add XOR mangling mitigation for thread-local dtors

Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
GrapheneOS · Jun 7, 2021 · 0b03d92 · 0b03d92
1 parent e239c7d
commit 0b03d92
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/libc/bionic/__cxa_thread_atexit_impl.cpp b/libc/bionic/__cxa_thread_atexit_impl.cpp
@@ -13,15 +13,17 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+#include <stdint.h>
 #include <sys/cdefs.h>
 
 #include <private/bionic_defs.h>
+#include <private/bionic_globals.h>
 
 #include "pthread_internal.h"
 
 class thread_local_dtor {
  public:
-  void (*func) (void *);
+  uintptr_t func;
   void *arg;
   void *dso_handle; // unused...
   thread_local_dtor* next;
@@ -35,7 +37,7 @@ __BIONIC_WEAK_FOR_NATIVE_BRIDGE
 int __cxa_thread_atexit_impl(void (*func) (void *), void *arg, void *dso_handle) {
   thread_local_dtor* dtor = new thread_local_dtor();
 
-  dtor->func = func;
+  dtor->func = __libc_globals->dtor_cookie ^ reinterpret_cast<uintptr_t>(func);
   dtor->arg = arg;
   dtor->dso_handle = dso_handle;
 
@@ -54,7 +56,7 @@ extern "C" __LIBC_HIDDEN__ void __cxa_thread_finalize() {
     thread_local_dtor* current = thread->thread_local_dtors;
     thread->thread_local_dtors = current->next;
 
-    current->func(current->arg);
+    (reinterpret_cast<void (*)(void*)>(__libc_globals->dtor_cookie ^ current->func))(current->arg);
     if (__loader_remove_thread_local_dtor != nullptr) {
       __loader_remove_thread_local_dtor(current->dso_handle);
     }

diff --git a/libc/bionic/libc_init_common.cpp b/libc/bionic/libc_init_common.cpp
@@ -45,6 +45,7 @@
 #include <async_safe/log.h>
 
 #include "private/WriteProtected.h"
+#include "private/bionic_arc4random.h"
 #include "private/bionic_defs.h"
 #include "private/bionic_globals.h"
 #include "private/bionic_tls.h"
@@ -66,6 +67,7 @@ void __libc_init_globals() {
   __libc_globals.mutate([](libc_globals* globals) {
     __libc_init_vdso(globals);
     __libc_init_setjmp_cookie(globals);
+    arc4random_buf(&globals->dtor_cookie, sizeof(globals->dtor_cookie));
   });
 }
 

diff --git a/libc/private/bionic_globals.h b/libc/private/bionic_globals.h
@@ -43,6 +43,7 @@
 
 struct libc_globals {
   vdso_entry vdso[VDSO_END];
+  long dtor_cookie;
   long setjmp_cookie;
   uintptr_t heap_pointer_tag;