[Backport] [PATCH] x86-64 memcmp: Use unsigned Jcc instructions on size [BZ #24155]

public inbox for libc-stable@sourceware.org
 help / color / mirror / Atom feed

From: "H.J. Lu" <hjl.tools@gmail.com>
To: Libc-stable Mailing List <libc-stable@sourceware.org>
Subject: [Backport] [PATCH] x86-64 memcmp: Use unsigned Jcc instructions on size [BZ #24155]
Date: Tue, 01 Jan 2019 00:00:00 -0000	[thread overview]
Message-ID: <CAMe9rOr4a80C_Tv46EO1Brkn3YJa_pnRAf_O2R=SPyVZaFfBQQ@mail.gmail.com> (raw)
In-Reply-To: <20190204010338.GA4441@gmail.com>

I am backporting this to release branches.

---------- Forwarded message ---------
From: H.J. Lu <hjl.tools@gmail.com>
Date: Sun, Feb 3, 2019 at 5:03 PM
Subject: [PATCH] x86-64 memcmp: Use unsigned Jcc instructions on size
[BZ #24155]
To: Florian Weimer <fweimer@redhat.com>
Cc: GNU C Library <libc-alpha@sourceware.org>


On Sun, Feb 03, 2019 at 09:33:35AM +0100, Florian Weimer wrote:
> * H. J. Lu:
>
> > On Sat, Feb 2, 2019 at 7:32 AM Florian Weimer <fweimer@redhat.com> wrote:
> >>
> >> * H. J. Lu:
> >>
> >> > On Sat, Feb 2, 2019 at 6:57 AM Florian Weimer <fweimer@redhat.com> wrote:
> >> >>
> >> >> * H. J. Lu:
> >> >>
> >> >> > Since the size argument is unsigned. we should use unsigned Jcc
> >> >> > instructions, instead of signed to check size.
> >> >> >
> >> >> > Tested on x86-64 and x32, with and without --disable-multi-arch.
> >> >>
> >> >> Does this impact x86-64 at all (technically), consider that an object
> >> >> size larger than SSIZE_MAX would be undefined anyway?
> >> >
> >> > I don't think we will hit it on x86-64.
> >> >
> >> >> It seems that on x32, it can give incorrect results if the sign bit on
> >> >> the 64-bit register is set.  In this sense, it is similar to
> >> >> CVE-2019-6488 in impact, right?  If we decide to treat this as a
> >> >
> >> > For x32, there is no invalid memory access.  It just gives the wrong
> >> > result.
> >>
> >> Well, that could be problematic as well.
> >>
> >> Does the comparison stop early, only checking a prefix?
> >
> > On x32, memcmp always returns 0 when the most significant bit of RDX is set
> > since it treats size as 0, like memcmp (a, b, 0).
> >
> >> >> security vulnerability, we need a new CVE ID because the version range
> >> >> is different (bug 24155 was not fixed in the 2.29 release).
> >> >>
> >> >
> >> > Since the wrong result from memcmp may lead to security vulnerability, we
> >> > should apply for CVE.
> >>
> >> Sure, I'll take care of it.
>
> MITRE has assigned CVE-2019-7309.  Please mention it in the appropriate
> places.
>

This is the patch I am going to check in tomorow.

Thanks.


H.J.
---
Since the size argument is unsigned. we should use unsigned Jcc
instructions, instead of signed, to check size.

Tested on x86-64 and x32, with and without --disable-multi-arch.

        [BZ #24155]
        CVE-2019-7309
        * NEWS: Updated for CVE-2019-7309.
        * sysdeps/x86_64/memcmp.S: Use RDX_LP for size.  Clear the
        upper 32 bits of RDX register for x32.  Use unsigned Jcc
        instructions, instead of signed.
        * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
        * sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
---
 NEWS                                     |  8 ++-
 sysdeps/x86_64/memcmp.S                  | 20 +++---
 sysdeps/x86_64/x32/Makefile              |  3 +-
 sysdeps/x86_64/x32/tst-size_t-memcmp-2.c | 79 ++++++++++++++++++++++++
 4 files changed, 100 insertions(+), 10 deletions(-)
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-memcmp-2.c

diff --git a/NEWS b/NEWS
index 5cf568aed9..bc0b2bc3df 100644
--- a/NEWS
+++ b/NEWS
@@ -24,7 +24,13 @@ Changes to build and runtime requirements:

 Security related changes:

-  [Add security related changes here]
+  CVE-2019-7309: x86-64 memcmp used signed Jcc instructions to check
+  size.  For x86-64, memcmp on an object size larger than SSIZE_MAX
+  has undefined behavior.  On x32, the size_t argument may be passed
+  in the lower 32 bits of the 64-bit RDX register with non-zero upper
+  32 bits.  When it happened with the sign bit of RDX register set,
+  memcmp gave the wrong result since it treated the size argument as
+  zero.  Reported by H.J. Lu.

