libio: Disable vtable validation in case of interposition [BZ #23313]

(cherry picked from commit c402355dfa7807b8e0adb27c009135a7e2b9f1b0)

3 files changed, 22 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
index 7ecc33e61d..f1880ebc37 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2018-06-26  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23313]
+	* libio/vtables.c (check_stdfiles_vtables): New ELF constructor.
+
 2017-11-15  Steve Ellcey  <sellcey@cavium.com>
 
 	[BZ #22442]
diff --git a/NEWS b/NEWS
index 48d28e166a..5bcca538c6 100644
--- a/NEWS
+++ b/NEWS
@@ -144,6 +144,7 @@ The following bugs are resolved with this release:
   [23171] Fix parameter type in C++ version of iseqsig
   [23196] __mempcpy_avx512_no_vzeroupper mishandles large copies
   [23236] Harden function pointers in _IO_str_fields
+  [23313] libio: Disable vtable validation in case of interposition
   [23349] Various glibc headers no longer compatible with <linux/time.h>
 
 Version 2.26
diff --git a/libio/vtables.c b/libio/vtables.c
index 41b48db98c..a11226ab17 100644
--- a/libio/vtables.c
+++ b/libio/vtables.c
@@ -70,3 +70,19 @@ _IO_vtable_check (void)
 
   __libc_fatal ("Fatal error: glibc detected an invalid stdio handle\n");
 }
+
+/* Some variants of libstdc++ interpose _IO_2_1_stdin_ etc. and
+   install their own vtables directly, without calling _IO_init or
+   other functions.  Detect this by looking at the vtables values
+   during startup, and disable vtable validation in this case.  */
+#ifdef SHARED
+__attribute__ ((constructor))
+static void
+check_stdfiles_vtables (void)
+{
+  if (_IO_2_1_stdin_.vtable != &_IO_file_jumps
+      || _IO_2_1_stdout_.vtable != &_IO_file_jumps
+      || _IO_2_1_stderr_.vtable != &_IO_file_jumps)
+    IO_set_accept_foreign_vtables (&_IO_vtable_check);
+}
+#endif