Harden tls_dtor_list with pointer mangling [BZ #19018]

Message ID 5613AD38.1050209@redhat.com
State New

Commit Message

Florian Weimer Oct. 6, 2015, 11:15 a.m. UTC
This patch mangles the destructor function pointer in tls_dtor_list with
pointer mangling, making it more difficult to construct a function
pointer which does not lead to a crash.

Tested with the new thread_local test on x86_64 (with thread_local
support in GCC).

Florian
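
The idea the message describes, as an added C example (not glibc code and not part of the original message): a destructor list that keeps its function pointer XORed with a secret and rotated, and restores it only just before the call. `demo_mangle`, `demo_demangle`, the `guard` constant and the rotate count are assumptions made for illustration, not glibc's PTR_MANGLE implementation.

```c
#include <stdint.h>
#include <stdlib.h>

typedef void (*dtor_func) (void *);

/* Constructed demo secret.  A real guard must be random per process and
   stored away from the data it protects.  */
static uintptr_t guard = (uintptr_t) 0x5bd1e9955bd1e995ULL;
#define ROT 17
#define BITS (sizeof (uintptr_t) * 8)
/* Hypothetical stand-ins for PTR_MANGLE / PTR_DEMANGLE: XOR, then rotate.  */
static uintptr_t demo_mangle (dtor_func f) {
  uintptr_t v = (uintptr_t) f ^ guard;
  return (v << ROT) | (v >> (BITS - ROT));
}
static dtor_func demo_demangle (uintptr_t m) {
  return (dtor_func) (((m >> ROT) | (m << (BITS - ROT))) ^ guard);
}

struct demo_dtor { uintptr_t func; void *obj; struct demo_dtor *next; };
static struct demo_dtor *demo_list;

/* Store only the mangled form; the raw address never sits in the heap.  */
int demo_register (dtor_func f, void *obj) {
  struct demo_dtor *n = calloc (1, sizeof *n);
  if (n == NULL) return -1;
  n->func = demo_mangle (f);
  n->obj = obj;
  n->next = demo_list;
  demo_list = n;
  return 0;
}
/* Demangle just before the call; returns how many destructors ran.  */
int demo_run_all (void) {
  int ran = 0;
  while (demo_list != NULL) {
    struct demo_dtor *cur = demo_list;
    dtor_func f = demo_demangle (cur->func);
    demo_list = cur->next;
    f (cur->obj);
    free (cur);
    ran++;
  }
  return ran;
}
static void bump (void *p) { ++*(int *) p; }   /* sample destructor */
int main (void) {
  int n = 0;
  return !(demo_register (bump, &n) == 0 && demo_run_all () == 1 && n == 1);
}
```

A value written into `func` without knowledge of `guard` demangles to a different address than the one written, which is why a corrupted entry is far more likely to crash than to reach a chosen function.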

Comments

Siddhesh Poyarekar Oct. 6, 2015, 11:21 a.m. UTC | #1
On Tuesday 06 October 2015 04:45 PM, Florian Weimer wrote:
> 2015-10-06  Florian Weimer  <fweimer@redhat.com>
> 
> 	[BZ #19018]
> 	* stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl):
> 	Mangle function pointer before storing it.
> 	(__call_tls_dtors): Demangle function pointer before calling it.

Looks OK to me.

Thanks,
Siddhesh

Patch

2015-10-06  Florian Weimer  <fweimer@redhat.com>

	[BZ #19018]
	* stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl):
	Mangle function pointer before storing it.
	(__call_tls_dtors): Demangle function pointer before calling it.

diff --git a/NEWS b/NEWS
index 16f5cfb..0f3f33f 100644
--- a/NEWS
+++ b/NEWS
@@ -17,8 +17,8 @@  Version 2.23
   18757, 18778, 18781, 18787, 18789, 18790, 18795, 18796, 18803, 18820,
   18823, 18824, 18825, 18857, 18863, 18870, 18872, 18873, 18875, 18887,
   18921, 18951, 18952, 18956, 18961, 18966, 18967, 18969, 18970, 18977,
-  18980, 18981, 18985, 19003, 19012, 19016, 19032, 19046, 19049, 19050,
-  19059, 19071.
+  18980, 18981, 18985, 19003, 19012, 19016, 19018, 19032, 19046, 19049,
+  19050, 19059, 19071.
 
 * The obsolete header <regexp.h> has been removed.  Programs that require
   this header must be updated to use <regex.h> instead.
diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c
index 2d5d56a..5717f09 100644
--- a/stdlib/cxa_thread_atexit_impl.c
+++ b/stdlib/cxa_thread_atexit_impl.c
@@ -98,6 +98,10 @@  static __thread struct link_map *lm_cache;
 int
 __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol)
 {
+#ifdef PTR_MANGLE
+  PTR_MANGLE (func);
+#endif
+
   /* Prepend.  */
   struct dtor_list *new = calloc (1, sizeof (struct dtor_list));
   new->func = func;
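Review bot: In __cxa_thread_atexit_impl the parameter func is overwritten with its mangled value at the top of the function, so every later use of func in this function sees the mangled form, and nothing in the code says so. Mangling at the store into new->func instead, or adding a comment above the PTR_MANGLE block stating that func is mangled from here on and may only be stored, never called or compared, would protect later edits. With the #ifdef PTR_MANGLE guard, a target that lacks the macro silently stores the plain pointer; a one-line comment saying the hardening is best-effort on such targets would make that explicit.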
@@ -142,9 +146,13 @@  __call_tls_dtors (void)
   while (tls_dtor_list)
     {
       struct dtor_list *cur = tls_dtor_list;
+      dtor_func func = cur->func;
+#ifdef PTR_DEMANGLE
+      PTR_DEMANGLE (func);
+#endif
 
       tls_dtor_list = tls_dtor_list->next;
-      cur->func (cur->obj);
+      func (cur->obj);
 
       /* Ensure that the MAP dereference happens before
 	 l_tls_dtor_count decrement.  That way, we protect this access from a
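Review bot: The call side in __call_tls_dtors is guarded by #ifdef PTR_DEMANGLE while the store side is guarded by #ifdef PTR_MANGLE; if a target ever defined only one of the two, the value stored and the value called would disagree. Guarding both sites with the same macro would rule that out. Only func is mangled in the visible lines: cur->obj and the next link are still read as stored, which is worth a comment next to the PTR_DEMANGLE block so the scope of the hardening is clear to later readers.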