Missing unwind info in __startcontext causes infinite loop (BZ20435, CVE-2016-6323)

2025-02-23 13:09:58 +08:00 · 2017-01-18 12:56:41 -08:00 · 2017-01-18 12:56:41 -08:00 · e1c67173bf
commit e1c67173bf
parent d701c3a0a5
2 changed files with 12 additions and 0 deletions
--- a/README.google
+++ b/README.google
@ -657,3 +657,8 @@ catgets/tst-catgets.c
  Fix catopen() Multiple unbounded stack allocations (BZ17905, CVE-2015-8779)
  https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
  (stanshebs, backport)
+
+ports/sysdeps/unix/sysv/linux/arm/setcontext.S
+  Missing unwind info in __startcontext causes infinite loop (BZ20435, CVE-2016-6323)
+  https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617
+  (stanshebs, backport)
--- a/ports/sysdeps/unix/sysv/linux/arm/setcontext.S
+++ b/ports/sysdeps/unix/sysv/linux/arm/setcontext.S
@ -86,12 +86,19 @@ weak_alias(__setcontext, setcontext)

 	/* Called when a makecontext() context returns.  Start the
 	   context in R4 or fall through to exit().  */
+	/* Unwind descriptors are looked up based on PC - 2, so we have to
+	   make sure to mark the instruction preceding the __startcontext
+	   label as .cantunwind.  */
+	.fnstart
+	.cantunwind
+	nop
 ENTRY(__startcontext)
 	movs    r0, r4
 	bne     PLTJMP(__setcontext)

 	@ New context was 0 - exit
 	b       PLTJMP(HIDDEN_JUMPTARGET(_exit))
+	.fnend
 END(__startcontext)

 #ifdef PIC