GNU C Library master sources branch release/2.27/master updated. glibc-2.27-55-g0cf8a53
- From: fw at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 24 May 2018 13:06:55 -0000
- Subject: GNU C Library master sources branch release/2.27/master updated. glibc-2.27-55-g0cf8a53
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.27/master has been updated
via 0cf8a53e5f2ce7f71787537cf206228727afe256 (commit)
via f51c8367685dc888a02f7304c729ed5277904aff (commit)
from 0cd4a5e87f6885a2f15fe8e7eb7378d010cdb606 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0cf8a53e5f2ce7f71787537cf206228727afe256
commit 0cf8a53e5f2ce7f71787537cf206228727afe256
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Wed May 23 03:59:56 2018 -0700
Add a test case for [BZ #23196]
[BZ #23196]
* string/test-memcpy.c (do_test1): New function.
(test_main): Call it.
(cherry picked from commit ed983107bbc62245b06b99f02e69acf36a0baa3e)
diff --git a/ChangeLog b/ChangeLog
index 0cccfa2..4aa9ff7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2018-05-23 H.J. Lu <hongjiu.lu@intel.com>
+
+ [BZ #23196]
+ * string/test-memcpy.c (do_test1): New function.
+ (test_main): Call it.
+
2018-05-23 Andreas Schwab <schwab@suse.de>
[BZ #23196]
diff --git a/string/test-memcpy.c b/string/test-memcpy.c
index 45f20a6..3c8066d 100644
--- a/string/test-memcpy.c
+++ b/string/test-memcpy.c
@@ -212,6 +212,50 @@ do_random_tests (void)
}
}
+static void
+do_test1 (void)
+{
+ size_t size = 0x100000;
+ void *large_buf;
+
+ large_buf = mmap (NULL, size * 2 + page_size, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON, -1, 0);
+ if (large_buf == MAP_FAILED)
+ {
+ puts ("Failed to allocat large_buf, skipping do_test1");
+ return;
+ }
+
+ if (mprotect (large_buf + size, page_size, PROT_NONE))
+ error (EXIT_FAILURE, errno, "mprotect failed");
+
+ size_t arrary_size = size / sizeof (uint32_t);
+ uint32_t *dest = large_buf;
+ uint32_t *src = large_buf + size + page_size;
+ size_t i;
+
+ for (i = 0; i < arrary_size; i++)
+ src[i] = (uint32_t) i;
+
+ FOR_EACH_IMPL (impl, 0)
+ {
+ memset (dest, -1, size);
+ CALL (impl, (char *) dest, (char *) src, size);
+ for (i = 0; i < arrary_size; i++)
+ if (dest[i] != src[i])
+ {
+ error (0, 0,
+ "Wrong result in function %s dst \"%p\" src \"%p\" offset \"%zd\"",
+ impl->name, dest, src, i);
+ ret = 1;
+ break;
+ }
+ }
+
+ munmap ((void *) dest, size);
+ munmap ((void *) src, size);
+}
+
int
test_main (void)
{
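Review bot: The cleanup at the end of do_test1 unmaps `dest` and `src` separately and leaves the PROT_NONE guard page at `large_buf + size` mapped; a single `munmap (large_buf, size * 2 + page_size);` would release the whole region and mirror the mmap call. The failure message passes the `size_t` index `i` to `%zd`, which should be `%zu`, and the value it labels "offset" is an element index rather than a byte offset. The guard page sits only after `dest`, so the test traps a write past the end of the destination, while nothing in the hunk guards the region before its start. The skip message reads "allocat" and the local is spelled `arrary_size`; both are worth correcting while the test is new.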
@@ -253,6 +297,9 @@ test_main (void)
do_test (0, 0, getpagesize ());
do_random_tests ();
+
+ do_test1 ();
+
return ret;
}
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f51c8367685dc888a02f7304c729ed5277904aff
commit f51c8367685dc888a02f7304c729ed5277904aff
Author: Andreas Schwab <schwab@suse.de>
Date: Thu May 24 14:39:18 2018 +0200
Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196)
When compiled as mempcpy, the return value is the end of the destination
buffer, thus it cannot be used to refer to the start of it.
(cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e)
diff --git a/ChangeLog b/ChangeLog
index fa0394c..0cccfa2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2018-05-23 Andreas Schwab <schwab@suse.de>
+
+ [BZ #23196]
+ CVE-2018-11237
+ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+ (L(preloop_large)): Save initial destination pointer in %r11 and
+ use it instead of %rax after the loop.
+ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
2018-05-11 Florian Weimer <fweimer@redhat.com>
[BZ #23166]
diff --git a/NEWS b/NEWS
index 57f6714..ee08fc3 100644
--- a/NEWS
+++ b/NEWS
@@ -48,6 +48,13 @@ The following bugs are resolved with this release:
build with -Os)
[23152] gd_GB: Fix typo in "May" (abbreviated)
[23166] sunrpc: Remove stray exports without --enable-obsolete-rpc
+ [23196] __mempcpy_avx512_no_vzeroupper mishandles large copies
+
+Security related changes:
+
+ CVE-2018-11237: The mempcpy implementation for the Intel Xeon Phi
+ architecture could write beyond the target buffer, resulting in a buffer
+ overflow. Reported by Andreas Schwab.
Version 2.27
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
index c08fba8..d98ecdd 100644
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
<http://www.gnu.org/licenses/>. */
#define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
#define TEST_MAIN
#define TEST_NAME "mempcpy"
#include "test-string.h"
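Review bot: `MIN_PAGE_SIZE` is defined as the bare value 131072 with no comment explaining why this test needs it, and the hunk does not show where the macro is consumed. Presumably it enlarges the buffers set up through test-string.h so that the large-copy path from BZ #23196 is exercised; if that is the intent, state it above the define, for example `/* Large enough for the buffers to reach the large-copy path (BZ #23196). */`. Without that, a later cleanup could lower or drop the value and silently lose the regression coverage.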
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
index 23c0f7a..effc3ac 100644
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -336,6 +336,7 @@ L(preloop_large):
vmovups (%rsi), %zmm4
vmovups 0x40(%rsi), %zmm5
+ mov %rdi, %r11
/* Align destination for access with non-temporal stores in the loop. */
mov %rdi, %r8
and $-0x80, %rdi
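Review bot: The added `mov %rdi, %r11` in L(preloop_large) carries no comment, so the reason for using %r11 rather than %rax is recorded only in the commit message. A line such as `/* Save the start of the destination; %rax is the end of the buffer when built as mempcpy. */` above it would keep a later edit from switching back. The two `vmovups` stores after `sfence` in the following hunk depend on %r11 surviving L(gobble_256bytes_nt_loop), whose body lies outside both hunks, so that should be checked against the full file. L(preloop_large_bkw) begins right after the second hunk and is not shown; it is worth confirming that it does not use %rax as a destination base in the same way.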
@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
cmp $256, %rdx
ja L(gobble_256bytes_nt_loop)
sfence
- vmovups %zmm4, (%rax)
- vmovups %zmm5, 0x40(%rax)
+ vmovups %zmm4, (%r11)
+ vmovups %zmm5, 0x40(%r11)
jmp L(check)
L(preloop_large_bkw):
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 15 ++++++
NEWS | 7 +++
string/test-memcpy.c | 47 ++++++++++++++++++++
string/test-mempcpy.c | 1 +
.../multiarch/memmove-avx512-no-vzeroupper.S | 5 +-
5 files changed, 73 insertions(+), 2 deletions(-)
hooks/post-receive
--
GNU C Library master sources