diff options
| author | Florian Weimer <fweimer@redhat.com> | 2015-10-06 13:12:36 +0200 |
|---|---|---|
| committer | Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com> | 2016-07-11 13:53:12 -0300 |
| commit | 66986dec455c2011085a04b72a5bd55d9f9c7d1c (patch) | |
| tree | 275ba79b1220c9cf0cd3901b5fce11975968fdee | |
| parent | dea992adae5ff1194d7e49b698424eba741df62a (diff) | |
| download | glibc-66986dec455c2011085a04b72a5bd55d9f9c7d1c.zip glibc-66986dec455c2011085a04b72a5bd55d9f9c7d1c.tar.gz glibc-66986dec455c2011085a04b72a5bd55d9f9c7d1c.tar.bz2 | |
Harden tls_dtor_list with pointer mangling [BZ #19018]
(cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)
Conflicts:
NEWS
stdlib/cxa_thread_atexit_impl.c
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | stdlib/cxa_thread_atexit_impl.c | 12 |
3 files changed, 19 insertions, 4 deletions
@@ -1,5 +1,12 @@ 2016-07-11 Florian Weimer <fweimer@redhat.com> + [BZ #19018] + * stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl): + Mangle function pointer before storing it. + (__call_tls_dtors): Demangle function pointer before calling it. + +2016-07-11 Florian Weimer <fweimer@redhat.com> + [BZ #18928] * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove _dl_pointer_guard member. @@ -12,8 +12,8 @@ Version 2.19.1 15946, 16009, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760, 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069, 17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905, - 18007, 18032, 18080, 18240, 18287, 18508, 18665, 18905, 18928, 19779, - 19791, 19879, 20010, 20112. + 18007, 18032, 18080, 18240, 18287, 18508, 18665, 18905, 18928, 19018, + 19779, 19791, 19879, 20010, 20112. * A buffer overflow in gethostbyname_r and related functions performing DNS requests has been fixed. If the NSS functions were called with a diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c index d2f88d3..6030e5f 100644 --- a/stdlib/cxa_thread_atexit_impl.c +++ b/stdlib/cxa_thread_atexit_impl.c @@ -42,6 +42,10 @@ static __thread struct link_map *lm_cache; int __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol) { +#ifdef PTR_MANGLE + PTR_MANGLE (func); +#endif + /* Prepend. */ struct dtor_list *new = calloc (1, sizeof (struct dtor_list)); new->func = func; @@ -83,9 +87,13 @@ __call_tls_dtors (void) while (tls_dtor_list) { struct dtor_list *cur = tls_dtor_list; - tls_dtor_list = tls_dtor_list->next; + dtor_func func = cur->func; +#ifdef PTR_DEMANGLE + PTR_DEMANGLE (func); +#endif - cur->func (cur->obj); + tls_dtor_list = tls_dtor_list->next; + func (cur->obj); __rtld_lock_lock_recursive (GL(dl_load_lock)); |