From: Patsy Griffin
Date: Wed, 18 Mar 2020 13:38:15 -0400
Subject: [2.30 COMMITTED] Fix array overflow in backtrace on PowerPC (bug 25423)
To: libc-stable@sourceware.org

From: Andreas Schwab

Fix array overflow in backtrace on PowerPC (bug 25423)

When unwinding through a signal frame the backtrace function on PowerPC
didn't check array bounds when storing the frame address.  Fixes commit
d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").

(cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)

diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c index 5a5ce8bc79..aed5ee4c94 100644 --- a/debug/tst-backtrace5.c +++ b/debug/tst-backtrace5.c @@ -89,6 +89,18 @@ handle_signal (int signum) } /* Symbol names are not available for static functions, so we do not check do_test. */ + + /* Check that backtrace does not return more than what fits in the array + (bug 25423). */ + for (int j =3D 0; j < NUM_FUNCTIONS; j++) + { + n =3D backtrace (addresses, j); + if (n > j) + { + FAIL (); + return; + } + } } NO_INLINE int diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c index 857a8aad7b..dc187a8f20 100644 
--- a/sysdeps/powerpc/powerpc32/backtrace.c +++ b/sysdeps/powerpc/powerpc32/backtrace.c @@ -114,6 +114,8 @@ __backtrace (void **array, int size) } if (gregset) { + if (count + 1 =3D=3D size) + break; array[++count] =3D (void*)((*gregset)[PT_NIP]); current =3D (void*)((*gregset)[PT_R1]); } diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c index 7a167838d9..ce038a139f 100644 --- a/sysdeps/powerpc/powerpc64/backtrace.c +++ b/sysdeps/powerpc/powerpc64/backtrace.c @@ -87,6 +87,8 @@ __backtrace (void **array, int size) if (is_sigtramp_address (current->return_address)) { struct signal_frame_64 *sigframe =3D (struct signal_frame_64*) current; + if (count + 1 =3D=3D size) + break; array[++count] =3D (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP]; current =3D (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1]; }
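
Review bot: In the debug/tst-backtrace5.c hunk, the new loop checks only the return value (`if (n > j)`), so it catches the overflow only when the out-of-bounds store is also reflected in the returned count. Consider planting a sentinel in `addresses[j]` before each `backtrace (addresses, j)` call and checking that it is unchanged afterwards, so a write past the requested size fails the test even when the count looks right. This assumes `addresses` has at least NUM_FUNCTIONS elements, which the hunk does not show.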
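
Review bot: In the sysdeps/powerpc/powerpc32/backtrace.c hunk, the guard `if (count + 1 == size)` is an equality test, so it keeps `array[++count]` in bounds only while `count < size` already holds on entry to the `if (gregset)` block, and that invariant comes from code outside the hunk. Writing it as `count + 1 >= size` would keep the store safe if the surrounding loop ever changes, and a one-line comment noting that a signal frame needs a second slot would document why the check sits here.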
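
Review bot: In the sysdeps/powerpc/powerpc64/backtrace.c hunk, the `break` under `if (count + 1 == size)` leaves the loop before `count` is advanced for the current frame. If the enclosing loop increments `count` in its step expression (not visible here), the trampoline's own return address is left out of the returned count whenever the signal frame lands on the last slot, so the caller gets size - 1 entries rather than size. Worth confirming that this truncation is intended and stating it in a comment; the same question applies to the powerpc32 change.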