author | Andreas Schwab <schwab@suse.de> | 2017-01-18 12:56:41 -0800 |
---|---|---|
committer | Stan Shebs <stanshebs@google.com> | 2017-01-18 12:56:41 -0800 |
commit | e1c67173bfead6f83584f5042947591d731a06a5 (patch) | |
tree | 85159c08f219e9e40c00cb0f92a6c9e88490ea10 | |
parent | d701c3a0a506fa48855b91e511eb6e9348d634da (diff) | |
Missing unwind info in __startcontext causes infinite loop (BZ20435, CVE-2016-6323)
-rw-r--r-- | README.google | 5 | ||||
-rw-r--r-- | ports/sysdeps/unix/sysv/linux/arm/setcontext.S | 7 |
2 files changed, 12 insertions, 0 deletions
diff --git a/README.google b/README.google
index fef32de1c4..943deec446 100644
--- a/README.google
+++ b/README.google
@@ -657,3 +657,8 @@ catgets/tst-catgets.c
 Fix catopen() Multiple unbounded stack allocations (BZ17905, CVE-2015-8779)
 https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
 (stanshebs, backport)
+
+ports/sysdeps/unix/sysv/linux/arm/setcontext.S
+ Missing unwind info in __startcontext causes infinite loop (BZ20435, CVE-2016-6323)
+ https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617
+ (stanshebs, backport)
diff --git a/ports/sysdeps/unix/sysv/linux/arm/setcontext.S b/ports/sysdeps/unix/sysv/linux/arm/setcontext.S
index 7b9b511b80..7da16a95c2 100644
--- a/ports/sysdeps/unix/sysv/linux/arm/setcontext.S
+++ b/ports/sysdeps/unix/sysv/linux/arm/setcontext.S
@@ -86,12 +86,19 @@ weak_alias(__setcontext, setcontext)
 
 /* Called when a makecontext() context returns.  Start the context in
    R4 or fall through to exit().  */
+	/* Unwind descriptors are looked up based on PC - 2, so we have to
+	   make sure to mark the instruction preceding the __startcontext
+	   label as .cantunwind.  */
+	.fnstart
+	.cantunwind
+	nop
 ENTRY(__startcontext)
 	movs	r0, r4
 	bne	PLTJMP(__setcontext)
 	@ New context was 0 - exit
 	b	PLTJMP(HIDDEN_JUMPTARGET(_exit))
+	.fnend
 END(__startcontext)
 
 #ifdef PIC
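Review bot: The new comment explains the PC - 2 lookup but not why a `nop` is placed before `ENTRY(__startcontext)` instead of marking the label itself, which is what a later maintainer of the ENTRY macro needs to know to avoid reintroducing the loop. A frame whose return address is __startcontext (the address makecontext installs as LR) is looked up at __startcontext - 2, i.e. in the bytes before the label; the `nop` guarantees those bytes exist and lie inside the `.fnstart`/`.cantunwind` region, and any alignment padding ENTRY may emit between the `nop` and the label is covered by the same region. I would extend the comment: `/* The nop guarantees an instruction precedes the label (any padding ENTRY emits is covered too), so the PC - 2 lookup for a frame returning into __startcontext hits this .cantunwind region and the unwinder stops instead of looping (BZ20435, CVE-2016-6323).  */`. This backport also carries no regression test; if the upstream fix includes one that unwinds (e.g. via backtrace()) from inside a makecontext() context, backporting it would guard against `.fnend` being moved after `END(__startcontext)` in a later merge. The hunk's trailing context may extend past what is visible here.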