public inbox for libc-stable@sourceware.org
 help / color / mirror / Atom feed
* [2.24 COMMITTED 1/4] Fix i386 memmove issue (bug 22644).
@ 2018-01-01  0:00 Aurelien Jarno
  2018-01-01  0:00 ` [2.24 COMMITTED 2/4] Fix BZ 22786: integer addition overflow may cause stack buffer overflow when realpath() input length is close to SSIZE_MAX Aurelien Jarno
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Aurelien Jarno @ 2018-01-01  0:00 UTC (permalink / raw)
  To: libc-stable; +Cc: Andrew Senkevich

From: Andrew Senkevich <andrew.n.senkevich@gmail.com>

	[BZ #22644]
	* sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed
	branch conditions.
	* string/test-memmove.c (do_test2): New testcase.

(cherry picked from commit cd66c0e584c6d692bc8347b5e72723d02b8a8ada)
---
 ChangeLog                                     |  8 +++
 NEWS                                          |  2 +
 string/test-memmove.c                         | 57 +++++++++++++++++++
 .../i686/multiarch/memcpy-sse2-unaligned.S    | 12 ++--
 4 files changed, 73 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3305107bca..63813de2d5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2018-03-23  Andrew Senkevich  <andrew.senkevich@intel.com>
+	    Max Horn  <max@quendi.de>
+
+	[BZ #22644]
+	* sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed
+	branch conditions.
+	* string/test-memmove.c (do_test2): New testcase.
+
 2018-09-06  Stefan Liebler  <stli@linux.ibm.com>
 
 	* sysdeps/unix/sysv/linux/spawni.c (maybe_script_execute):
diff --git a/NEWS b/NEWS
index d11dfe1429..77f7f1ad0e 100644
--- a/NEWS
+++ b/NEWS
@@ -60,6 +60,8 @@ The following bugs are resolved with this release:
   [21609] x86-64: Align the stack in __tls_get_addr
   [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366)
   [21654] nss: Fix invalid cast in group merging
+  [22644] string: memmove-sse2-unaligned on 32bit x86 produces garbage when
+    crossing 2GB threshold (CVE-2017-18269)
   [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE
 \f
 Version 2.24
diff --git a/string/test-memmove.c b/string/test-memmove.c
index 43433297e5..f44c05d669 100644
--- a/string/test-memmove.c
+++ b/string/test-memmove.c
@@ -245,6 +245,60 @@ do_random_tests (void)
     }
 }
 
+static void
+do_test2 (void)
+{
+  size_t size = 0x20000000;
+  uint32_t * large_buf;
+
+  large_buf = mmap ((void*) 0x70000000, size, PROT_READ | PROT_WRITE,
+		    MAP_PRIVATE | MAP_ANON, -1, 0);
+
+  if (large_buf == MAP_FAILED)
+    error (77, errno, "Large mmap failed");
+
+  if ((uintptr_t) large_buf > 0x80000000 - 128
+      || 0x80000000 - (uintptr_t) large_buf > 0x20000000)
+    {
+      error (0, 0, "Large mmap allocated improperly");
+      ret = 77;
+      munmap ((void *) large_buf, size);
+      return;
+    }
+
+  size_t bytes_move = 0x80000000 - (uintptr_t) large_buf;
+  size_t arr_size = bytes_move / sizeof (uint32_t);
+  size_t i;
+
+  FOR_EACH_IMPL (impl, 0)
+    {
+      for (i = 0; i < arr_size; i++)
+        large_buf[i] = (uint32_t) i;
+
+      uint32_t * dst = &large_buf[33];
+
+#ifdef TEST_BCOPY
+      CALL (impl, (char *) large_buf, (char *) dst, bytes_move);
+#else
+      CALL (impl, (char *) dst, (char *) large_buf, bytes_move);
+#endif
+
+      for (i = 0; i < arr_size; i++)
+	{
+	  if (dst[i] != (uint32_t) i)
+	    {
+	      error (0, 0,
+		     "Wrong result in function %s dst \"%p\" src \"%p\" offset \"%zd\"",
+		     impl->name, dst, large_buf, i);
+	      ret = 1;
+	      break;
+	    }
+	}
+    }
+
+  munmap ((void *) large_buf, size);
+}
+
 int
 test_main (void)
 {
@@ -284,6 +338,9 @@ test_main (void)
     }
 
   do_random_tests ();
+
+  do_test2 ();
+
   return ret;
 }
 
diff --git a/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S b/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S
index 76f34291a3..bb26708d67 100644
--- a/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S
+++ b/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S
@@ -72,7 +72,7 @@ ENTRY (MEMCPY)
 	cmp	%edx, %eax
 
