public inbox for libc-stable@sourceware.org
From: Aurelien Jarno <aurelien@aurel32.net>
To: libc-stable@sourceware.org
Cc: Andreas Schwab <schwab@suse.de>
Subject: [2.24 COMMITTED 3/4] Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196)
Date: Mon, 01 Jan 2018 00:00:00 -0000
Message-ID: <20181220233902.20796-3-aurelien@aurel32.net>
In-Reply-To: <20181220233902.20796-1-aurelien@aurel32.net>

From: Andreas Schwab <schwab@suse.de>

When compiled as mempcpy, the return value is the end of the destination
buffer, thus it cannot be used to refer to the start of it.

(cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e)
---
 ChangeLog                                               | 9 +++++++++
 NEWS                                                    | 2 ++
 string/test-mempcpy.c                                   | 1 +
 sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
 4 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 699e8e510e..f650db1d59 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2018-05-23  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #23196]
+	CVE-2018-11237
+	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+	(L(preloop_large)): Save initial destination pointer in %r11 and
+	use it instead of %rax after the loop.
+	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
 2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
 
 	[BZ #22786]
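Review bot: the test-mempcpy.c line of this ChangeLog entry says what was changed but not why; since MIN_PAGE_SIZE is the only thing that lets the test reach the large-copy path being fixed, consider "(MIN_PAGE_SIZE): Define to exercise the large-copy path." so the link between the test change and the L(preloop_large) fix is recorded in the log.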
diff --git a/NEWS b/NEWS
index 0ff775e578..7e1859b78e 100644
--- a/NEWS
+++ b/NEWS
@@ -65,6 +65,8 @@ The following bugs are resolved with this release:
   [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE
   [22786] libc: Stack buffer overflow in realpath() if input size is close
     to SSIZE_MAX (CVE-2018-11236)
+  [23196] string: __mempcpy_avx512_no_vzeroupper mishandles large copies
+    (CVE-2018-11237)
 \f
 Version 2.24
 
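Review bot: "mishandles large copies" understates the impact that the patch subject and commit message describe, namely a write past the end of the destination buffer when mempcpy takes the non-temporal store path. For a NEWS entry that carries a CVE number, readers triaging the release want the effect, not just the symptom; suggest "[23196] string: __mempcpy_avx512_no_vzeroupper writes beyond the destination for large copies (CVE-2018-11237)".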
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
index f4969c24a5..d1802308a1 100644
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
    <http://www.gnu.org/licenses/>.  */
 
 #define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
 #define TEST_MAIN
 #define TEST_NAME "mempcpy"
 #include "test-string.h"
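Review bot: the added `#define MIN_PAGE_SIZE 131072` is an unexplained magic number. Its purpose, as far as the patch shows, is to make the test's buffers large enough that the copy size reaches the non-temporal loop in memmove-avx512-no-vzeroupper.S, which is the only path the fix touches; without a comment, a later maintainer has no way to tell that lowering it would silently stop exercising the regression. A one-line comment such as "/* Large enough to reach the non-temporal store path in the AVX512 implementation.  */" would fix that. It would also be worth confirming that the test actually fails before the .S change and passes after it, since nothing in the hunk asserts on the bytes after the destination.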
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
index 664b74de49..90ac9eaff4 100644
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -340,6 +340,7 @@ L(preloop_large):
 	vmovups	(%rsi), %zmm4
 	vmovups	0x40(%rsi), %zmm5
 
+	mov	%rdi, %r11
 /* Align destination for access with non-temporal stores in the loop.  */
 	mov	%rdi, %r8
 	and	$-0x80, %rdi
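Review bot: the placement of `mov %rdi, %r11` is the important detail here and deserves a comment: it runs before `and $-0x80, %rdi` aligns the destination, so %r11 holds the original, unaligned destination pointer, which is exactly what the two trailing `vmovups` of %zmm4/%zmm5 need (they write back the first 128 bytes loaded from the unaligned source at the top of L(preloop_large)). The line right after it already saves the same value into %r8, so a reader will ask why a second copy is needed; if %r8 is consumed by the alignment arithmetic before the loop ends, say so in the comment, otherwise reuse %r8 rather than adding a register. %r11 is caller-saved under the SysV ABI, so no save/restore is needed, but the reviewer should check that none of the code between this point and the post-loop stores (outside this hunk) clobbers %r11.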
@@ -370,8 +371,8 @@ L(gobble_256bytes_nt_loop):
 	cmp	$256, %rdx
 	ja	L(gobble_256bytes_nt_loop)
 	sfence
-	vmovups	%zmm4, (%rax)
-	vmovups	%zmm5, 0x40(%rax)
+	vmovups	%zmm4, (%r11)
+	vmovups	%zmm5, 0x40(%r11)
 	jmp	L(check)
 
 L(preloop_large_bkw):
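Review bot: switching the two head stores from `(%rax)` to `(%r11)` is the actual fix and is correct as far as the visible lines go: as the commit message explains, when this file is built as mempcpy, %rax is set to dst+len rather than dst, so `vmovups %zmm4, (%rax)` / `vmovups %zmm5, 0x40(%rax)` wrote 128 bytes past the end of the destination instead of into its first 128 bytes; for the memcpy and memmove builds %rax equals dst and the old code was harmless. The hunk ends at `L(preloop_large_bkw):`, the backward-copy counterpart of this path; since the same %rax assumption would break it in the same way if it also stores its saved head/tail vectors through %rax, please confirm that the backward path either does not use %rax as the destination base or is covered by a follow-up.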
-- 
2.19.2

Thread overview: 4+ messages
2018-01-01  0:00 [2.24 COMMITTED 1/4] Fix i386 memmove issue (bug 22644) Aurelien Jarno
2018-01-01  0:00 ` [2.24 COMMITTED 2/4] Fix BZ 22786: integer addition overflow may cause stack buffer overflow when realpath() input length is close to SSIZE_MAX Aurelien Jarno
2018-01-01  0:00 ` Aurelien Jarno [this message]
2018-01-01  0:00 ` [2.24 COMMITTED 4/4] Add references to CVE-2017-18269, CVE-2018-11236, CVE-2018-11237 Aurelien Jarno