From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Sender: libc-stable-owner@sourceware.org
Received: from hall.aurel32.net (163.172.24.10) by sourceware.org with ESMTP; Thu, 20 Dec 2018 23:39:36 +0000
From: Aurelien Jarno To: libc-stable@sourceware.org Cc: Andreas Schwab Subject: [2.24 COMMITTED 3/4] Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196) Date: Mon, 01 Jan 2018 00:00:00 -0000 Message-Id: <20181220233902.20796-3-aurelien@aurel32.net> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20181220233902.20796-1-aurelien@aurel32.net> References: <20181220233902.20796-1-aurelien@aurel32.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-IsSubscribed: yes X-SW-Source: 2018-12/txt/msg00023.txt.bz2 From: Andreas Schwab When compiled as mempcpy, the return value is the end of the destination buffer, thus it cannot be used to refer to the start of it. (cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e) --- ChangeLog | 9 +++++++++ NEWS | 2 ++ string/test-mempcpy.c | 1 + sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++-- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 699e8e510e..f650db1d59 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2018-05-23 Andreas Schwab + + [BZ #23196] + CVE-2018-11237 + * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S + (L(preloop_large)): Save initial destination pointer in %r11 and + use it instead of %rax after the loop. + * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. + 2018-05-09 Paul Pluzhnikov [BZ #22786] diff --git a/NEWS b/NEWS index 0ff775e578..7e1859b78e 100644 --- a/NEWS +++ b/NEWS @@ -65,6 +65,8 @@ The following bugs are resolved with this release: [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE [22786] libc: Stack buffer overflow in realpath() if input size is close to SSIZE_MAX (CVE-2018-11236) + [23196] string: __mempcpy_avx512_no_vzeroupper mishandles large copies + (CVE-2018-11237) Version 2.24 diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c index f4969c24a5..d1802308a1 100644 --- a/string/test-mempcpy.c +++ b/string/test-mempcpy.c 
@@ -18,6 +18,7 @@ . */ #define MEMCPY_RESULT(dst, len) (dst) + (len) +#define MIN_PAGE_SIZE 131072 #define TEST_MAIN #define TEST_NAME "mempcpy" #include "test-string.h" diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S index 664b74de49..90ac9eaff4 100644 --- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S @@ -340,6 +340,7 @@ L(preloop_large): vmovups (%rsi), %zmm4 vmovups 0x40(%rsi), %zmm5 + mov %rdi, %r11 /* Align destination for access with non-temporal stores in the loop. */ mov %rdi, %r8 and $-0x80, %rdi @@ -370,8 +371,8 @@ L(gobble_256bytes_nt_loop): cmp $256, %rdx ja L(gobble_256bytes_nt_loop) sfence - vmovups %zmm4, (%rax) - vmovups %zmm5, 0x40(%rax) + vmovups %zmm4, (%r11) + vmovups %zmm5, 0x40(%r11) jmp L(check) L(preloop_large_bkw): -- 2.19.2
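Review bot: the new `#define MIN_PAGE_SIZE 131072` in the string/test-mempcpy.c hunk has no comment saying why it is there. Presumably it enlarges the test buffers so the test reaches the large-copy path (L(preloop_large) and the non-temporal store loop) where the bug sits, which the default size would not exercise; a one-line comment such as `/* Large enough to reach the non-temporal copy loop.  */` would record that intent and keep the value from being lowered again later.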
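Review bot: in the first memmove-avx512-no-vzeroupper.S hunk (at L(preloop_large)), `mov %rdi, %r11` is added without a comment, and it sits right above the existing `mov %rdi, %r8`, which also captures %rdi before the `and $-0x80, %rdi` alignment. The hunk does not show what happens to %r8 afterwards; if %r8 is consumed computing the alignment adjustment, that justifies the second copy, and a comment like `/* Keep the original dst: for mempcpy %rax is dst+len.  */` would say so. It is also worth confirming, since the loop body is not in the diff, that nothing between this point and the stores after `sfence` clobbers %r11.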
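Review bot: in the second memmove-avx512-no-vzeroupper.S hunk (after L(gobble_256bytes_nt_loop)), the two `vmovups` following `sfence` store the unaligned head that was loaded into %zmm4/%zmm5 from (%rsi) and 0x40(%rsi) in the earlier hunk. Switching their base from (%rax) to (%r11) is the right fix for mempcpy, where %rax already holds dst+len, so the old code put those 128 bytes past the end of the destination; for memcpy/memmove, where %rax is the original %rdi, behaviour is unchanged. Since `L(preloop_large_bkw):` is visible immediately below, it would be worth checking whether the backward path derives its head-store address from %rax in the same way; the diff gives no evidence either way.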