 # ifdef USE_AS_MEMMOVE
-	jg	L(check_forward)
+	ja	L(check_forward)
 
 L(mm_len_0_or_more_backward):
 /* Now do checks for lengths. We do [0..16], [16..32], [32..64], [64..128]
@@ -81,7 +81,7 @@ L(mm_len_0_or_more_backward):
 	jbe	L(mm_len_0_16_bytes_backward)
 
 	cmpl	$32, %ecx
-	jg	L(mm_len_32_or_more_backward)
+	ja	L(mm_len_32_or_more_backward)
 
 /* Copy [0..32] and return.  */
 	movdqu	(%eax), %xmm0
@@ -92,7 +92,7 @@ L(mm_len_0_or_more_backward):
 
 L(mm_len_32_or_more_backward):
 	cmpl	$64, %ecx
-	jg	L(mm_len_64_or_more_backward)
+	ja	L(mm_len_64_or_more_backward)
 
 /* Copy [0..64] and return.  */
 	movdqu	(%eax), %xmm0
@@ -107,7 +107,7 @@ L(mm_len_32_or_more_backward):
 
 L(mm_len_64_or_more_backward):
 	cmpl	$128, %ecx
-	jg	L(mm_len_128_or_more_backward)
+	ja	L(mm_len_128_or_more_backward)
 
 /* Copy [0..128] and return.  */
 	movdqu	(%eax), %xmm0
@@ -132,7 +132,7 @@ L(mm_len_128_or_more_backward):
 	add	%ecx, %eax
 	cmp	%edx, %eax
 	movl	SRC(%esp), %eax
-	jle	L(forward)
+	jbe	L(forward)
 	PUSH (%esi)
 	PUSH (%edi)
 	PUSH (%ebx)
@@ -269,7 +269,7 @@ L(check_forward):
 	add	%edx, %ecx
 	cmp	%eax, %ecx
 	movl	LEN(%esp), %ecx
-	jle	L(forward)
+	jbe	L(forward)
 
 /* Now do checks for lengths. We do [0..16], [0..32], [0..64], [0..128]
 	separately.  */
-- 
2.19.2

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [2.24 COMMITTED 4/4] Add references to CVE-2017-18269, CVE-2018-11236, CVE-2018-11237
  2018-01-01  0:00 [2.24 COMMITTED 1/4] Fix i386 memmove issue (bug 22644) Aurelien Jarno
  2018-01-01  0:00 ` [2.24 COMMITTED 2/4] Fix BZ 22786: integer addition overflow may cause stack buffer overflow when realpath() input length is close to SSIZE_MAX Aurelien Jarno
@ 2018-01-01  0:00 ` Aurelien Jarno
  2018-01-01  0:00 ` [2.24 COMMITTED 3/4] Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196) Aurelien Jarno
  2 siblings, 0 replies; 4+ messages in thread
From: Aurelien Jarno @ 2018-01-01  0:00 UTC (permalink / raw)
  To: libc-stable; +Cc: Florian Weimer

From: Florian Weimer <fweimer@redhat.com>

(cherry picked from commit 43d4f3d5ad94e1fa5e56d7a7200d0e9f3d8e2f02)
---
 ChangeLog |  2 ++
 NEWS      | 11 +++++++++++
 2 files changed, 13 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index f650db1d59..988615f03b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,7 @@
 2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
 
 	[BZ #22786]
+	CVE-2018-11236
 	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
 	computation.
 	* stdlib/Makefile (test-bz22786): New test.
@@ -19,6 +20,7 @@
 	    Max Horn  <max@quendi.de>
 
 	[BZ #22644]
+	CVE-2017-18269
 	* sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed
 	branch conditions.
 	* string/test-memmove.c (do_test2): New testcase.
diff --git a/NEWS b/NEWS
index 7e1859b78e..13ac8dd911 100644
--- a/NEWS
+++ b/NEWS
@@ -49,6 +49,17 @@ Security related changes:
   for AT_SECURE or SUID binaries could be used to load libraries from the
   current directory.
 
+  CVE-2017-18269: An SSE2-based memmove implementation for the i386
+  architecture could corrupt memory.  Reported by Max Horn.
+
+  CVE-2018-11236: Very long pathname arguments to realpath function could
+  result in an integer overflow and buffer overflow.  Reported by Alexey
+  Izbyshev.
+
+  CVE-2018-11237: The mempcpy implementation for the Intel Xeon Phi
+  architecture could write beyond the target buffer, resulting in a buffer
+  overflow.  Reported by Andreas Schwab.
+
 The following bugs are resolved with this release:
 
