From 371b5ecb70cfabcf0a1257b7929dd294df4560ce Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Aug 18 2016 14:06:54 +0000
Subject: CVE-2016-6323: Backtraces can hang on ARM EABI (32-bit) (swbz#20435)
---
diff --git a/glibc-swbz20435.patch b/glibc-swbz20435.patch
new file mode 100644
index 0000000..cb5732d
--- /dev/null
+++ b/glibc-swbz20435.patch
@@ -0,0 +1,39 @@
+commit a85abfa92220239cad0a8a6b0f2a223f5e6472a9
+Author: Andreas Schwab
+Date: Thu Aug 18 11:38:28 2016 +0200
+
+ arm: mark __startcontext as .cantunwind (bug 20435)
+
+ __startcontext marks the bottom of the call stack of the contexts created
+ by makecontext.
+
+ (cherry picked from commit 9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617)
+
+ Also includes the NEWS update, cherry-picked from commits
+ 056dd72af83f5459ce6d545a49dea6dba7d635dc and
+ 4d047efdbc55b0d68947cde682e5363d16a66294.
+
+diff --git a/sysdeps/unix/sysv/linux/arm/setcontext.S b/sysdeps/unix/sysv/linux/arm/setcontext.S
+index 24c7294..926b65a 100644
+--- a/sysdeps/unix/sysv/linux/arm/setcontext.S
++++ b/sysdeps/unix/sysv/linux/arm/setcontext.S
+@@ -86,12 +86,19 @@ weak_alias(__setcontext, setcontext)
+
+ /* Called when a makecontext() context returns. Start the
+ context in R4 or fall through to exit(). */
++ /* Unwind descriptors are looked up based on PC - 2, so we have to
++ make sure to mark the instruction preceding the __startcontext
++ label as .cantunwind. */
++ .fnstart
++ .cantunwind
++ nop
+ ENTRY(__startcontext)
+ movs r0, r4
+ bne PLTJMP(__setcontext)
+
+ @ New context was 0 - exit
+ b PLTJMP(HIDDEN_JUMPTARGET(exit))
++ .fnend
+ END(__startcontext)
+
+ #ifdef PIC
diff --git a/glibc.spec b/glibc.spec
index a8a28ba..309bb6c 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -273,6 +273,7 @@ Patch1052: glibc-rh1337291.patch
 Patch1053: glibc-build-time.patch
 Patch1054: glibc-rh1352625.patch
 Patch1055: glibc-rh1348620.patch
+Patch1056: glibc-swbz20435.patch
 ##############################################################################
 #
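Review bot: The provenance header of the new glibc-swbz20435.patch states that it "Also includes the NEWS update, cherry-picked from commits 056dd72a… and 4d047efd…", but the whole `@@ -0,0 +1,39 @@` hunk holds only the sysdeps/unix/sysv/linux/arm/setcontext.S change and no NEWS hunk, so the file's description does not match its content. Either carry the NEWS hunk or replace that paragraph with `NEWS update from commits 056dd72af83f5459ce6d545a49dea6dba7d635dc and 4d047efdbc55b0d68947cde682e5363d16a66294 intentionally omitted.` so a later backport audit is not sent looking for it. The header also never names the advisory that the spec changelog attributes to this patch; a first line `CVE-2016-6323: Backtraces can hang on ARM EABI (32-bit) (swbz#20435)` above `commit a85abfa9…` would let the patch file be matched to the CVE on its own. The `.fnstart`/`.cantunwind`/`nop` prefix also relies on nothing falling through into the `nop` from the code before the hunk (the end of `__setcontext`, outside this view) and on the region still covering the label if `ENTRY` inserts alignment padding after the `nop`; presumably `__startcontext` is only ever reached by a context switch to the label, but that is worth a one-line comment such as `/* Not reachable by fall-through; exists only so the preceding address has a .cantunwind entry. */` next to the `nop`.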
@@ -745,6 +746,7 @@ microbenchmark tests on the system.
 %patch1053 -p1
 %patch1054 -p1
 %patch1055 -p1
+%patch1056 -p1
 %patch0059 -p1
 ##############################################################################
@@ -1969,6 +1971,7 @@ rm -f *.filelist*
 - Build time improvements
 - Avoid duplicating object files already in libc.a (#1352625)
 - malloc: Avoid premature fallback to mmap (#1348620)
+- CVE-2016-6323: Backtraces can hang on ARM EABI (32-bit) (swbz#20435)
 * Thu Jun 2 2016 Florian Weimer - 2.22-17
 - CVE-2016-4429: stack overflow in Sun RPC clntudp_call (#1337140)