From a6fa53288f51eac715cf9899ffe3cfd66e7dc42c Mon Sep 17 00:00:00 2001 From: Ulrich Drepper Date: Sun, 7 Oct 2007 05:31:00 +0000 Subject: [BZ #3924] * sysdeps/i386/dl-trampoline.S (_dl_runtime_profile): Fix a few more little bugs in creating the stack frame when pltexit has to be called. --- ChangeLog | 5 +++++ nscd/connections.c | 10 +++++++--- nscd/nscd_helper.c | 21 ++++++++++++++++++--- sysdeps/i386/dl-trampoline.S | 5 +++-- 4 files changed, 33 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 24ca28fdd5..846a38234c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,10 @@ 2007-10-06 Ulrich Drepper + [BZ #3924] + * sysdeps/i386/dl-trampoline.S (_dl_runtime_profile): Fix a few + more little bugs in creating the stack frame when pltexit has to + be called. + * nscd/nscd_helper.c (__nscd_cache_search): Prevent endless loops. * nscd/connections.c (verify_persistent_db): Recognize circular lists. diff --git a/nscd/connections.c b/nscd/connections.c index 2572a42ee7..26d75d2978 100644 --- a/nscd/connections.c +++ b/nscd/connections.c @@ -378,8 +378,9 @@ verify_persistent_db (void *mem, struct database_pers_head *readhead, int dbnr) nscd_ssize_t he_cnt = 0; for (nscd_ssize_t cnt = 0; cnt < head->module; ++cnt) { - ref_t first = head->array[cnt]; - ref_t work = first; + ref_t trail = head->array[cnt]; + ref_t work = trail; + int tick = 0; while (work != ENDREF) { @@ -439,9 +440,12 @@ verify_persistent_db (void *mem, struct database_pers_head *readhead, int dbnr) work = here->next; - if (work == first) + if (work == trail) /* A circular list, this must not happen. */ goto fail; + if (tick) + trail = ((struct hashentry *) (data + trail))->next; + tick = 1 - tick; } } diff --git a/nscd/nscd_helper.c b/nscd/nscd_helper.c index 2e6d5f76b8..6718d922f3 100644 --- a/nscd/nscd_helper.c +++ b/nscd/nscd_helper.c @@ -416,8 +416,10 @@ __nscd_cache_search (request_type type, const char *key, size_t keylen, unsigned long int hash = __nis_hash (key, keylen) % mapped->head->module; size_t datasize = mapped->datasize; - ref_t first = mapped->head->array[hash]; - ref_t work = first; + ref_t trail = mapped->head->array[hash]; + ref_t work = trail; + int tick = 0; + while (work != ENDREF && work + sizeof (struct hashentry) <= datasize) { struct hashentry *here = (struct hashentry *) (mapped->data + work); @@ -457,8 +459,21 @@ __nscd_cache_search (request_type type, const char *key, size_t keylen, work = here->next; /* Prevent endless loops. This should never happen but perhaps the database got corrupted, accidentally or deliberately. */ - if (work == first) + if (work == trail) break; + if (tick) + { + struct hashentry *trailelem; + trailelem = (struct hashentry *) (mapped->data + trail); + +#ifndef _STRING_ARCH_unaligned + /* We have to redo the checks. Maybe the data changed. */ + if ((uintptr_t) trailelem & (__alignof__ (*trailelem) - 1)) + return NULL; +#endif + trail = trailelem->next; + } + tick = 1 - tick; } return NULL; diff --git a/sysdeps/i386/dl-trampoline.S b/sysdeps/i386/dl-trampoline.S index af9eaf6d56..73b08ba67e 100644 --- a/sysdeps/i386/dl-trampoline.S +++ b/sysdeps/i386/dl-trampoline.S @@ -113,6 +113,7 @@ _dl_runtime_profile: movl %ebx, %ecx orl $4, %ebx # Increase frame size if necessary to align # stack for the function call + andl $~3, %ebx movl %esp, %edi subl %ebx, %edi movl %esp, %ebx @@ -121,9 +122,9 @@ _dl_runtime_profile: shrl $2, %ecx rep movsl - movl (%edi), %esi + movl (%ebx), %esi cfi_restore (esi) - movl 4(%edi), %edi + movl 4(%ebx), %edi cfi_restore (edi) /* %ebx+40 return address -- cgit v1.2.3