   [20790] Fix rpcgen buffer overrun
-- 
2.19.2

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [2.24 COMMITTED 2/4] Fix BZ 22786: integer addition overflow may cause stack buffer overflow when realpath() input length is close to SSIZE_MAX.
  2018-01-01  0:00 [2.24 COMMITTED 1/4] Fix i386 memmove issue (bug 22644) Aurelien Jarno
@ 2018-01-01  0:00 ` Aurelien Jarno
  2018-01-01  0:00 ` [2.24 COMMITTED 4/4] Add references to CVE-2017-18269, CVE-2018-11236, CVE-2018-11237 Aurelien Jarno
  2018-01-01  0:00 ` [2.24 COMMITTED 3/4] Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196) Aurelien Jarno
  2 siblings, 0 replies; 4+ messages in thread
From: Aurelien Jarno @ 2018-01-01  0:00 UTC (permalink / raw)
  To: libc-stable; +Cc: Paul Pluzhnikov

From: Paul Pluzhnikov <ppluzhnikov@google.com>

2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>

	[BZ #22786]
	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
	computation.
	* stdlib/Makefile (test-bz22786): New test.
	* stdlib/test-bz22786.c: New test.

(cherry picked from commit 5460617d1567657621107d895ee2dd83bc1f88f2)
---
 ChangeLog             |  8 ++++
 NEWS                  |  2 +
 stdlib/Makefile       |  2 +-
 stdlib/canonicalize.c |  2 +-
 stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 102 insertions(+), 2 deletions(-)
 create mode 100644 stdlib/test-bz22786.c

diff --git a/ChangeLog b/ChangeLog
index 63813de2d5..699e8e510e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #22786]
+	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
+	computation.
+	* stdlib/Makefile (test-bz22786): New test.
+	* stdlib/test-bz22786.c: New test.
+
 2018-03-23  Andrew Senkevich  <andrew.senkevich@intel.com>
 	    Max Horn  <max@quendi.de>
 
diff --git a/NEWS b/NEWS
index 77f7f1ad0e..0ff775e578 100644
--- a/NEWS
+++ b/NEWS
@@ -63,6 +63,8 @@ The following bugs are resolved with this release:
   [22644] string: memmove-sse2-unaligned on 32bit x86 produces garbage when
     crossing 2GB threshold (CVE-2017-18269)
   [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE
+  [22786] libc: Stack buffer overflow in realpath() if input size is close
+    to SSIZE_MAX (CVE-2018-11236)
 \f
 Version 2.24
 
diff --git a/stdlib/Makefile b/stdlib/Makefile
index fc6f23dcaf..23f2d6e326 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -77,7 +77,7 @@ tests		:= tst-strtol tst-strtod testmb testrand testsort testdiv   \
 		   tst-tininess tst-strtod-underflow tst-tls-atexit	    \
 		   tst-setcontext3 tst-tls-atexit-nodelete		    \
 		   tst-strtol-locale tst-strtod-nan-locale tst-strfmon_l    \
-		   tst-quick_exit tst-thread-quick_exit
+		   tst-quick_exit tst-thread-quick_exit test-bz22786
 tests-static	:= tst-secure-getenv
 ifeq ($(have-cxx-thread_local),yes)
 CFLAGS-tst-quick_exit.o = -std=c++11
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index 58bb8de949..59a7b942e0 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
 		extra_buf = __alloca (path_max);
 
 	      len = strlen (end);
-	      if ((long int) (n + len) >= path_max)
+	      if (path_max - n <= len)
 		{
 		  __set_errno (ENAMETOOLONG);
 		  goto error;
diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c
new file mode 100644
index 0000000000..e445034a8d
--- /dev/null
+++ b/stdlib/test-bz22786.c
@@ -0,0 +1,90 @@
+/* Bug 22786: test for buffer overflow in realpath.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* This file must be run from within a directory called "stdlib".  */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <support/test-driver.h>
+#include <libc-internal.h>
+
+static int
+do_test (void)
+{
+  const char dir[] = "bz22786";
+  const char lnk[] = "bz22786/symlink";
+
+  rmdir (dir);
+  if (mkdir (dir, 0755) != 0 && errno != EEXIST)
+    {
+      printf ("mkdir %s: %m\n", dir);
+      return EXIT_FAILURE;
+    }
+  if (symlink (".", lnk) != 0 && errno != EEXIST)
+    {
+      printf ("symlink (%s, %s): %m\n", dir, lnk);
+      return EXIT_FAILURE;
+    }
+
+  const size_t path_len = (size_t) INT_MAX + 1;
+
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+  /* GCC 7 warns about too-large allocations; here we need such
+     allocation to succeed for the test to work.  */
+  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+#endif
+  char *path = malloc (path_len);
+  DIAG_POP_NEEDS_COMMENT;
+
+  if (path == NULL)
+    {
+      printf ("malloc (%zu): %m\n", path_len);
+      return EXIT_UNSUPPORTED;
+    }
+
+  /* Construct very long path = "bz22786/symlink/aaaa....."  */
+  char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
+  *(p++) = '/';
+  memset (p, 'a', path_len - (path - p) - 2);
+  p[path_len - (path - p) - 1] = '\0';
+
+  /* This call crashes before the fix for bz22786 on 32-bit platforms.  */
+  p = realpath (path, NULL);
+
+  if (p != NULL || errno != ENAMETOOLONG)
+    {
+      printf ("realpath: %s (%m)", p);
+      return EXIT_FAILURE;
+    }
+
+  /* Cleanup.  */
+  unlink (lnk);
+  rmdir (dir);
+
+  return 0;
+}
+
+#define TEST_FUNCTION do_test
+#include <support/test-driver.c>
-- 
2.19.2

