Bug 24155 (CVE-2019-7309) - x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309)
Summary: x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2019-7309
Product: glibc
Classification: Unclassified
Component: string
Version: 2.30
Importance: P2 normal
Target Milestone: 2.30
Assignee: Not yet assigned to anyone
Reported: 2019-02-02 01:09 UTC by H.J. Lu
Modified: 2019-02-04 20:44 UTC
Target: x86-64
fweimer: security+
Description H.J. Lu 2019-02-02 01:09:53 UTC
sysdeps/x86_64/memcmp.S has

ENTRY (memcmp)
	test	%rdx, %rdx
	jz	L(finz)
	cmpq	$1, %rdx
	jle	L(finr1b) <<< signed Jcc
	subq	%rdi, %rsi
	movq	%rdx, %r10
	cmpq	$32, %r10
	jge	L(gt32) <<< signed Jcc

But size_t is unsigned.
Comment 1 Florian Weimer 2019-02-02 15:43:16 UTC
H.J. Lu reports:

“On x32, memcmp always returns 0 when the most significant bit of RDX is set
since it treats size as 0, like memcmp (a, b, 0).”

On x86-64, it is not possible to reach this error condition with valid input.
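
The branch decisions described in the report and in Comment 1, modelled in C as an added example (not glibc code and not written by the commenters). The names `dispatch_signed`, `dispatch_unsigned` and `enum path` and the sample RDX value are constructed for illustration; `PATH_REST` stands for the code after the second branch, which the page does not show.

```c
#include <stdint.h>
#include <stdio.h>

/* Branch targets named in the bug description; PATH_REST stands for the
   code after the second branch, which the page does not show. */
enum path { PATH_FINZ, PATH_FINR1B, PATH_GT32, PATH_REST };

/* Entry sequence as quoted in the report: full 64-bit RDX, signed jle/jge. */
static enum path dispatch_signed(uint64_t rdx)
{
    int64_t n = (int64_t)rdx;           /* signed view used by jle/jge */
    if (rdx == 0) return PATH_FINZ;     /* test %rdx,%rdx ; jz */
    if (n <= 1)   return PATH_FINR1B;   /* cmpq $1,%rdx ; jle */
    if (n >= 32)  return PATH_GT32;     /* cmpq $32,%r10 ; jge */
    return PATH_REST;
}

/* Model of the fix as the commit message describes it: on x32 clear the
   upper 32 bits of RDX, then compare the size as unsigned. */
static enum path dispatch_unsigned(uint64_t rdx, int is_x32)
{
    uint64_t n = is_x32 ? (uint32_t)rdx : rdx;
    if (n == 0)  return PATH_FINZ;
    if (n <= 1)  return PATH_FINR1B;
    if (n >= 32) return PATH_GT32;
    return PATH_REST;
}

int main(void)
{
    /* Constructed value: x32 length 64 with the sign bit of RDX set. */
    uint64_t rdx = 0x8000000000000040ULL;
    printf("signed:   %d\n", (int)dispatch_signed(rdx));
    printf("unsigned: %d\n", (int)dispatch_unsigned(rdx, 1));
    return 0;
}
```

With the signed comparisons, a 64-byte length whose RDX sign bit is set takes the branch meant for lengths of at most 1; with the upper bits cleared and unsigned comparisons it takes the branch for lengths of 32 or more.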
Comment 2 cvs-commit@gcc.gnu.org 2019-02-04 14:32:01 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  3f635fb43389b54f682fc9ed2acc0b2aaf4a923d (commit)
      from  2ab5741b8a96d02eb89e455b1971a19e7aef67bc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3f635fb43389b54f682fc9ed2acc0b2aaf4a923d

commit 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Feb 4 06:31:01 2019 -0800

    x86-64 memcmp: Use unsigned Jcc instructions on size [BZ #24155]
    
    Since the size argument is unsigned, we should use unsigned Jcc
    instructions, instead of signed, to check size.
    
    Tested on x86-64 and x32, with and without --disable-multi-arch.
    
    	[BZ #24155]
    	CVE-2019-7309
    	* NEWS: Updated for CVE-2019-7309.
    	* sysdeps/x86_64/memcmp.S: Use RDX_LP for size.  Clear the
    	upper 32 bits of RDX register for x32.  Use unsigned Jcc
    	instructions, instead of signed.
    	* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
    	* sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   11 +++++++++++
 NEWS                                               |    8 +++++++-
 sysdeps/x86_64/memcmp.S                            |   20 ++++++++++++--------
 sysdeps/x86_64/x32/Makefile                        |    3 ++-
 .../{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} |    7 +++++--
 5 files changed, 37 insertions(+), 12 deletions(-)
 copy sysdeps/x86_64/x32/{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} (92%)
Comment 3 cvs-commit@gcc.gnu.org 2019-02-04 17:22:32 UTC
The branch, release/2.28/master has been updated
       via  9aaa083387fd1e19eb0bbd9f25444a5d5c91e210 (commit)
      from  d09b11cbe57c6434813ead18ff128012230bb614 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9aaa083387fd1e19eb0bbd9f25444a5d5c91e210

commit 9aaa083387fd1e19eb0bbd9f25444a5d5c91e210
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Feb 4 08:55:52 2019 -0800

    x86-64 memcmp: Use unsigned Jcc instructions on size [BZ #24155]
    
    Since the size argument is unsigned, we should use unsigned Jcc
    instructions, instead of signed, to check size.
    
    Tested on x86-64 and x32, with and without --disable-multi-arch.
    
    	[BZ #24155]
    	CVE-2019-7309
    	* NEWS: Updated for CVE-2019-7309.
    	* sysdeps/x86_64/memcmp.S: Use RDX_LP for size.  Clear the
    	upper 32 bits of RDX register for x32.  Use unsigned Jcc
    	instructions, instead of signed.
    	* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
    	* sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
    
    (cherry picked from commit 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   11 +++++++++++
 NEWS                                               |    9 +++++++++
 sysdeps/x86_64/memcmp.S                            |   20 ++++++++++++--------
 sysdeps/x86_64/x32/Makefile                        |    3 ++-
 .../{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} |    7 +++++--
 5 files changed, 39 insertions(+), 11 deletions(-)
 copy sysdeps/x86_64/x32/{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} (92%)
Comment 4 cvs-commit@gcc.gnu.org 2019-02-04 18:24:26 UTC
The branch, release/2.27/master has been updated
       via  2ebadb6451eda1d518d70e26cf4ceeb0362e2456 (commit)
      from  3a5ae8db6829d4c7f004fb1cda716f5ecfb3e97f (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2ebadb6451eda1d518d70e26cf4ceeb0362e2456

commit 2ebadb6451eda1d518d70e26cf4ceeb0362e2456
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Feb 4 08:55:52 2019 -0800

    x86-64 memcmp: Use unsigned Jcc instructions on size [BZ #24155]
    
    Since the size argument is unsigned, we should use unsigned Jcc
    instructions, instead of signed, to check size.
    
    Tested on x86-64 and x32, with and without --disable-multi-arch.
    
    	[BZ #24155]
    	CVE-2019-7309
    	* NEWS: Updated for CVE-2019-7309.
    	* sysdeps/x86_64/memcmp.S: Use RDX_LP for size.  Clear the
    	upper 32 bits of RDX register for x32.  Use unsigned Jcc
    	instructions, instead of signed.
    	* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
    	* sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
    
    (cherry picked from commit 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   11 +++++++++++
 NEWS                                               |    9 +++++++++
 sysdeps/x86_64/memcmp.S                            |   20 ++++++++++++--------
 sysdeps/x86_64/x32/Makefile                        |    3 ++-
 .../{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} |    7 +++++--
 5 files changed, 39 insertions(+), 11 deletions(-)
 copy sysdeps/x86_64/x32/{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} (92%)
Comment 5 cvs-commit@gcc.gnu.org 2019-02-04 18:59:59 UTC
The branch, release/2.26/master has been updated
       via  04e767b59b16befce93c6086362acbc1fae63f4e (commit)
      from  dc968f557398565d416dab69224f722c1d2beb9b (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=04e767b59b16befce93c6086362acbc1fae63f4e

commit 04e767b59b16befce93c6086362acbc1fae63f4e
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Feb 4 08:55:52 2019 -0800

    x86-64 memcmp: Use unsigned Jcc instructions on size [BZ #24155]
    
    Since the size argument is unsigned, we should use unsigned Jcc
    instructions, instead of signed, to check size.
    
    Tested on x86-64 and x32, with and without --disable-multi-arch.
    
    	[BZ #24155]
    	CVE-2019-7309
    	* NEWS: Updated for CVE-2019-7309.
    	* sysdeps/x86_64/memcmp.S: Use RDX_LP for size.  Clear the
    	upper 32 bits of RDX register for x32.  Use unsigned Jcc
    	instructions, instead of signed.
    	* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
    	* sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
    
    (cherry picked from commit 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   11 +++++++++++
 NEWS                                               |   10 ++++++++++
 sysdeps/x86_64/memcmp.S                            |   20 ++++++++++++--------
 sysdeps/x86_64/x32/Makefile                        |    3 ++-
 .../{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} |    7 +++++--
 5 files changed, 40 insertions(+), 11 deletions(-)
 copy sysdeps/x86_64/x32/{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} (92%)
Comment 6 cvs-commit@gcc.gnu.org 2019-02-04 19:43:50 UTC
The branch, release/2.25/master has been updated
       via  2ad78b78d382c5e4bd805334617ac17f35ecff7e (commit)
      from  f728a542bf8f9f30709f8d16a5cfceaa060956ce (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2ad78b78d382c5e4bd805334617ac17f35ecff7e

commit 2ad78b78d382c5e4bd805334617ac17f35ecff7e
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Feb 4 08:55:52 2019 -0800

    x86-64 memcmp: Use unsigned Jcc instructions on size [BZ #24155]
    
    Since the size argument is unsigned, we should use unsigned Jcc
    instructions, instead of signed, to check size.
    
    Tested on x86-64 and x32, with and without --disable-multi-arch.
    
    	[BZ #24155]
    	CVE-2019-7309
    	* NEWS: Updated for CVE-2019-7309.
    	* sysdeps/x86_64/memcmp.S: Use RDX_LP for size.  Clear the
    	upper 32 bits of RDX register for x32.  Use unsigned Jcc
    	instructions, instead of signed.
    	* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
    	* sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
    
    (cherry picked from commit 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   11 +++++++++++
 NEWS                                               |   10 ++++++++++
 sysdeps/x86_64/memcmp.S                            |   20 ++++++++++++--------
 sysdeps/x86_64/x32/Makefile                        |    3 ++-
 .../{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} |    7 +++++--
 5 files changed, 40 insertions(+), 11 deletions(-)
 copy sysdeps/x86_64/x32/{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} (92%)
Comment 7 cvs-commit@gcc.gnu.org 2019-02-04 20:27:52 UTC
The branch, release/2.29/master has been updated
       via  726a78867b3144e9b9da10197bcf59bde3d8b2a4 (commit)
      from  86013ef5cea322b8f4b9c22f230c22cce369e947 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=726a78867b3144e9b9da10197bcf59bde3d8b2a4

commit 726a78867b3144e9b9da10197bcf59bde3d8b2a4
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Feb 4 08:55:52 2019 -0800

    x86-64 memcmp: Use unsigned Jcc instructions on size [BZ #24155]
    
    Since the size argument is unsigned, we should use unsigned Jcc
    instructions, instead of signed, to check size.
    
    Tested on x86-64 and x32, with and without --disable-multi-arch.
    
    	[BZ #24155]
    	CVE-2019-7309
    	* NEWS: Updated for CVE-2019-7309.
    	* sysdeps/x86_64/memcmp.S: Use RDX_LP for size.  Clear the
    	upper 32 bits of RDX register for x32.  Use unsigned Jcc
    	instructions, instead of signed.
    	* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
    	* sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
    
    (cherry picked from commit 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   11 +++++++++++
 NEWS                                               |   17 +++++++++++++++++
 sysdeps/x86_64/memcmp.S                            |   20 ++++++++++++--------
 sysdeps/x86_64/x32/Makefile                        |    3 ++-
 .../{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} |    7 +++++--
 5 files changed, 47 insertions(+), 11 deletions(-)
 copy sysdeps/x86_64/x32/{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} (92%)
Comment 8 cvs-commit@gcc.gnu.org 2019-02-04 20:43:53 UTC
The branch, release/2.24/master has been updated
       via  9146dc9d73aba08cf3fc2613a3f946c219dd2a52 (commit)
      from  fc4a25e8148f6aa1afd510a7d4dc57a4c597fb96 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9146dc9d73aba08cf3fc2613a3f946c219dd2a52

commit 9146dc9d73aba08cf3fc2613a3f946c219dd2a52
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Feb 4 08:55:52 2019 -0800

    x86-64 memcmp: Use unsigned Jcc instructions on size [BZ #24155]
    
    Since the size argument is unsigned, we should use unsigned Jcc
    instructions, instead of signed, to check size.
    
    Tested on x86-64 and x32, with and without --disable-multi-arch.
    
    	[BZ #24155]
    	CVE-2019-7309
    	* NEWS: Updated for CVE-2019-7309.
    	* sysdeps/x86_64/memcmp.S: Use RDX_LP for size.  Clear the
    	upper 32 bits of RDX register for x32.  Use unsigned Jcc
    	instructions, instead of signed.
    	* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
    	* sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
    
    (cherry picked from commit 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   11 +++++++++++
 NEWS                                               |   10 ++++++++++
 sysdeps/x86_64/memcmp.S                            |   20 ++++++++++++--------
 sysdeps/x86_64/x32/Makefile                        |    3 ++-
 .../{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} |    7 +++++--
 5 files changed, 40 insertions(+), 11 deletions(-)
 copy sysdeps/x86_64/x32/{tst-size_t-memcmp.c => tst-size_t-memcmp-2.c} (92%)
Comment 9 H.J. Lu 2019-02-04 20:44:46 UTC
Fixed for 2.30 and backported to 2.24/2.25/2.26/2.27/2.28/2.29 release
branches.