From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.81]) by sourceware.org (Postfix) with ESMTP id 6DA733857C7C for ; Wed, 15 Jul 2020 16:54:25 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 6DA733857C7C Received: from mail-io1-f70.google.com (mail-io1-f70.google.com [209.85.166.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-39-eG1LACXMMKGV0oUVG9ZteQ-1; Wed, 15 Jul 2020 12:54:22 -0400 X-MC-Unique: eG1LACXMMKGV0oUVG9ZteQ-1 Received: by mail-io1-f70.google.com with SMTP id r19so1743296iod.6 for ; Wed, 15 Jul 2020 09:54:22 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=61OB0PQ7rS2Srfq6osCCVd6J5Ija3P/+TWDTUlvX+Gg=; b=AslLgHeulCT2I42pSGI8XyvOhgxwKGaIC8SsVrfvqSWoDtTohD9ew5hoZGrnBOoTGP 9SmXA0qX6JN7K1v+xyug3OTVXIpL4rijhQcR7lS/mi9HOJ3k5CgHmGyH8X9reH25gdNd hweLkvErtyoe5EOgoHdwsHpkXqOQMCNIsYLeBWYFRHPKHTDDlZKpRBUzIlxRG8uE7nQD cXMxVSFvi3ciSdFI3ZVNpDBsxPMSld4/tVl6pqUKO3on8jSFfTq0iwtav7+qCu9GPGK1 AZG+8tHHx6H8vX7O44c+kwrQnogmkpomfrquUzxT0uEeBytBBqSqmok1gaeBUPng0JtT 8Img== X-Gm-Message-State: AOAM533pCcsZofY/39Z+DV0dYIaNDlaO4YN72gRLeIRgs/JBh0tqbKvv ej6hy/pcP+7wQevzUBBGvdjFbf5zb/dfAFyvF8SxdMCTNJqMPYF7/cQRHf7R+erhGx5/ppiQngu +XgjchZem+G+5SjjqAlSicgais/FkoQULLbhEPQ== X-Received: by 2002:a92:77d2:: with SMTP id s201mr421891ilc.256.1594832061829; Wed, 15 Jul 2020 09:54:21 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyDjDKDxCjhnMcqKxcL2hZrHkzMA9p+TzjP8IlfYDVwVggMQEDzbejPxRMn+1j4diWaXKrK2XGb24ImAZNpLBU= X-Received: by 2002:a92:77d2:: with SMTP id s201mr421862ilc.256.1594832061471; Wed, 15 Jul 2020 09:54:21 -0700 (PDT) MIME-Version: 1.0 
From: Patsy Griffin
Date: Wed, 15 Jul 2020 12:53:45 -0400
Message-ID:
Subject: [2.31 COMMITTED 1/2] arm: CVE-2020-6096: fix memcpy and memmove for negative length [BZ #25620]
To: libc-stable@sourceware.org
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
X-Spam-Status: No, score=-10.4 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, HTML_MESSAGE, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SCC_10_SHORT_WORD_LINES, SCC_5_SHORT_WORD_LINES, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org
Content-Type: text/plain; charset="UTF-8"
X-Content-Filtered-By: Mailman/MimeDel 2.1.29
X-BeenThere: libc-stable@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-stable mailing list
List-Unsubscribe: ,
List-Archive:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 15 Jul 2020 16:54:27 -0000

>From 9bbd2b61729de6ea23e3463523210aa2829e3da0 Mon Sep 17 00:00:00 2001
From: Evgeny Eremin
Date: Wed, 8 Jul 2020 14:18:19 +0200
Subject: [PATCH 1/2] arm: CVE-2020-6096: fix memcpy and memmove for negative length [BZ #25620]

Unsigned branch instructions could be used for r2 to fix the wrong behavior when a negative length is passed to memcpy and memmove. This commit fixes the generic arm implementation of memcpy amd memmove.

(cherry picked from commit 79a4fa341b8a89cb03f84564fd72abaa1a2db394)
---
 sysdeps/arm/memcpy.S | 24 ++++++++++--------------
 sysdeps/arm/memmove.S | 24 ++++++++++--------------
 2 files changed, 20 insertions(+), 28 deletions(-)

diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S
index 510e8adaf2..bcfbc51d99 100644
--- a/sysdeps/arm/memcpy.S
+++ b/sysdeps/arm/memcpy.S
@@ -68,7 +68,7 @@ ENTRY(memcpy)
 cfi_remember_state
 subs r2, r2, #4
- blt 8f
+ blo 8f
 ands ip, r0, #3
 PLD( pld [r1, #0] )
 bne 9f
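Review bot: The `subs r2, r2, #4` / `blo 8f` pair in this hunk now depends on r2 being treated as an unsigned size_t, but nothing in the code says so, and `blt`/`bge` are the forms a reader of this file has always seen here, so a later cleanup can silently reintroduce the signed compare; the same applies to the -82, -222 and -236 hunks and to every memmove.S hunk. I would add one comment at the first length check, `@ r2 is size_t: length tests must be unsigned (blo/bhs), BZ #25620`, and repeat it at the top of the `forward_copy_shift` and `backward_copy_shift` macro bodies. The diffstat shows no regression test in this patch; unless 2/2 carries one, a string test that calls memcpy and memmove with a length whose top bit is set would pin the fix. ENTRY(memcpy) begins before this hunk.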
@@ -82,7 +82,7 @@ ENTRY(memcpy)
 cfi_rel_offset (r6, 4)
 cfi_rel_offset (r7, 8)
 cfi_rel_offset (r8, 12)
- blt 5f
+ blo 5f
 CALGN( ands ip, r1, #31 )
 CALGN( rsb r3, ip, #32 )
@@ -98,9 +98,9 @@ ENTRY(memcpy)
 #endif
 PLD( pld [r1, #0] )
-2: PLD( subs r2, r2, #96 )
+2: PLD( cmp r2, #96 )
 PLD( pld [r1, #28] )
- PLD( blt 4f )
+ PLD( blo 4f )
 PLD( pld [r1, #60] )
 PLD( pld [r1, #92] )
@@ -108,9 +108,7 @@ ENTRY(memcpy)
 4: ldmia r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
 subs r2, r2, #32
 stmia r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
- bge 3b
- PLD( cmn r2, #96 )
- PLD( bge 4b )
+ bhs 3b
 5: ands ip, r2, #28
 rsb ip, ip, #32
@@ -222,7 +220,7 @@ ENTRY(memcpy)
 strbge r4, [r0], #1
 subs r2, r2, ip
 strb lr, [r0], #1
- blt 8b
+ blo 8b
 ands ip, r1, #3
 beq 1b
@@ -236,7 +234,7 @@ ENTRY(memcpy)
 .macro forward_copy_shift pull push
 subs r2, r2, #28
- blt 14f
+ blo 14f
 CALGN( ands ip, r1, #31 )
 CALGN( rsb ip, ip, #32 )
@@ -253,9 +251,9 @@ ENTRY(memcpy)
 cfi_rel_offset (r10, 16)
 PLD( pld [r1, #0] )
- PLD( subs r2, r2, #96 )
+ PLD( cmp r2, #96 )
 PLD( pld [r1, #28] )
- PLD( blt 13f )
+ PLD( blo 13f )
 PLD( pld [r1, #60] )
 PLD( pld [r1, #92] )
@@ -280,9 +278,7 @@ ENTRY(memcpy)
 mov ip, ip, PULL #\pull
 orr ip, ip, lr, PUSH #\push
 stmia r0!, {r3, r4, r5, r6, r7, r8, r10, ip}
- bge 12b
- PLD( cmn r2, #96 )
- PLD( bge 13b )
+ bhs 12b
 pop {r5 - r8, r10}
 cfi_adjust_cfa_offset (-20)
diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S
index 954037ef3a..0d07b76ee6 100644
--- a/sysdeps/arm/memmove.S
+++ b/sysdeps/arm/memmove.S
@@ -85,7 +85,7 @@ ENTRY(memmove)
 add r1, r1, r2
 add r0, r0, r2
 subs r2, r2, #4
- blt 8f
+ blo 8f
 ands ip, r0, #3
 PLD( pld [r1, #-4] )
 bne 9f
@@ -99,7 +99,7 @@ ENTRY(memmove)
 cfi_rel_offset (r6, 4)
 cfi_rel_offset (r7, 8)
 cfi_rel_offset (r8, 12)
- blt 5f
+ blo 5f
 CALGN( ands ip, r1, #31 )
 CALGN( sbcsne r4, ip, r2 ) @ C is always set here
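Review bot: Collapsing `bge 3b` / `PLD( cmn r2, #96 )` / `PLD( bge 4b )` into `bhs 3b` in the -108 hunk changes the prefetch pattern as well as the signedness: the old tail loop re-entered at label 4 without a prefetch once fewer than 96 bytes remained, whereas `bhs 3b` always returns to label 3, which lies outside this hunk and presumably holds the in-loop `pld`. With PLD enabled the last few iterations therefore issue prefetches past the end of the source buffer; `pld` is a hint and cannot fault, so this is a performance rather than a correctness change, but neither the code nor the commit message records it. I would annotate the new line, `bhs 3b @ unsigned loop exit; tail iterations still prefetch (pld cannot fault)`, or keep a non-prefetching tail loop if the extra prefetches matter on the targeted cores. The same simplification appears in the -280 hunk below (`bhs 12b`) and in the memmove.S -124 and -295 hunks.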
@@ -114,9 +114,9 @@ ENTRY(memmove)
 #endif
 PLD( pld [r1, #-4] )
-2: PLD( subs r2, r2, #96 )
+2: PLD( cmp r2, #96 )
 PLD( pld [r1, #-32] )
- PLD( blt 4f )
+ PLD( blo 4f )
 PLD( pld [r1, #-64] )
 PLD( pld [r1, #-96] )
@@ -124,9 +124,7 @@ ENTRY(memmove)
 4: ldmdb r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
 subs r2, r2, #32
 stmdb r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
- bge 3b
- PLD( cmn r2, #96 )
- PLD( bge 4b )
+ bhs 3b
 5: ands ip, r2, #28
 rsb ip, ip, #32
@@ -237,7 +235,7 @@ ENTRY(memmove)
 strbge r4, [r0, #-1]!
 subs r2, r2, ip
 strb lr, [r0, #-1]!
- blt 8b
+ blo 8b
 ands ip, r1, #3
 beq 1b
@@ -251,7 +249,7 @@ ENTRY(memmove)
 .macro backward_copy_shift push pull
 subs r2, r2, #28
- blt 14f
+ blo 14f
 CALGN( ands ip, r1, #31 )
 CALGN( rsb ip, ip, #32 )
@@ -268,9 +266,9 @@ ENTRY(memmove)
 cfi_rel_offset (r10, 16)
 PLD( pld [r1, #-4] )
- PLD( subs r2, r2, #96 )
+ PLD( cmp r2, #96 )
 PLD( pld [r1, #-32] )
- PLD( blt 13f )
+ PLD( blo 13f )
 PLD( pld [r1, #-64] )
 PLD( pld [r1, #-96] )
@@ -295,9 +293,7 @@ ENTRY(memmove)
 mov r4, r4, PUSH #\push
 orr r4, r4, r3, PULL #\pull
 stmdb r0!, {r4 - r8, r10, ip, lr}
- bge 12b
- PLD( cmn r2, #96 )
- PLD( bge 13b )
+ bhs 12b
 pop {r5 - r8, r10}
 cfi_adjust_cfa_offset (-20)
-- 
2.21.1