From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 89089 invoked by alias); 19 Jul 2017 18:50:41 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Received: (qmail 89070 invoked by uid 89); 19 Jul 2017 18:50:41 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-25.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY,NO_DNS_FOR_FROM,RP_MATCHES_RCVD autolearn=ham version=3.3.2 spammy= X-HELO: mga09.intel.com X-ExtLoop1: 1 Date: Wed, 19 Jul 2017 18:50:00 -0000 From: "H.J. Lu" To: GNU C Library Subject: [PATCH] Avoid accessing corrupted stack from __stack_chk_fail [BZ #21752] Message-ID: <20170719185036.GA32763@gmail.com> Reply-To: "H.J. Lu" MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.8.3 (2017-05-23) X-SW-Source: 2017-07/txt/msg00696.txt.bz2 __libc_argv[0] points to address on stack and __libc_secure_getenv accesses environment variables which are on stack. We should avoid accessing stack when stack is corrupted. This patch also renames function argument in __fortify_fail_abort from do_backtrace to need_backtrace to avoid confusion with do_backtrace from enum __libc_message_action. Tested on x86-64 and i686. OK for master? H.J. --- [BZ #21752] * debug/fortify_fail.c (__fortify_fail_abort): Don't pass down __libc_argv[0] if we aren't doing backtrace. Rename do_backtrace to need_backtrace. * sysdeps/posix/libc_fatal.c (__libc_message): Don't call __libc_secure_getenv if we aren't doing backtrace. --- debug/fortify_fail.c | 12 ++++++++---- sysdeps/posix/libc_fatal.c | 15 ++++++++++----- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/debug/fortify_fail.c b/debug/fortify_fail.c index c90d384daf..a0777ae570 100644 --- a/debug/fortify_fail.c +++ b/debug/fortify_fail.c @@ -24,13 +24,17 @@ extern char **__libc_argv attribute_hidden; void __attribute__ ((noreturn)) internal_function -__fortify_fail_abort (_Bool do_backtrace, const char *msg) +__fortify_fail_abort (_Bool need_backtrace, const char *msg) { - /* The loop is added only to keep gcc happy. */ + /* The loop is added only to keep gcc happy. Don't pass down + __libc_argv[0] if we aren't doing backtrace since __libc_argv[0] + may point to the corrupted stack. */ while (1) - __libc_message (do_backtrace ? (do_abort | do_backtrace) : do_abort, + __libc_message (need_backtrace ? (do_abort | do_backtrace) : do_abort, "*** %s ***: %s terminated\n", - msg, __libc_argv[0] ?: ""); + msg, + (need_backtrace && __libc_argv[0] != NULL + ? __libc_argv[0] : "")); } void diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c index 25af8bd413..c9189194dd 100644 --- a/sysdeps/posix/libc_fatal.c +++ b/sysdeps/posix/libc_fatal.c @@ -75,11 +75,16 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...) FATAL_PREPARE; #endif - /* Open a descriptor for /dev/tty unless the user explicitly - requests errors on standard error. */ - const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_"); - if (on_2 == NULL || *on_2 == '\0') - fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY); + /* Don't call __libc_secure_getenv if we aren't doing backtrace, which + may access the corrupted stack. */ + if ((action & do_backtrace)) + { + /* Open a descriptor for /dev/tty unless the user explicitly + requests errors on standard error. */ + const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_"); + if (on_2 == NULL || *on_2 == '\0') + fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY); + } if (fd == -1) fd = STDERR_FILENO; -- 2.13.3