From: Aurelien Jarno <aurelien@aurel32.net>
To: libc-stable@sourceware.org
Cc: Florian Weimer <fweimer@redhat.com>, Carlos O'Donell <carlos@redhat.com>
Subject: [2.31 COMMITTED] powerpc: Fix incorrect cache line size load in memset (bug 26332)
Date: Mon, 3 Aug 2020 23:33:08 +0200 [thread overview]
Message-ID: <20200803213308.3767107-1-aurelien@aurel32.net> (raw)
From: Florian Weimer <fweimer@redhat.com>
__GLRO loaded the word after the requested variable on big-endian
PowerPC, where LOWORD is 4. This can cause the memset implement
go wrong because the masking with the cache line size produces
wrong results, particularly if the loaded value happens to be 1.
The __GLRO macro is not used in any place where loading the lower
32-bit word of a 64-bit value is desired, so the +4 offset is always
wrong.
Fixes commit 18363b4f010da9ba459b13310b113ac0647c2fcc
("powerpc: Move cache line size to rtld_global_ro") and bug 26332.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit 7650321ce037302bfc2f026aa19e0213b8d02fe6)
---
NEWS | 1 +
sysdeps/powerpc/powerpc32/sysdep.h | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index 8a857061e11..17cde19e28a 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,7 @@ The following bugs are resolved with this release:
[25966] Incorrect access of __x86_shared_non_temporal_threshold for x32
[25976] nss_compat: internal_end*ent may clobber errno, hiding ERANGE
[26248] Incorrect argument types for INLINE_SETXID_SYSCALL
+ [26332] Incorrect cache line size load causes memory corruption in memset
Security related changes:
diff --git a/sysdeps/powerpc/powerpc32/sysdep.h b/sysdeps/powerpc/powerpc32/sysdep.h
index 2ba009e919b..829eec266af 100644
--- a/sysdeps/powerpc/powerpc32/sysdep.h
+++ b/sysdeps/powerpc/powerpc32/sysdep.h
@@ -179,8 +179,8 @@ GOT_LABEL: ; \
#else
/* Position-dependent code does not require access to the GOT. */
# define __GLRO(rOUT, rGOT, member, offset) \
- lis rOUT,(member+LOWORD)@ha; \
- lwz rOUT,(member+LOWORD)@l(rOUT)
+ lis rOUT,(member)@ha; \
+ lwz rOUT,(member)@l(rOUT)
#endif /* PIC */
#endif /* __ASSEMBLER__ */
--
2.27.0
reply other threads:[~2020-08-03 21:33 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200803213308.3767107-1-aurelien@aurel32.net \
--to=aurelien@aurel32.net \
--cc=carlos@redhat.com \
--cc=fweimer@redhat.com \
--cc=libc-stable@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).