diff options
| author | H.J. Lu <hjl.tools@gmail.com> | 2017-07-19 10:56:19 -0700 |
|---|---|---|
| committer | H.J. Lu <hjl.tools@gmail.com> | 2017-07-19 11:10:31 -0700 |
| commit | d8a801c2eadd6a0286434a49fafdc6c8ef2e1556 (patch) | |
| tree | 6767060a4e0f026dcd5ab29dd1f4c46a0b1c288e | |
| parent | d500130f313572651e1d299f1677f8d677060fb2 (diff) | |
| download | glibc-hjl/pr21752/master.tar.gz glibc-hjl/pr21752/master.tar.xz glibc-hjl/pr21752/master.zip | |
Avoid accessing corrupted stack from __stack_chk_fail [BZ #21752] hjl/pr21752/master
__libc_argv[0] points to address on stack and __libc_secure_getenv accesses environment variables which are on stack. We should avoid accessing stack when stack is corrupted. This patch also renames function argument in __fortify_fail_abort from do_backtrace to need_backtrace to avoid confusion with do_backtrace from enum __libc_message_action. [BZ #21752] * debug/fortify_fail.c (__fortify_fail_abort): Don't pass down __libc_argv[0] if we aren't doing backtrace. Rename do_backtrace to need_backtrace. * sysdeps/posix/libc_fatal.c (__libc_message): Don't call __libc_secure_getenv if we aren't doing backtrace.
| -rw-r--r-- | debug/fortify_fail.c | 12 | ||||
| -rw-r--r-- | sysdeps/posix/libc_fatal.c | 15 |
2 files changed, 18 insertions, 9 deletions
diff --git a/debug/fortify_fail.c b/debug/fortify_fail.c index c90d384daf..a0777ae570 100644 --- a/debug/fortify_fail.c +++ b/debug/fortify_fail.c @@ -24,13 +24,17 @@ extern char **__libc_argv attribute_hidden; void __attribute__ ((noreturn)) internal_function -__fortify_fail_abort (_Bool do_backtrace, const char *msg) +__fortify_fail_abort (_Bool need_backtrace, const char *msg) { - /* The loop is added only to keep gcc happy. */ + /* The loop is added only to keep gcc happy. Don't pass down + __libc_argv[0] if we aren't doing backtrace since __libc_argv[0] + may point to the corrupted stack. */ while (1) - __libc_message (do_backtrace ? (do_abort | do_backtrace) : do_abort, + __libc_message (need_backtrace ? (do_abort | do_backtrace) : do_abort, "*** %s ***: %s terminated\n", - msg, __libc_argv[0] ?: "<unknown>"); + msg, + (need_backtrace && __libc_argv[0] != NULL + ? __libc_argv[0] : "<unknown>")); } void diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c index 25af8bd413..c9189194dd 100644 --- a/sysdeps/posix/libc_fatal.c +++ b/sysdeps/posix/libc_fatal.c @@ -75,11 +75,16 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...) FATAL_PREPARE; #endif - /* Open a descriptor for /dev/tty unless the user explicitly - requests errors on standard error. */ - const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_"); - if (on_2 == NULL || *on_2 == '\0') - fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY); + /* Don't call __libc_secure_getenv if we aren't doing backtrace, which + may access the corrupted stack. */ + if ((action & do_backtrace)) + { + /* Open a descriptor for /dev/tty unless the user explicitly + requests errors on standard error. */ + const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_"); + if (on_2 == NULL || *on_2 == '\0') + fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY); + } if (fd == -1) fd = STDERR_FILENO; |