEMANGLE + PTR_DEMANGLE (func); +#endif - cur->func (cur->obj); + tls_dtor_list = tls_dtor_list->next; + func (cur->obj); __rtld_lock_lock_recursive (GL(dl_load_lock)); |