From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 62969 invoked by alias); 24 May 2018 13:07:29 -0000 Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Subscribe: List-Archive: Sender: libc-stable-owner@sourceware.org Received: (qmail 62576 invoked by uid 89); 24 May 2018 13:07:27 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.99.4 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_SHORT,SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=4813 X-Spam-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_SHORT,SPF_HELO_PASS autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 24 May 2018 13:07:19 +0000 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0EDA31B3450 for ; Thu, 24 May 2018 13:07:18 +0000 (UTC) Received: from oldenburg.str.redhat.com (ovpn-117-98.ams2.redhat.com [10.36.117.98]) by smtp.corp.redhat.com (Postfix) with ESMTP id CE784607A7 for ; Thu, 24 May 2018 13:07:17 +0000 (UTC) Received: by oldenburg.str.redhat.com (Postfix, from userid 1000) id 828A3402A45AC; Thu, 24 May 2018 15:07:16 +0200 (CEST) Date: Mon, 01 Jan 2018 00:00:00 -0000 To: libc-stable@sourceware.org Subject: [2.27 COMMITTED] Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196) User-Agent: Heirloom mailx 12.5 7/5/10 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20180524130716.828A3402A45AC@oldenburg.str.redhat.com> From: fweimer@redhat.com (Florian Weimer) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Thu, 24 May 2018 13:07:18 +0000 (UTC) X-IsSubscribed: yes X-SW-Source: 2018-05/txt/msg00038.txt.bz2 From: Andreas Schwab When compiled as mempcpy, the return value is the end of the destination buffer, thus it cannot be used to refer to the start of it. (cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e) 2018-05-23 Andreas Schwab [BZ #23196] CVE-2018-11237 * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S (L(preloop_large)): Save initial destination pointer in %r11 and use it instead of %rax after the loop. * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. diff --git a/NEWS b/NEWS index 57f6714d89..ee08fc3d23 100644 --- a/NEWS +++ b/NEWS @@ -48,6 +48,13 @@ The following bugs are resolved with this release: build with -Os) [23152] gd_GB: Fix typo in "May" (abbreviated) [23166] sunrpc: Remove stray exports without --enable-obsolete-rpc + [23196] __mempcpy_avx512_no_vzeroupper mishandles large copies + +Security related changes: + + CVE-2018-11237: The mempcpy implementation for the Intel Xeon Phi + architecture could write beyond the target buffer, resulting in a buffer + overflow. Reported by Andreas Schwab. Version 2.27 diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c index c08fba895e..d98ecdd2d9 100644 --- a/string/test-mempcpy.c +++ b/string/test-mempcpy.c @@ -18,6 +18,7 @@ . */ #define MEMCPY_RESULT(dst, len) (dst) + (len) +#define MIN_PAGE_SIZE 131072 #define TEST_MAIN #define TEST_NAME "mempcpy" #include "test-string.h" diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S index 23c0f7a9ed..effc3ac2de 100644 --- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S @@ -336,6 +336,7 @@ L(preloop_large): vmovups (%rsi), %zmm4 vmovups 0x40(%rsi), %zmm5 + mov %rdi, %r11 /* Align destination for access with non-temporal stores in the loop. */ mov %rdi, %r8 and $-0x80, %rdi @@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop): cmp $256, %rdx ja L(gobble_256bytes_nt_loop) sfence - vmovups %zmm4, (%rax) - vmovups %zmm5, 0x40(%rax) + vmovups %zmm4, (%r11) + vmovups %zmm5, 0x40(%r11) jmp L(check) L(preloop_large_bkw):