From: Patsy Griffin Date: Wed, 18 Mar 2020 17:00:07 -0400 Subject: [2.29 COMMITTED] Fix array overflow in backtrace on PowerPC (bug 25423) To: libc-stable@sourceware.org From: Andreas Schwab When unwinding through a signal frame the backtrace function on PowerPC didn't check array bounds when storing the frame address. Fixes commit d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines"). (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494) --- debug/tst-backtrace5.c | 12 ++++++++++++ sysdeps/powerpc/powerpc32/backtrace.c | 2 ++ sysdeps/powerpc/powerpc64/backtrace.c | 2 ++ 3 files changed, 16 insertions(+) diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c index 5a5ce8bc79..aed5ee4c94 100644 --- a/debug/tst-backtrace5.c +++ b/debug/tst-backtrace5.c @@ -89,6 +89,18 @@ handle_signal (int signum) } /* Symbol names are not available for static functions, so we do not check do_test. */ + + /* Check that backtrace does not return more than what fits in the array + (bug 25423). */ + for (int j =3D 0; j < NUM_FUNCTIONS; j++) + { + n =3D backtrace (addresses, j); + if (n > j) + { + FAIL (); + return; + } + } } NO_INLINE int 
diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c index 857a8aad7b..dc187a8f20 100644 --- a/sysdeps/powerpc/powerpc32/backtrace.c +++ b/sysdeps/powerpc/powerpc32/backtrace.c @@ -114,6 +114,8 @@ __backtrace (void **array, int size) } if (gregset) { + if (count + 1 =3D=3D size) + break; array[++count] =3D (void*)((*gregset)[PT_NIP]); current =3D (void*)((*gregset)[PT_R1]); } diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c index 7a167838d9..ce038a139f 100644 --- a/sysdeps/powerpc/powerpc64/backtrace.c +++ b/sysdeps/powerpc/powerpc64/backtrace.c @@ -87,6 +87,8 @@ __backtrace (void **array, int size) if (is_sigtramp_address (current->return_address)) { struct signal_frame_64 *sigframe =3D (struct signal_frame_64*) current; + if (count + 1 =3D=3D size) + break; array[++count] =3D (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP]; current =3D (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1]; } --=20 2.21.1
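Review bot: In the debug/tst-backtrace5.c hunk, the `if (n > j)` check looks only at the return value, so a store past the requested size that still returned n <= j would pass. Consider writing a sentinel into addresses[j] before each call and checking that it is unchanged afterwards (provided addresses has room for index j, which the hunk does not show), so the test observes the out-of-bounds write itself and not just its effect on the count.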
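Review bot: In the powerpc32 hunk, `if (count + 1 == size)` is safe only if count < size always holds at this point, and that invariant lives in loop code outside the hunk. Writing the guard as `count + 1 >= size` would make the check before `array[++count]` self-contained at no cost.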
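Review bot: In the powerpc64 hunk, the new `break` before `array[++count]` carries no comment, and the same two lines are repeated in the powerpc32 file. A one-line comment stating that the signal frame's PT_NIP entry is dropped when the array is full (bug 25423) would keep the two copies understandable and make it clear that the truncation is intended.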