diff options
author | Andreas Schwab <schwab@suse.de> | 2017-01-18 12:56:41 -0800 |
---|---|---|
committer | Stan Shebs <stanshebs@google.com> | 2017-01-18 12:56:41 -0800 |
commit | e1c67173bfead6f83584f5042947591d731a06a5 (patch) | |
tree | 85159c08f219e9e40c00cb0f92a6c9e88490ea10 | |
parent | d701c3a0a506fa48855b91e511eb6e9348d634da (diff) | |
download | glibc-e1c67173bfead6f83584f5042947591d731a06a5.zip glibc-e1c67173bfead6f83584f5042947591d731a06a5.tar.gz glibc-e1c67173bfead6f83584f5042947591d731a06a5.tar.bz2 |
Missing unwind info in __startcontext causes infinite loop (BZ20435, CVE-2016-6323)
-rw-r--r-- | README.google | 5 | ||||
-rw-r--r-- | ports/sysdeps/unix/sysv/linux/arm/setcontext.S | 7 |
2 files changed, 12 insertions, 0 deletions
diff --git a/README.google b/README.google index fef32de..943deec 100644 --- a/README.google +++ b/README.google @@ -657,3 +657,8 @@ catgets/tst-catgets.c Fix catopen() Multiple unbounded stack allocations (BZ17905, CVE-2015-8779) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e (stanshebs, backport) + +ports/sysdeps/unix/sysv/linux/arm/setcontext.S + Missing unwind info in __startcontext causes infinite loop (BZ20435, CVE-2016-6323) + https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617 + (stanshebs, backport) diff --git a/ports/sysdeps/unix/sysv/linux/arm/setcontext.S b/ports/sysdeps/unix/sysv/linux/arm/setcontext.S index 7b9b511..7da16a9 100644 --- a/ports/sysdeps/unix/sysv/linux/arm/setcontext.S +++ b/ports/sysdeps/unix/sysv/linux/arm/setcontext.S @@ -86,12 +86,19 @@ weak_alias(__setcontext, setcontext) /* Called when a makecontext() context returns. Start the context in R4 or fall through to exit(). */ + /* Unwind descriptors are looked up based on PC - 2, so we have to + make sure to mark the instruction preceding the __startcontext + label as .cantunwind. */ + .fnstart + .cantunwind + nop ENTRY(__startcontext) movs r0, r4 bne PLTJMP(__setcontext) @ New context was 0 - exit b PLTJMP(HIDDEN_JUMPTARGET(_exit)) + .fnend END(__startcontext) #ifdef PIC |