From patchwork Tue Oct 6 11:15:04 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Weimer X-Patchwork-Id: 526702 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Authentication-Results: sourceware.org; 
auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.3 required=5.0 tests=AWL, BAYES_50, SPF_HELO_PASS, T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 X-HELO: mx1.redhat.com To: GNU C Library From: Florian Weimer Subject: [PATCH] Harden tls_dtor_list with pointer mangling [BZ #19018] Message-ID: <5613AD38.1050209@redhat.com> Date: Tue, 6 Oct 2015 13:15:04 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 MIME-Version: 1.0 This patch mangles the destructor function pointer in tls_dtor_list with pointer mangling, making it more difficult to construct a function pointer which does not lead to a crash. Tested with the new thread_local test on x86_64 (with thread_local support in GCC). Florian 2015-10-06 Florian Weimer [BZ #19018] * stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl): Mangle function pointer before storing it. (__call_tls_dtors): Demangle function pointer before calling it. diff --git a/NEWS b/NEWS index 16f5cfb..0f3f33f 100644 --- a/NEWS +++ b/NEWS @@ -17,8 +17,8 @@ Version 2.23 18757, 18778, 18781, 18787, 18789, 18790, 18795, 18796, 18803, 18820, 18823, 18824, 18825, 18857, 18863, 18870, 18872, 18873, 18875, 18887, 18921, 18951, 18952, 18956, 18961, 18966, 18967, 18969, 18970, 18977, - 18980, 18981, 18985, 19003, 19012, 19016, 19032, 19046, 19049, 19050, - 19059, 19071. + 18980, 18981, 18985, 19003, 19012, 19016, 19018, 19032, 19046, 19049, + 19050, 19059, 19071. * The obsolete header has been removed. Programs that require this header must be updated to use instead. diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c index 2d5d56a..5717f09 100644 --- a/stdlib/cxa_thread_atexit_impl.c +++ b/stdlib/cxa_thread_atexit_impl.c 
@@ -98,6 +98,10 @@ static __thread struct link_map *lm_cache; int __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol) { +#ifdef PTR_MANGLE + PTR_MANGLE (func); +#endif + /* Prepend. */ struct dtor_list *new = calloc (1, sizeof (struct dtor_list)); new->func = func; @@ -142,9 +146,13 @@ __call_tls_dtors (void) while (tls_dtor_list) { struct dtor_list *cur = tls_dtor_list; + dtor_func func = cur->func; +#ifdef PTR_DEMANGLE + PTR_DEMANGLE (func); +#endif tls_dtor_list = tls_dtor_list->next; - cur->func (cur->obj); + func (cur->obj); /* Ensure that the MAP dereference happens before l_tls_dtor_count decrement. That way, we protect this access from a
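Review bot: In the first hunk of stdlib/cxa_thread_atexit_impl.c, PTR_MANGLE (func) overwrites the parameter at the top of __cxa_thread_atexit_impl, so every later use of func in that function sees the mangled value, and nothing in the hunk says so. A one-line comment above the #ifdef stating that func is mangled from here on and may only be stored would protect later edits, or the mangling could be applied to a local copy next to `new->func = func;` so the parameter stays callable. When PTR_MANGLE is undefined the raw pointer is stored without any indication; a comment noting that fallback would help readers of ports that lack the macro.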
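Review bot: In the __call_tls_dtors hunk the demangle is guarded by `#ifdef PTR_DEMANGLE`, while the store in __cxa_thread_atexit_impl is guarded by `#ifdef PTR_MANGLE`, so the two sides only agree if a port defines both macros or neither. If one were defined without the other, `func (cur->obj)` would call a pointer in the wrong form. Guarding both sites on the same macro, or stating the pairing assumption in a comment, would make that explicit. Copying cur->func into a local before demangling is the right shape, since the list entry is never rewritten with the plain pointer.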