diff options
| author | Florian Weimer <fweimer@redhat.com> | 2015-10-06 13:12:36 +0200 |
|---|---|---|
| committer | Florian Weimer <fweimer@redhat.com> | 2015-10-06 13:22:56 +0200 |
| commit | f586e1328681b400078c995a0bb6ad301ef73549 (patch) | |
| tree | bf4c5da9f4100db68bd62f244109687bed3d76dc | |
| parent | be64c2ef2ac2357ddff61841f2cc8246e5da1b20 (diff) | |
| download | glibc-f586e1328681b400078c995a0bb6ad301ef73549.tar.gz glibc-f586e1328681b400078c995a0bb6ad301ef73549.tar.xz glibc-f586e1328681b400078c995a0bb6ad301ef73549.zip | |
Harden tls_dtor_list with pointer mangling [BZ #19018]
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | stdlib/cxa_thread_atexit_impl.c | 10 |
3 files changed, 18 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog index 259b05e692..f482f689c6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2015-10-06 Florian Weimer <fweimer@redhat.com> + + [BZ #19018] + * stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl): + Mangle function pointer before storing it. + (__call_tls_dtors): Demangle function pointer before calling it. + 2015-10-05 Paul Pluzhnikov <ppluzhnikov@google.com> [BZ #19012] diff --git a/NEWS b/NEWS index 16f5cfb002..0f3f33f854 100644 --- a/NEWS +++ b/NEWS @@ -17,8 +17,8 @@ Version 2.23 18757, 18778, 18781, 18787, 18789, 18790, 18795, 18796, 18803, 18820, 18823, 18824, 18825, 18857, 18863, 18870, 18872, 18873, 18875, 18887, 18921, 18951, 18952, 18956, 18961, 18966, 18967, 18969, 18970, 18977, - 18980, 18981, 18985, 19003, 19012, 19016, 19032, 19046, 19049, 19050, - 19059, 19071. + 18980, 18981, 18985, 19003, 19012, 19016, 19018, 19032, 19046, 19049, + 19050, 19059, 19071. * The obsolete header <regexp.h> has been removed. Programs that require this header must be updated to use <regex.h> instead. diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c index 2d5d56a7fa..5717f09e76 100644 --- a/stdlib/cxa_thread_atexit_impl.c +++ b/stdlib/cxa_thread_atexit_impl.c @@ -98,6 +98,10 @@ static __thread struct link_map *lm_cache; int __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol) { +#ifdef PTR_MANGLE + PTR_MANGLE (func); +#endif + /* Prepend. */ struct dtor_list *new = calloc (1, sizeof (struct dtor_list)); new->func = func; @@ -142,9 +146,13 @@ __call_tls_dtors (void) while (tls_dtor_list) { struct dtor_list *cur = tls_dtor_list; + dtor_func func = cur->func; +#ifdef PTR_DEMANGLE + PTR_DEMANGLE (func); +#endif tls_dtor_list = tls_dtor_list->next; - cur->func (cur->obj); + func (cur->obj); /* Ensure that the MAP dereference happens before l_tls_dtor_count decrement. That way, we protect this access from a |