diff options
author | Florian Weimer <fweimer@redhat.com> | 2015-10-06 13:12:36 +0200 |
---|---|---|
committer | Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com> | 2016-07-11 13:53:12 -0300 |
commit | 66986dec455c2011085a04b72a5bd55d9f9c7d1c (patch) | |
tree | 275ba79b1220c9cf0cd3901b5fce11975968fdee | |
parent | dea992adae5ff1194d7e49b698424eba741df62a (diff) | |
download | glibc-66986dec455c2011085a04b72a5bd55d9f9c7d1c.tar.gz glibc-66986dec455c2011085a04b72a5bd55d9f9c7d1c.tar.xz glibc-66986dec455c2011085a04b72a5bd55d9f9c7d1c.zip |
Harden tls_dtor_list with pointer mangling [BZ #19018]
(cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549) Conflicts: NEWS stdlib/cxa_thread_atexit_impl.c
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | stdlib/cxa_thread_atexit_impl.c | 12 |
3 files changed, 19 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog index f0bd736694..5d3bc8f7d2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,12 @@ 2016-07-11 Florian Weimer <fweimer@redhat.com> + [BZ #19018] + * stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl): + Mangle function pointer before storing it. + (__call_tls_dtors): Demangle function pointer before calling it. + +2016-07-11 Florian Weimer <fweimer@redhat.com> + [BZ #18928] * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove _dl_pointer_guard member. diff --git a/NEWS b/NEWS index 9bd31e4ab4..41481cd33e 100644 --- a/NEWS +++ b/NEWS @@ -12,8 +12,8 @@ Version 2.19.1 15946, 16009, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760, 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069, 17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905, - 18007, 18032, 18080, 18240, 18287, 18508, 18665, 18905, 18928, 19779, - 19791, 19879, 20010, 20112. + 18007, 18032, 18080, 18240, 18287, 18508, 18665, 18905, 18928, 19018, + 19779, 19791, 19879, 20010, 20112. * A buffer overflow in gethostbyname_r and related functions performing DNS requests has been fixed. If the NSS functions were called with a diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c index d2f88d3ed8..6030e5fc6f 100644 --- a/stdlib/cxa_thread_atexit_impl.c +++ b/stdlib/cxa_thread_atexit_impl.c @@ -42,6 +42,10 @@ static __thread struct link_map *lm_cache; int __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol) { +#ifdef PTR_MANGLE + PTR_MANGLE (func); +#endif + /* Prepend. */ struct dtor_list *new = calloc (1, sizeof (struct dtor_list)); new->func = func; @@ -83,9 +87,13 @@ __call_tls_dtors (void) while (tls_dtor_list) { struct dtor_list *cur = tls_dtor_list; - tls_dtor_list = tls_dtor_list->next; + dtor_func func = cur->func; +#ifdef PTR_DEMANGLE + PTR_DEMANGLE (func); +#endif - cur->func (cur->obj); + tls_dtor_list = tls_dtor_list->next; + func (cur->obj); __rtld_lock_lock_recursive (GL(dl_load_lock)); |