https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=be8183701a4943d07bbc51d16952e9c02e7ef2c1

commit be8183701a4943d07bbc51d16952e9c02e7ef2c1
Author: Corinna Vinschen <[email protected]>
Date:   Thu Jul 23 20:25:22 2015 +0200

    Fix potential buffer overflow in makecontext trampoline
    
        glibc's tst-makecontext2 testcase uncovered a bug in
        __cont_link_context.  If the function misses to reserve
        shadow space for the calls to setcontext/cygwin_exit,
        both functions could overwrite memory beyond the stack
        configured in uc_stack.
    
            * exceptions.cc (__cont_link_context): x86_64: align stack and reserve
            shadow space for subsequent function calls, otherwise suffer potential
            buffer overflow.
    
    Signed-off-by: Corinna Vinschen <[email protected]>

Diff:
---
 winsup/cygwin/ChangeLog     | 6 ++++++
 winsup/cygwin/exceptions.cc | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 55ea458..a8f6543 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,5 +1,11 @@
 2015-07-23  Corinna Vinschen  <[email protected]>
 
+       * exceptions.cc (__cont_link_context): x86_64: align stack and reserve
+       shadow space for subsequent function calls, otherwise suffer potential
+       buffer overflow.
+
+2015-07-23  Corinna Vinschen  <[email protected]>
+
        * uinfo.cc (cygheap_user::ontherange): Ignore $HOME if it's not
        starting with a slash (aka, absolute POSIX Path).
 
diff --git a/winsup/cygwin/exceptions.cc b/winsup/cygwin/exceptions.cc
index c4b0761..e6c000f 100644
--- a/winsup/cygwin/exceptions.cc
+++ b/winsup/cygwin/exceptions.cc
@@ -1929,9 +1929,14 @@ swapcontext (ucontext_t *oucp, const ucontext_t *ucp)
    is NULL, call exit. */
 __asm__ ("                             \n\
        .global __cont_link_context     \n\
+       .seh_proc __cont_link_context   \n\
 __cont_link_context:                   \n\
+       .seh_endprologue                \n\
        movq    %rbx, %rsp              \n\
-       popq    %rcx                    \n\
+       movq    (%rsp), %rcx            \n\
+       # align stack and subtract shadow space \n\
+       andq    $~0xf, %rsp             \n\
+       subq    $0x20, %rsp             \n\
        testq   %rcx, %rcx              \n\
        je      1f                      \n\
        call    setcontext              \n\
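Review bot: The `$0x20` on the new `subq` line is the Microsoft x64 shadow space and the preceding `andq $~0xf` rounds %rsp down, so the two together consume up to 47 bytes of uc_stack below the slot that `movq (%rsp), %rcx` has just read, and nothing in the hunk states that the stack laid out by makecontext leaves that room. I would make the inline comment carry that contract, e.g. `# round rsp down to 16 and reserve the 32-byte Win64 shadow space (4 arg-home slots) that setcontext/cygwin_exit may write; the uc_link slot at the old rsp stays above it`, and check makecontext (outside this hunk) against that budget. A second point is `.seh_endprologue` placed directly after the label: it records no unwind codes, so the unwinder will assume %rsp is untouched even though the body replaces it from %rbx and then adjusts it; if that is intended because this trampoline is never returned through, a comment such as `# no unwind codes on purpose: rsp is rebuilt from %rbx and this frame is terminal` would keep a later reader from "fixing" it. The body of __cont_link_context continues past this hunk into the next one.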
@@ -1939,6 +1944,7 @@ __cont_link_context:                      \n\
 1:                                     \n\
        call    cygwin_exit             \n\
        nop                             \n\
+       .seh_endproc                    \n\
        ");
 
 #else
