about summary refs log tree commit diff
diff options
context:
space:
mode:
authorH.J. Lu <hjl.tools@gmail.com>2017-07-19 10:56:19 -0700
committerH.J. Lu <hjl.tools@gmail.com>2017-07-19 11:10:31 -0700
commitd8a801c2eadd6a0286434a49fafdc6c8ef2e1556 (patch)
tree6767060a4e0f026dcd5ab29dd1f4c46a0b1c288e
parentd500130f313572651e1d299f1677f8d677060fb2 (diff)
downloadglibc-d8a801c2eadd6a0286434a49fafdc6c8ef2e1556.tar.gz
glibc-d8a801c2eadd6a0286434a49fafdc6c8ef2e1556.tar.xz
glibc-d8a801c2eadd6a0286434a49fafdc6c8ef2e1556.zip
Avoid accessing corrupted stack from __stack_chk_fail [BZ #21752] hjl/pr21752/master
__libc_argv[0] points to address on stack and __libc_secure_getenv
accesses environment variables which are on stack.  We should avoid
accessing stack when stack is corrupted.

This patch also renames function argument in __fortify_fail_abort
from do_backtrace to need_backtrace to avoid confusion with do_backtrace
from enum __libc_message_action.

	[BZ #21752]
	* debug/fortify_fail.c (__fortify_fail_abort): Don't pass down
	__libc_argv[0] if we aren't doing backtrace.  Rename do_backtrace
	to need_backtrace.
	* sysdeps/posix/libc_fatal.c (__libc_message): Don't call
	__libc_secure_getenv if we aren't doing backtrace.
-rw-r--r--debug/fortify_fail.c12
-rw-r--r--sysdeps/posix/libc_fatal.c15
2 files changed, 18 insertions, 9 deletions
diff --git a/debug/fortify_fail.c b/debug/fortify_fail.c
index c90d384daf..a0777ae570 100644
--- a/debug/fortify_fail.c
+++ b/debug/fortify_fail.c
@@ -24,13 +24,17 @@ extern char **__libc_argv attribute_hidden;
 
 void
 __attribute__ ((noreturn)) internal_function
-__fortify_fail_abort (_Bool do_backtrace, const char *msg)
+__fortify_fail_abort (_Bool need_backtrace, const char *msg)
 {
-  /* The loop is added only to keep gcc happy.  */
+  /* The loop is added only to keep gcc happy.  Don't pass down
+     __libc_argv[0] if we aren't doing backtrace since __libc_argv[0]
+     may point to the corrupted stack.  */
   while (1)
-    __libc_message (do_backtrace ? (do_abort | do_backtrace) : do_abort,
+    __libc_message (need_backtrace ? (do_abort | do_backtrace) : do_abort,
 		    "*** %s ***: %s terminated\n",
-		    msg, __libc_argv[0] ?: "<unknown>");
+		    msg,
+		    (need_backtrace && __libc_argv[0] != NULL
+		     ? __libc_argv[0] : "<unknown>"));
 }
 
 void
diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
index 25af8bd413..c9189194dd 100644
--- a/sysdeps/posix/libc_fatal.c
+++ b/sysdeps/posix/libc_fatal.c
@@ -75,11 +75,16 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...)
   FATAL_PREPARE;
 #endif
 
-  /* Open a descriptor for /dev/tty unless the user explicitly
-     requests errors on standard error.  */
-  const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_");
-  if (on_2 == NULL || *on_2 == '\0')
-    fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY);
+  /* Don't call __libc_secure_getenv if we aren't doing backtrace, which
+     may access the corrupted stack.  */
+  if ((action & do_backtrace))
+    {
+      /* Open a descriptor for /dev/tty unless the user explicitly
+	 requests errors on standard error.  */
+      const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_");
+      if (on_2 == NULL || *on_2 == '\0')
+	fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY);
+    }
 
   if (fd == -1)
     fd = STDERR_FILENO;