This is the mail archive of the
cygwin-cvs@cygwin.com
mailing list for the Cygwin project.
[newlib-cygwin] Fix potential buffer overflow in makecontext trampoline
- From: Corinna Vinschen <corinna at sourceware dot org>
- To: cygwin-cvs at sourceware dot org
- Date: 23 Jul 2015 18:25:36 -0000
- Subject: [newlib-cygwin] Fix potential buffer overflow in makecontext trampoline
https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=be8183701a4943d07bbc51d16952e9c02e7ef2c1
commit be8183701a4943d07bbc51d16952e9c02e7ef2c1
Author: Corinna Vinschen <corinna@vinschen.de>
Date: Thu Jul 23 20:25:22 2015 +0200
Fix potential buffer overflow in makecontext trampoline
glibc's tst-makecontext2 testcase uncovered a bug in
__cont_link_context. If the function misses to reserve
shadow space for the calls to setcontext/cygwin_exit,
both functions could overwrite memory beyond the stack
configured in uc_stack.
* exceptions.cc (__cont_link_context): x86_64: align stack and reserve
shadow space for subsequent function calls, otherwise suffer potential
buffer overflow.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diff:
---
winsup/cygwin/ChangeLog | 6 ++++++
winsup/cygwin/exceptions.cc | 8 +++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 55ea458..a8f6543 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,11 @@
2015-07-23 Corinna Vinschen <corinna@vinschen.de>
+ * exceptions.cc (__cont_link_context): x86_64: align stack and reserve
+ shadow space for subsequent function calls, otherwise suffer potential
+ buffer overflow.
+
+2015-07-23 Corinna Vinschen <corinna@vinschen.de>
+
* uinfo.cc (cygheap_user::ontherange): Ignore $HOME if it's not
starting with a slash (aka, absolute POSIX Path).
diff --git a/winsup/cygwin/exceptions.cc b/winsup/cygwin/exceptions.cc
index c4b0761..e6c000f 100644
--- a/winsup/cygwin/exceptions.cc
+++ b/winsup/cygwin/exceptions.cc
@@ -1929,9 +1929,14 @@ swapcontext (ucontext_t *oucp, const ucontext_t *ucp)
is NULL, call exit. */
__asm__ (" \n\
.global __cont_link_context \n\
+ .seh_proc __cont_link_context \n\
__cont_link_context: \n\
+ .seh_endprologue \n\
movq %rbx, %rsp \n\
- popq %rcx \n\
+ movq (%rsp), %rcx \n\
+ # align stack and subtract shadow space \n\
+ andq $~0xf, %rsp \n\
+ subq $0x20, %rsp \n\
testq %rcx, %rcx \n\
je 1f \n\
call setcontext \n\
@@ -1939,6 +1944,7 @@ __cont_link_context: \n\
1: \n\
call cygwin_exit \n\
nop \n\
+ .seh_endproc \n\
");
#else