Avoid accessing corrupted stack from __stack_chk_fail [BZ #21752]

__libc_argv[0] points to address on stack and __libc_secure_getenv accesses environment variables which are on stack. We should avoid accessing stack when stack is corrupted. This patch also renames function argument in __fortify_fail_abort from do_backtrace to need_backtrace to avoid confusion with do_backtrace from enum __libc_message_action. [BZ #21752] * debug/fortify_fail.c (__fortify_fail_abort): Don't pass down __libc_argv[0] if we aren't doing backtrace. Rename do_backtrace to need_backtrace. * sysdeps/posix/libc_fatal.c (__libc_message): Don't call __libc_secure_getenv if we aren't doing backtrace.
2025-08-08 17:42:12 +03:00 · 2017-07-24 06:06:08 -07:00
parent 55703fcace
commit 422ff87c24
3 changed files with 27 additions and 9 deletions
--- a/sysdeps/posix/libc_fatal.c
+++ b/sysdeps/posix/libc_fatal.c
@@ -75,11 +75,16 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...)
  FATAL_PREPARE;
 #endif

-  /* Open a descriptor for /dev/tty unless the user explicitly
-     requests errors on standard error.  */
-  const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_");
-  if (on_2 == NULL || *on_2 == '\0')
-    fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY);
+  /* Don't call __libc_secure_getenv if we aren't doing backtrace, which
+     may access the corrupted stack.  */
+  if ((action & do_backtrace))
+    {
+      /* Open a descriptor for /dev/tty unless the user explicitly
+	 requests errors on standard error.  */
+      const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_");
+      if (on_2 == NULL || *on_2 == '\0')
+	fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY);
+    }

  if (fd == -1)
    fd = STDERR_FILENO;