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [2.24 COMMITTED 3/4] Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196)
  2018-01-01  0:00 [2.24 COMMITTED 1/4] Fix i386 memmove issue (bug 22644) Aurelien Jarno
  2018-01-01  0:00 ` [2.24 COMMITTED 2/4] Fix BZ 22786: integer addition overflow may cause stack buffer overflow when realpath() input length is close to SSIZE_MAX Aurelien Jarno
  2018-01-01  0:00 ` [2.24 COMMITTED 4/4] Add references to CVE-2017-18269, CVE-2018-11236, CVE-2018-11237 Aurelien Jarno
@ 2018-01-01  0:00 ` Aurelien Jarno
  2 siblings, 0 replies; 4+ messages in thread
From: Aurelien Jarno @ 2018-01-01  0:00 UTC (permalink / raw)
  To: libc-stable; +Cc: Andreas Schwab

From: Andreas Schwab <schwab@suse.de>

When compiled as mempcpy, the return value is the end of the destination
buffer, thus it cannot be used to refer to the start of it.

(cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e)
---
 ChangeLog                                               | 9 +++++++++
 NEWS                                                    | 2 ++
 string/test-mempcpy.c                                   | 1 +
 sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
 4 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 699e8e510e..f650db1d59 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2018-05-23  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #23196]
+	CVE-2018-11237
+	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+	(L(preloop_large)): Save initial destination pointer in %r11 and
+	use it instead of %rax after the loop.
+	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
 2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
 
 	[BZ #22786]
diff --git a/NEWS b/NEWS
index 0ff775e578..7e1859b78e 100644
--- a/NEWS
+++ b/NEWS
@@ -65,6 +65,8 @@ The following bugs are resolved with this release:
   [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE
   [22786] libc: Stack buffer overflow in realpath() if input size is close
     to SSIZE_MAX (CVE-2018-11236)
+  [23196] string: __mempcpy_avx512_no_vzeroupper mishandles large copies
+    (CVE-2018-11237)
 \f
 Version 2.24
 
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
index f4969c24a5..d1802308a1 100644
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
    <http://www.gnu.org/licenses/>.  */
 
 #define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
 #define TEST_MAIN
 #define TEST_NAME "mempcpy"
 #include "test-string.h"
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
index 664b74de49..90ac9eaff4 100644
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -340,6 +340,7 @@ L(preloop_large):
 	vmovups	(%rsi), %zmm4
 	vmovups	0x40(%rsi), %zmm5
 
+	mov	%rdi, %r11
 /* Align destination for access with non-temporal stores in the loop.  */
 	mov	%rdi, %r8
 	and	$-0x80, %rdi
@@ -370,8 +371,8 @@ L(gobble_256bytes_nt_loop):
 	cmp	$256, %rdx
 	ja	L(gobble_256bytes_nt_loop)
 	sfence
-	vmovups	%zmm4, (%rax)
-	vmovups	%zmm5, 0x40(%rax)
+	vmovups	%zmm4, (%r11)
+	vmovups	%zmm5, 0x40(%r11)
 	jmp	L(check)
 
 L(preloop_large_bkw):
-- 
2.19.2

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2018-12-20 23:39 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-01  0:00 [2.24 COMMITTED 1/4] Fix i386 memmove issue (bug 22644) Aurelien Jarno
2018-01-01  0:00 ` [2.24 COMMITTED 2/4] Fix BZ 22786: integer addition overflow may cause stack buffer overflow when realpath() input length is close to SSIZE_MAX Aurelien Jarno
2018-01-01  0:00 ` [2.24 COMMITTED 4/4] Add references to CVE-2017-18269, CVE-2018-11236, CVE-2018-11237 Aurelien Jarno
2018-01-01  0:00 ` [2.24 COMMITTED 3/4] Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196) Aurelien Jarno

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).