From f586e1328681b400078c995a0bb6ad301ef73549 Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Tue, 6 Oct 2015 13:12:36 +0200
Subject: Harden tls_dtor_list with pointer mangling [BZ #19018]
---
ChangeLog | 7 +++++++
NEWS | 4 ++--
stdlib/cxa_thread_atexit_impl.c | 10 +++++++++-
3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 259b05e..f482f68 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-06 Florian Weimer
+
+ [BZ #19018]
+ * stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl):
+ Mangle function pointer before storing it.
+ (__call_tls_dtors): Demangle function pointer before calling it.
+
 2015-10-05 Paul Pluzhnikov [BZ #19012]
diff --git a/NEWS b/NEWS
index 16f5cfb..0f3f33f 100644
--- a/NEWS
+++ b/NEWS
@@ -17,8 +17,8 @@ Version 2.23
 18757, 18778, 18781, 18787, 18789, 18790, 18795, 18796, 18803, 18820, 18823, 18824, 18825, 18857, 18863, 18870, 18872, 18873, 18875, 18887, 18921, 18951, 18952, 18956, 18961, 18966, 18967, 18969, 18970, 18977,
- 18980, 18981, 18985, 19003, 19012, 19016, 19032, 19046, 19049, 19050,
- 19059, 19071.
+ 18980, 18981, 18985, 19003, 19012, 19016, 19018, 19032, 19046, 19049,
+ 19050, 19059, 19071.
 * The obsolete header has been removed. Programs that require this header must be updated to use instead.
diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c
index 2d5d56a..5717f09 100644
--- a/stdlib/cxa_thread_atexit_impl.c
+++ b/stdlib/cxa_thread_atexit_impl.c
@@ -98,6 +98,10 @@ static __thread struct link_map *lm_cache;
 int
 __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol)
 {
+#ifdef PTR_MANGLE
+ PTR_MANGLE (func);
+#endif
+
 /* Prepend. */
 struct dtor_list *new = calloc (1, sizeof (struct dtor_list));
 new->func = func;
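Review bot: The context line `struct dtor_list *new = calloc (1, sizeof (struct dtor_list));` is followed directly by `new->func = func;` with no NULL check, so an allocation failure dereferences a null pointer while the destructor is being registered; this predates the commit but sits in the lines it touches. A guard such as `if (new == NULL) return -1;` before the store would close it, assuming callers treat a nonzero return as a failed registration (not visible here). The added `PTR_MANGLE (func);` block would also benefit from a one-line comment, e.g. `/* Store FUNC mangled so an overwritten list entry cannot redirect control flow without the pointer guard.  */`. The body of __cxa_thread_atexit_impl continues outside the hunk.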
@@ -142,9 +146,13 @@ __call_tls_dtors (void)
 while (tls_dtor_list)
 {
 struct dtor_list *cur = tls_dtor_list;
+ dtor_func func = cur->func;
+#ifdef PTR_DEMANGLE
+ PTR_DEMANGLE (func);
+#endif
 tls_dtor_list = tls_dtor_list->next;
- cur->func (cur->obj);
+ func (cur->obj);
 /* Ensure that the MAP dereference happens before l_tls_dtor_count decrement. That way, we protect this access from a
-- cgit v1.1
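Review bot: The demangle here is guarded by `#ifdef PTR_DEMANGLE` while the store in __cxa_thread_atexit_impl is guarded by `#ifdef PTR_MANGLE`, so a configuration that defines only one of the two macros would reach `func (cur->obj);` with a pointer that is still mangled or was demangled without ever being mangled. Presumably every port defines both together, but keying both sides on the same macro, or adding `/* Must mirror PTR_MANGLE in __cxa_thread_atexit_impl.  */` above the `#ifdef`, makes the pairing explicit. Where neither macro is defined the hardening silently disappears, and only `func` is protected while `obj` and `next` stay in plain form, which is worth stating in a comment on struct dtor_list. The loop body continues outside the hunk.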