Harden tls_dtor_list with pointer mangling [BZ #19018]

(cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)

3 files changed, 18 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index d0d2f56bf8..391ffca191 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-06  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #19018]
+	* stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl):
+	Mangle function pointer before storing it.
+	(__call_tls_dtors): Demangle function pointer before calling it.
+
 2015-10-15  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #18928]
diff --git a/NEWS b/NEWS
index fa6f58d17e..cb503d13b0 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,8 @@ Version 2.22.1
 
 * The following bugs are resolved with this release:
 
-  18589, 18778, 18781, 18787, 18796, 18870, 18887, 18921, 18928, 18969.
+  18589, 18778, 18781, 18787, 18796, 18870, 18887, 18921, 18928, 18969,
+  19018.
 
 * The LD_POINTER_GUARD environment variable can no longer be used to
   disable the pointer guard feature.  It is always enabled.
diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c
index 2d5d56a7fa..5717f09e76 100644
--- a/stdlib/cxa_thread_atexit_impl.c
+++ b/stdlib/cxa_thread_atexit_impl.c
@@ -98,6 +98,10 @@ static __thread struct link_map *lm_cache;
 int
 __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol)
 {
+#ifdef PTR_MANGLE
+  PTR_MANGLE (func);
+#endif
+
   /* Prepend.  */
   struct dtor_list *new = calloc (1, sizeof (struct dtor_list));
   new->func = func;
@@ -142,9 +146,13 @@ __call_tls_dtors (void)
   while (tls_dtor_list)
     {
       struct dtor_list *cur = tls_dtor_list;
+      dtor_func func = cur->func;
+#ifdef PTR_DEMANGLE
+      PTR_DEMANGLE (func);
+#endif
 
       tls_dtor_list = tls_dtor_list->next;
-      cur->func (cur->obj);
+      func (cur->obj);
 
       /* Ensure that the MAP dereference happens before
 	 l_tls_dtor_count decrement.  That way, we protect this access from a