This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]

From: "H.J. Lu" <hjl dot tools at gmail dot com>
To: libc-alpha at sourceware dot org
Date: Fri, 18 Jan 2019 12:12:29 -0800
Subject: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]

On x32, the size_t parameter may be passed in the lower 32 bits of a
64-bit register with the non-zero upper 32 bits.  The string/memory
functions written in assembly can only use the lower 32 bits of a
64-bit register as length or must clear the upper 32 bits before using
the full 64-bit register for length.

This pach fixes string/memory functions written in assembly for x32.
Tested on x86-64 and x32.  On x86-64, libc.so is the same with and
withou the fix.

This fixes CVE-2019-6488.

H.J. Lu (8):
  x86-64 memchr/wmemchr: Properly handle the length parameter [BZ#
    24097]
  x86-64 memcmp/wmemcmp: Properly handle the length parameter [BZ#
    24097]
  x86-64 memcpy: Properly handle the length parameter [BZ# 24097]
  x86-64 memrchr: Properly handle the length parameter [BZ# 24097]
  x86-64 memset/wmemset: Properly handle the length parameter [BZ#
    24097]
  x86-64 strncmp family: Properly handle the length parameter [BZ#
    24097]
  x86-64 strncpy: Properly handle the length parameter [BZ# 24097]
  x86-64 strnlen/wcsnlen: Properly handle the length parameter [BZ#
    24097]

 NEWS                                          |  6 ++
 sysdeps/x86_64/memchr.S                       | 10 ++-
 sysdeps/x86_64/memrchr.S                      |  4 +-
 sysdeps/x86_64/multiarch/memchr-avx2.S        |  8 +-
 sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S  |  7 +-
 sysdeps/x86_64/multiarch/memcmp-sse4.S        |  9 ++-
 sysdeps/x86_64/multiarch/memcmp-ssse3.S       |  7 +-
 sysdeps/x86_64/multiarch/memcpy-ssse3-back.S  | 17 ++--
 sysdeps/x86_64/multiarch/memcpy-ssse3.S       | 17 ++--
 .../multiarch/memmove-avx512-no-vzeroupper.S  | 16 ++--
 .../multiarch/memmove-vec-unaligned-erms.S    | 54 +++++++------
 sysdeps/x86_64/multiarch/memrchr-avx2.S       |  4 +-
 .../multiarch/memset-avx512-no-vzeroupper.S   |  6 +-
 .../multiarch/memset-vec-unaligned-erms.S     | 34 ++++----
 sysdeps/x86_64/multiarch/strcmp-avx2.S        |  6 +-
 sysdeps/x86_64/multiarch/strcmp-sse42.S       |  6 +-
 sysdeps/x86_64/multiarch/strcpy-avx2.S        |  4 +-
 .../x86_64/multiarch/strcpy-sse2-unaligned.S  |  4 +-
 sysdeps/x86_64/multiarch/strcpy-ssse3.S       |  6 +-
 sysdeps/x86_64/multiarch/strlen-avx2.S        |  9 ++-
 sysdeps/x86_64/strcmp.S                       |  6 +-
 sysdeps/x86_64/strlen.S                       | 12 +--
 sysdeps/x86_64/x32/Makefile                   | 11 +++
 sysdeps/x86_64/x32/test-size_t.h              | 35 +++++++++
 sysdeps/x86_64/x32/tst-size_t-memchr.c        | 72 +++++++++++++++++
 sysdeps/x86_64/x32/tst-size_t-memcmp.c        | 76 ++++++++++++++++++
 sysdeps/x86_64/x32/tst-size_t-memcpy.c        | 58 ++++++++++++++
 sysdeps/x86_64/x32/tst-size_t-memrchr.c       | 57 ++++++++++++++
 sysdeps/x86_64/x32/tst-size_t-memset.c        | 73 +++++++++++++++++
 sysdeps/x86_64/x32/tst-size_t-strncasecmp.c   | 59 ++++++++++++++
 sysdeps/x86_64/x32/tst-size_t-strncmp.c       | 78 +++++++++++++++++++
 sysdeps/x86_64/x32/tst-size_t-strncpy.c       | 58 ++++++++++++++
 sysdeps/x86_64/x32/tst-size_t-strnlen.c       | 72 +++++++++++++++++
 sysdeps/x86_64/x32/tst-size_t-wcsncmp.c       | 20 +++++
 sysdeps/x86_64/x32/tst-size_t-wcsnlen.c       | 20 +++++
 sysdeps/x86_64/x32/tst-size_t-wmemchr.c       | 20 +++++
 sysdeps/x86_64/x32/tst-size_t-wmemcmp.c       | 20 +++++
 sysdeps/x86_64/x32/tst-size_t-wmemset.c       | 20 +++++
 38 files changed, 905 insertions(+), 96 deletions(-)
 create mode 100644 sysdeps/x86_64/x32/test-size_t.h
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-memchr.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-memcmp.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-memcpy.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-memrchr.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-memset.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-strncasecmp.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-strncmp.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-strncpy.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-strnlen.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-wcsncmp.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-wcsnlen.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-wmemchr.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-wmemcmp.c
 create mode 100644 sysdeps/x86_64/x32/tst-size_t-wmemset.c

-- 
2.20.1

Follow-Ups:
- [PATCH 1/8] x86-64 memchr/wmemchr: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- [PATCH 2/8] x86-64 memcmp/wmemcmp: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- [PATCH 4/8] x86-64 memrchr: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- [PATCH 3/8] x86-64 memcpy: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- [PATCH 5/8] x86-64 memset/wmemset: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- [PATCH 7/8] x86-64 strncpy: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- [PATCH 6/8] x86-64 strncmp family: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- [PATCH 8/8] x86-64 strnlen/wcsnlen: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]