mirror/glibc
2
0
Fork 0
mirror of git://sourceware.org/git/glibc.git synced 2025-04-12 14:21:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196)

Browse Source 
When compiled as mempcpy, the return value is the end of the destination
buffer, thus it cannot be used to refer to the start of it.

(cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e)
This commit is contained in:
Andreas Schwab 2018-05-24 14:39:18 +02:00 committed by Florian Weimer
parent af7519f7b3
commit 6b4362f2cb
4 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ChangeLog
View File

@ -1,3 +1,12 @@
2018-05-23 Andreas Schwab <schwab@suse.de>
[BZ #23196]
CVE-2018-11237
* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
(L(preloop_large)): Save initial destination pointer in %r11 and
use it instead of %rax after the loop.
* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #22786]

5
NEWS
View File

@ -71,6 +71,10 @@ Security related changes:
the value of SIZE_MAX, would return a pointer to a buffer which is too
small, instead of NULL.
CVE-2018-11237: The mempcpy implementation for the Intel Xeon Phi
architecture could write beyond the target buffer, resulting in a buffer
overflow. Reported by Andreas Schwab.
The following bugs are resolved with this release:
[16750] ldd: Never run file directly.
@ -128,6 +132,7 @@ The following bugs are resolved with this release:
[23024] getlogin_r: return early when linux sentinel value is set
[23037] resolv: Fully initialize struct mmsghdr in send_dg
[23137] s390: Fix blocking pthread_join
[23196] __mempcpy_avx512_no_vzeroupper mishandles large copies
Version 2.26

1
string/test-mempcpy.c
View File

@ -18,6 +18,7 @@
<http://www.gnu.org/licenses/>. */
#define MEMCPY_RESULT(dst, len) (dst) + (len)
#define MIN_PAGE_SIZE 131072
#define TEST_MAIN
#define TEST_NAME "mempcpy"
#include "test-string.h"

5
sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
View File

@ -340,6 +340,7 @@ L(preloop_large):
vmovups (%rsi), %zmm4
vmovups 0x40(%rsi), %zmm5
mov %rdi, %r11
/* Align destination for access with non-temporal stores in the loop. */
mov %rdi, %r8
and $-0x80, %rdi
@ -370,8 +371,8 @@ L(gobble_256bytes_nt_loop):
cmp $256, %rdx
ja L(gobble_256bytes_nt_loop)
sfence
vmovups %zmm4, (%rax)
vmovups %zmm5, 0x40(%rax)
vmovups %zmm4, (%r11)
vmovups %zmm5, 0x40(%r11)
jmp L(check)
L(preloop_large_bkw):