* [2.26 COMMITTED] Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196)
@ 2018-01-01 0:00 Florian Weimer
0 siblings, 0 replies; only message in thread
From: Florian Weimer @ 2018-01-01 0:00 UTC (permalink / raw)
To: libc-stable
From: Andreas Schwab <schwab@suse.de>
When compiled as mempcpy, the return value is the end of the destination
buffer, thus it cannot be used to refer to the start of it.
(cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e)
2018-05-23 Andreas Schwab <schwab@suse.de>
[BZ #23196]
CVE-2018-11237
* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
(L(preloop_large)): Save initial destination pointer in %r11 and
use it instead of %rax after the loop.
* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
diff --git a/NEWS b/NEWS
index d5daa3adc5..c3c6aff8fc 100644
--- a/NEWS
+++ b/NEWS
@@ -71,6 +71,10 @@ Security related changes:
the value of SIZE_MAX, would return a pointer to a buffer which is too
small, instead of NULL.
+ CVE-2018-11237: The mempcpy implementation for the Intel Xeon Phi
+ architecture could write beyond the target buffer, resulting in a buffer
+ overflow. Reported by Andreas Schwab.
+
The following bugs are resolved with this release:
[16750] ldd: Never run file directly.
@@ -128,6 +132,7 @@ The following bugs are resolved with this release:
[23024] getlogin_r: return early when linux sentinel value is set
[23037] resolv: Fully initialize struct mmsghdr in send_dg
[23137] s390: Fix blocking pthread_join
+ [23196] __mempcpy_avx512_no_vzeroupper mishandles large copies
\f
Version 2.26
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
index 364a811c62..ec11c9f6e6 100644
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
<http://www.gnu.org/licenses/>. */
#define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
#define TEST_MAIN
#define TEST_NAME "mempcpy"
#include "test-string.h"
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
index f3ef10577c..ae84ddc667 100644
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -340,6 +340,7 @@ L(preloop_large):
vmovups (%rsi), %zmm4
vmovups 0x40(%rsi), %zmm5
+ mov %rdi, %r11
/* Align destination for access with non-temporal stores in the loop. */
mov %rdi, %r8
and $-0x80, %rdi
@@ -370,8 +371,8 @@ L(gobble_256bytes_nt_loop):
cmp $256, %rdx
ja L(gobble_256bytes_nt_loop)
sfence
- vmovups %zmm4, (%rax)
- vmovups %zmm5, 0x40(%rax)
+ vmovups %zmm4, (%r11)
+ vmovups %zmm5, 0x40(%r11)
jmp L(check)
L(preloop_large_bkw):
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2018-05-24 14:13 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-01 0:00 [2.26 COMMITTED] Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196) Florian Weimer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).