Harden tls_dtor_list with pointer mangling [BZ #19018]

Message ID	5613AD38.1050209@redhat.com
State	New
Headers	show Return-Path: <libc-alpha-return-63685-incoming=patchwork.ozlabs.org@sourceware.org> DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:to:from:subject:message-id:date:mime-version :content-type; q=dns; s=default; b=oVm9MGnwQMY7zJgSo0a4oC/RsV/Go u8K0KJAfY2BtxFvUFBSz4MgNeFP3SmD6G5OpvgNQY5tBGh42RiSoOV2qHbK+XhJc 0v6Ssm/ZjATQjaDUenK8Wh3FmmKNVltJedSklZh0lu2yrwGQZUIMNV0DZ6k4zDVR GyZJEOVJvUi2JA= Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk Sender: libc-alpha-owner@sourceware.org To: GNU C Library <libc-alpha@sourceware.org> From: Florian Weimer <fweimer@redhat.com> Subject: [PATCH] Harden tls_dtor_list with pointer mangling [BZ #19018] Message-ID: <5613AD38.1050209@redhat.com> Date: Tue, 6 Oct 2015 13:15:04 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------090605030701050609050308"

Message ID

5613AD38.1050209@redhat.com

State

New

Headers

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:message-id:date:mime-version
	:content-type; q=dns; s=default; b=oVm9MGnwQMY7zJgSo0a4oC/RsV/Go
	u8K0KJAfY2BtxFvUFBSz4MgNeFP3SmD6G5OpvgNQY5tBGh42RiSoOV2qHbK+XhJc
	0v6Ssm/ZjATQjaDUenK8Wh3FmmKNVltJedSklZh0lu2yrwGQZUIMNV0DZ6k4zDVR
	GyZJEOVJvUi2JA=
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: libc-alpha-owner@sourceware.org
To: GNU C Library <libc-alpha@sourceware.org>
From: Florian Weimer <fweimer@redhat.com>
Subject: [PATCH] Harden tls_dtor_list with pointer mangling [BZ #19018]
Message-ID: <5613AD38.1050209@redhat.com>
Date: Tue, 6 Oct 2015 13:15:04 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
	Thunderbird/38.2.0
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="------------090605030701050609050308"

Commit Message

Florian Weimer Oct. 6, 2015, 11:15 a.m. UTC

This patch mangles the destructor function pointer in tls_dtor_list with
pointer mangling, making it more difficult to construct a function
pointer which does not lead to a crash.

Tested with the new thread_local test on x86_64 (with thread_local
support in GCC).

Florian

Comments

Siddhesh Poyarekar Oct. 6, 2015, 11:21 a.m. UTC | #1

On Tuesday 06 October 2015 04:45 PM, Florian Weimer wrote:
> 2015-10-06  Florian Weimer  <fweimer@redhat.com>
> 
> 	[BZ #19018]
> 	* stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl):
> 	Mangle function pointer before storing it.
> 	(__call_tls_dtors): Demangle function pointer before calling it.

Looks OK to me.

Thanks,
Siddhesh

2015-10-06  Florian Weimer  <fweimer@redhat.com>

	[BZ #19018]
	* stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl):
	Mangle function pointer before storing it.
	(__call_tls_dtors): Demangle function pointer before calling it.

diff --git a/NEWS b/NEWS
index 16f5cfb..0f3f33f 100644
--- a/NEWS
+++ b/NEWS
@@ -17,8 +17,8 @@  Version 2.23
   18757, 18778, 18781, 18787, 18789, 18790, 18795, 18796, 18803, 18820,
   18823, 18824, 18825, 18857, 18863, 18870, 18872, 18873, 18875, 18887,
   18921, 18951, 18952, 18956, 18961, 18966, 18967, 18969, 18970, 18977,
-  18980, 18981, 18985, 19003, 19012, 19016, 19032, 19046, 19049, 19050,
-  19059, 19071.
+  18980, 18981, 18985, 19003, 19012, 19016, 19018, 19032, 19046, 19049,
+  19050, 19059, 19071.
 
 * The obsolete header <regexp.h> has been removed.  Programs that require
   this header must be updated to use <regex.h> instead.
diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c
index 2d5d56a..5717f09 100644
--- a/stdlib/cxa_thread_atexit_impl.c
+++ b/stdlib/cxa_thread_atexit_impl.c
@@ -98,6 +98,10 @@  static __thread struct link_map *lm_cache;
 int
 __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol)
 {
+#ifdef PTR_MANGLE
+  PTR_MANGLE (func);
+#endif
+
   /* Prepend.  */
   struct dtor_list *new = calloc (1, sizeof (struct dtor_list));
   new->func = func;
@@ -142,9 +146,13 @@  __call_tls_dtors (void)
   while (tls_dtor_list)
     {
       struct dtor_list *cur = tls_dtor_list;
+      dtor_func func = cur->func;
+#ifdef PTR_DEMANGLE
+      PTR_DEMANGLE (func);
+#endif
 
       tls_dtor_list = tls_dtor_list->next;
-      cur->func (cur->obj);
+      func (cur->obj);
 
       /* Ensure that the MAP dereference happens before
 	 l_tls_dtor_count decrement.  That way, we protect this access from a

Harden tls_dtor_list with pointer mangling [BZ #19018]

Commit Message

Comments

Patch