 The following bugs are resolved with this release:

diff --git a/sysdeps/x86_64/memcmp.S b/sysdeps/x86_64/memcmp.S
index 1fc487caa5..1322bb3b92 100644
--- a/sysdeps/x86_64/memcmp.S
+++ b/sysdeps/x86_64/memcmp.S
@@ -21,14 +21,18 @@

        .text
 ENTRY (memcmp)
-       test    %rdx, %rdx
+#ifdef __ILP32__
+       /* Clear the upper 32 bits.  */
+       movl    %edx, %edx
+#endif
+       test    %RDX_LP, %RDX_LP
        jz      L(finz)
        cmpq    $1, %rdx
-       jle     L(finr1b)
+       jbe     L(finr1b)
        subq    %rdi, %rsi
        movq    %rdx, %r10
        cmpq    $32, %r10
-       jge     L(gt32)
+       jae     L(gt32)
        /* Handle small chunks and last block of less than 32 bytes.  */
 L(small):
        testq   $1, %r10
@@ -156,7 +160,7 @@ L(A32):
        movq    %r11, %r10
        andq    $-32, %r10
        cmpq    %r10, %rdi
-        jge    L(mt16)
+        jae    L(mt16)
        /* Pre-unroll to be ready for unrolled 64B loop.  */
        testq   $32, %rdi
        jz      L(A64)
@@ -178,7 +182,7 @@ L(A64):
        movq    %r11, %r10
        andq    $-64, %r10
        cmpq    %r10, %rdi
-        jge    L(mt32)
+        jae    L(mt32)

 L(A64main):
        movdqu    (%rdi,%rsi), %xmm0
@@ -216,7 +220,7 @@ L(mt32):
        movq    %r11, %r10
        andq    $-32, %r10
        cmpq    %r10, %rdi
-        jge    L(mt16)
+        jae    L(mt16)

 L(A32main):
        movdqu    (%rdi,%rsi), %xmm0
@@ -254,7 +258,7 @@ L(ATR):
        movq    %r11, %r10
        andq    $-32, %r10
        cmpq    %r10, %rdi
-        jge    L(mt16)
+        jae    L(mt16)
        testq   $16, %rdi
        jz      L(ATR32)

@@ -325,7 +329,7 @@ L(ATR64main):
        movq    %r11, %r10
        andq    $-32, %r10
        cmpq    %r10, %rdi
-        jge    L(mt16)
+        jae    L(mt16)

 L(ATR32res):
        movdqa    (%rdi,%rsi), %xmm0
diff --git a/sysdeps/x86_64/x32/Makefile b/sysdeps/x86_64/x32/Makefile
index 1557724b0c..8748956563 100644
--- a/sysdeps/x86_64/x32/Makefile
+++ b/sysdeps/x86_64/x32/Makefile
@@ -8,7 +8,8 @@ endif
 ifeq ($(subdir),string)
 tests += tst-size_t-memchr tst-size_t-memcmp tst-size_t-memcpy \
         tst-size_t-memrchr tst-size_t-memset tst-size_t-strncasecmp \
-        tst-size_t-strncmp tst-size_t-strncpy tst-size_t-strnlen
+        tst-size_t-strncmp tst-size_t-strncpy tst-size_t-strnlen \
+        tst-size_t-memcmp-2
 endif

 ifeq ($(subdir),wcsmbs)
diff --git a/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
b/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
new file mode 100644
index 0000000000..d8ae1a0813
--- /dev/null
+++ b/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
@@ -0,0 +1,79 @@
+/* Test memcmp with size_t in the lower 32 bits of 64-bit register.
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#define TEST_MAIN
+#ifdef WIDE
+# define TEST_NAME "wmemcmp"
+#else
+# define TEST_NAME "memcmp"
+#endif
+
+#include "test-size_t.h"
+
+#ifdef WIDE
+# include <inttypes.h>
+# include <wchar.h>
+
+# define MEMCMP wmemcmp
+# define CHAR wchar_t
+#else
+# define MEMCMP memcmp
+# define CHAR char
+#endif
+
+IMPL (MEMCMP, 1)
+
+typedef int (*proto_t) (const CHAR *, const CHAR *, size_t);
+
+static int
+__attribute__ ((noinline, noclone))
+do_memcmp (parameter_t a, parameter_t b)
+{
+  return CALL (&b, a.p, b.p, a.len);
+}
+
+static int
+test_main (void)
+{
+  test_init ();
+
+  parameter_t dest = { { page_size / sizeof (CHAR) }, buf1 };
+  parameter_t src = { { 0 }, buf2 };
+
+  memcpy (buf1, buf2, page_size);
+
+  CHAR *p = (CHAR *) buf1;
+  p[page_size / sizeof (CHAR) - 1] = (CHAR) 1;
+
+  int ret = 0;
+  FOR_EACH_IMPL (impl, 0)
+    {
+      src.fn = impl->fn;
+      int res = do_memcmp (dest, src);
+      if (res >= 0)
+       {
+         error (0, 0, "Wrong result in function %s: %i >= 0",
+                impl->name, res);
+         ret = 1;
+       }
+    }
+
+  return ret ? EXIT_FAILURE : EXIT_SUCCESS;
+}
+
+#include <support/test-driver.c>
--
2.20.1



-- 
H.J.

          parent reply	other threads:[~2019-02-04 16:06 UTC|newest]

Thread overview: expand[flat|nested]  mbox.gz  Atom feed
 [parent not found: <20190204010338.GA4441@gmail.com>]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAMe9rOr4a80C_Tv46EO1Brkn3YJa_pnRAf_O2R=SPyVZaFfBQQ@mail.gmail.com' \
    --to=hjl.tools@gmail.com \
    --cc=libc-stable@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).