From: fweimer@redhat.com (Florian Weimer)
To: libc-stable@sourceware.org
Received: (qmail 54501 invoked by alias); 18 Aug 2016 09:59:46 -0000
Date: Fri, 01 Jan 2016 00:00:00 -0000
Subject: [2.24 COMMITTED] arm: mark __startcontext as .cantunwind (bug 20435)
Message-Id: <20160818095934.53795439942E2@oldenburg.str.redhat.com>

__startcontext marks the bottom of the call stack of the contexts
created by makecontext.

(cherry picked from commit 9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617)

Also includes the NEWS update, cherry-picked from commits
056dd72af83f5459ce6d545a49dea6dba7d635dc and
4d047efdbc55b0d68947cde682e5363d16a66294.

2016-08-15  Andreas Schwab

	[BZ #20435]
	* sysdeps/unix/sysv/linux/arm/setcontext.S (__startcontext): Mark
	as .cantunwind.

diff --git a/NEWS b/NEWS
index b0447e7..4a042db 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,17 @@ See the end for copying conditions. Please send GNU C library bug reports via using `glibc' in the "product" field. +Version 2.24.1 + +Security related changes: + +* On ARM EABI (32-bit), generating a backtrace for execution contexts which + have been created with makecontext could fail to terminate due to a + missing .cantunwind annotation. This has been observed to lead to a hang + (denial of service) in some Go applications compiled with gccgo. Reported + by Andreas Schwab. (CVE-2016-6323) + + Version 2.24 * The minimum Linux kernel version that this version of the GNU C Library diff --git a/sysdeps/unix/sysv/linux/arm/setcontext.S b/sysdeps/unix/sysv/linux/arm/setcontext.S index 603e508..d1f168f 100644 --- a/sysdeps/unix/sysv/linux/arm/setcontext.S +++ b/sysdeps/unix/sysv/linux/arm/setcontext.S @@ -86,12 +86,19 @@ weak_alias(__setcontext, setcontext) /* Called when a makecontext() context returns. Start the context in R4 or fall through to exit(). */ + /* Unwind descriptors are looked up based on PC - 2, so we have to + make sure to mark the instruction preceding the __startcontext + label as .cantunwind. */ + .fnstart + .cantunwind + nop ENTRY(__startcontext) movs r0, r4 bne PLTJMP(__setcontext) @ New context was 0 - exit b PLTJMP(HIDDEN_JUMPTARGET(exit)) + .fnend END(__startcontext) #ifdef PIC
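Review bot: the NEWS entry for 2.24.1 records CVE-2016-6323 but not [BZ #20435], which the ChangeLog entry and the subject line reference; listing the bug number alongside the CVE (e.g. "Reported by Andreas Schwab. (CVE-2016-6323, BZ #20435)") keeps the two identifiers cross-referenceable for anyone auditing the stable branch. The impact wording is otherwise what a downstream triager needs: it names the affected ABI (ARM EABI, 32-bit), the trigger (a backtrace of a context created with makecontext) and the observed effect (a hang in gccgo-compiled Go programs).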
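Review bot: the new .fnstart/.cantunwind/.fnend region deliberately opens before ENTRY(__startcontext) and pads with a nop so that, as the added comment explains, the PC - 2 unwind lookup for the first instruction of __startcontext lands inside the .cantunwind region; since the hunk does not show what ENTRY() expands to, that should be confirmed on the built object (readelf --unwind on libc.so should show a cantunwind entry starting at or below __startcontext - 2). The diff changes only NEWS and setcontext.S; a regression test that calls backtrace() from a function entered via makecontext and checks that the call returns would guard the hang described in the NEWS entry from reappearing on ARM.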