From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-stable-return-184-listarch-libc-stable=sourceware.org@sourceware.org>
Received: (qmail 127163 invoked by alias); 11 Jul 2016 17:09:06 -0000
Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:libc-stable@sourceware.org>
List-Help: <mailto:libc-stable-help@sourceware.org>
List-Subscribe: <mailto:libc-stable-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-stable/>
Sender: libc-stable-owner@sourceware.org
Received: (qmail 127151 invoked by uid 89); 11 Jul 2016 17:09:05 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Checked: by ClamAV 0.99.1 on sourceware.org
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-1.6 required=5.0 tests=AWL,BAYES_00,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_LOW autolearn=no version=3.3.2 spammy=*cur, COMMITTED, cherry, prepend
X-Spam-Status: No, score=-1.6 required=5.0 tests=AWL,BAYES_00,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_LOW autolearn=no version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org
X-Spam-Level: 
X-HELO: mx0a-001b2d01.pphosted.com
X-IBM-Helo: d24dlp01.br.ibm.com
X-IBM-MailFrom: tuliom@linux.vnet.ibm.com
X-IBM-RcptTo: libc-stable@sourceware.org
From: "Tulio Magno Quites Machado Filho" <tuliom@linux.vnet.ibm.com>
To: libc-stable@sourceware.org
Cc: Florian Weimer <fweimer@redhat.com>
Subject: [COMMITTED 2.19] Harden tls_dtor_list with pointer mangling [BZ #19018]
Date: Fri, 01 Jan 2016 00:00:00 -0000
X-Mailer: git-send-email 2.1.0
In-Reply-To: <1468256896-29138-1-git-send-email-tuliom@linux.vnet.ibm.com>
References: <1468256896-29138-1-git-send-email-tuliom@linux.vnet.ibm.com>
X-TM-AS-MML: disable
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 16071117-0028-0000-0000-00000123041F
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 16071117-0029-0000-0000-000013CCD01A
Message-Id: <1468256896-29138-3-git-send-email-tuliom@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2016-07-11_11:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1
 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam
 adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000
 definitions=main-1607110170
X-SW-Source: 2016-07/txt/msg00005.txt.bz2

From: Florian Weimer <fweimer@redhat.com>

(cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)

Conflicts:
	NEWS
	stdlib/cxa_thread_atexit_impl.c
---
 ChangeLog                       |  7 +++++++
 NEWS                            |  4 ++--
 stdlib/cxa_thread_atexit_impl.c | 12 ++++++++++--
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f0bd736..5d3bc8f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2016-07-11  Florian Weimer  <fweimer@redhat.com>
 
+	[BZ #19018]
+	* stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl):
+	Mangle function pointer before storing it.
+	(__call_tls_dtors): Demangle function pointer before calling it.
+
+2016-07-11  Florian Weimer  <fweimer@redhat.com>
+
 	[BZ #18928]
 	* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
 	_dl_pointer_guard member.
diff --git a/NEWS b/NEWS
index 9bd31e4..41481cd 100644
--- a/NEWS
+++ b/NEWS
@@ -12,8 +12,8 @@ Version 2.19.1
   15946, 16009, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759,
   16760, 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062,
   17069, 17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905,
-  18007, 18032, 18080, 18240, 18287, 18508, 18665, 18905, 18928, 19779,
-  19791, 19879, 20010, 20112.
+  18007, 18032, 18080, 18240, 18287, 18508, 18665, 18905, 18928, 19018,
+  19779, 19791, 19879, 20010, 20112.
 
 * A buffer overflow in gethostbyname_r and related functions performing DNS
   requests has been fixed.  If the NSS functions were called with a
diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c
index d2f88d3..6030e5f 100644
--- a/stdlib/cxa_thread_atexit_impl.c
+++ b/stdlib/cxa_thread_atexit_impl.c
@@ -42,6 +42,10 @@ static __thread struct link_map *lm_cache;
 int
 __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol)
 {
+#ifdef PTR_MANGLE
+  PTR_MANGLE (func);
+#endif
+
   /* Prepend.  */
   struct dtor_list *new = calloc (1, sizeof (struct dtor_list));
   new->func = func;
@@ -83,9 +87,13 @@ __call_tls_dtors (void)
   while (tls_dtor_list)
     {
       struct dtor_list *cur = tls_dtor_list;
-      tls_dtor_list = tls_dtor_list->next;
+      dtor_func func = cur->func;
+#ifdef PTR_DEMANGLE
+      PTR_DEMANGLE (func);
+#endif
 
-      cur->func (cur->obj);
+      tls_dtor_list = tls_dtor_list->next;
+      func (cur->obj);
 
       __rtld_lock_lock_recursive (GL(dl_load_lock));
 
-- 
2.1.0