authorCorinna Vinschen <corinna@vinschen.de>2015-07-23 20:25:22 +0200
committerCorinna Vinschen <corinna@vinschen.de>2015-07-23 20:25:22 +0200
commitbe8183701a4943d07bbc51d16952e9c02e7ef2c1 (patch)
treef064b1d199adde81ab952d0a8e06e1e24444fb07 /winsup/cygwin
parent1e80973f288a6285f73b4565e7c4fcee12713b72 (diff)
Fix potential buffer overflow in makecontext trampoline
glibc's tst-makecontext2 testcase uncovered a bug in __cont_link_context. If the function fails to reserve shadow space for the calls to setcontext/cygwin_exit, both functions could overwrite memory beyond the stack configured in uc_stack. * exceptions.cc (__cont_link_context): x86_64: align stack and reserve shadow space for subsequent function calls, otherwise suffer potential buffer overflow. Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diffstat (limited to 'winsup/cygwin')
-rw-r--r--winsup/cygwin/ChangeLog6
-rw-r--r--winsup/cygwin/exceptions.cc8
2 files changed, 13 insertions, 1 deletions
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 55ea458..a8f6543 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,11 @@
2015-07-23 Corinna Vinschen <corinna@vinschen.de>
+ * exceptions.cc (__cont_link_context): x86_64: align stack and reserve
+ shadow space for subsequent function calls, otherwise suffer potential
+ buffer overflow.
+
+2015-07-23 Corinna Vinschen <corinna@vinschen.de>
+
* uinfo.cc (cygheap_user::ontherange): Ignore $HOME if it's not
starting with a slash (aka, absolute POSIX Path).
diff --git a/winsup/cygwin/exceptions.cc b/winsup/cygwin/exceptions.cc
index c4b0761..e6c000f 100644
--- a/winsup/cygwin/exceptions.cc
+++ b/winsup/cygwin/exceptions.cc
@@ -1929,9 +1929,14 @@ swapcontext (ucontext_t *oucp, const ucontext_t *ucp)
is NULL, call exit. */
__asm__ (" \n\
.global __cont_link_context \n\
+ .seh_proc __cont_link_context \n\
__cont_link_context: \n\
+ .seh_endprologue \n\
movq %rbx, %rsp \n\
- popq %rcx \n\
+ movq (%rsp), %rcx \n\
+ # align stack and subtract shadow space \n\
+ andq $~0xf, %rsp \n\
+ subq $0x20, %rsp \n\
testq %rcx, %rcx \n\
je 1f \n\
call setcontext \n\
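Review bot: The comment `# align stack and subtract shadow space` states what the two new instructions do but not the ABI fact that motivates replacing `popq %rcx` with a non-popping load plus realignment, and that intent currently lives only in the commit message. A comment such as `# Win64 ABI: callee may write 32 bytes of shadow space below the return address and rsp must be 16-byte aligned at the call; keep the uc_link slot above rsp so neither call can scribble beyond uc_stack.` would let a reader see why 0x20 and the and-mask are there; naming the 0x20 via a macro instead of a magic number would help too. Note that the fix relies on makecontext having placed the uc_link slot at least 0x20 bytes plus alignment padding above the bottom of uc_stack, which is not visible in this hunk and worth stating next to the subq. The rest of __cont_link_context (the cygwin_exit path and `.seh_endproc`) continues in the following hunk.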
@@ -1939,6 +1944,7 @@ __cont_link_context: \n\
1: \n\
call cygwin_exit \n\
nop \n\
+ .seh_endproc \n\
");
#else