This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]

From: Florian Weimer <fweimer at redhat dot com>
To: "H.J. Lu" <hjl dot tools at gmail dot com>
Cc: GNU C Library <libc-alpha at sourceware dot org>
Date: Fri, 18 Jan 2019 21:40:45 +0100
Subject: Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
References: <20190117165351.25914-1-hjl.tools@gmail.com> <87bm4ep7df.fsf@oldenburg2.str.redhat.com> <CAMe9rOq0wYwkXB_po_3CqMu7T=vJxtxGkXsxUuq-L5mghEPQCw@mail.gmail.com> <87r2d9loy4.fsf@oldenburg2.str.redhat.com> <CAMe9rOq00c2-bgMqsinU88_Jfi8+-Fsirpy3MWS2UQgCcXFaWw@mail.gmail.com> <87pnstk98r.fsf@oldenburg2.str.redhat.com> <CAMe9rOpNGBH7BJxgjVpL1BTUvVY4OQ9U4Cuap3rRoUDtqjNb1g@mail.gmail.com>

* H. J. Lu:

> On Fri, Jan 18, 2019 at 12:21 PM Florian Weimer <fweimer@redhat.com> wrote:
>>
>> * H. J. Lu:
>>
>> > On Fri, Jan 18, 2019 at 11:56 AM Florian Weimer <fweimer@redhat.com> wrote:
>> >>
>> >> * H. J. Lu:
>> >>
>> >> > On Fri, Jan 18, 2019 at 2:50 AM Florian Weimer <fweimer@redhat.com> wrote:
>> >> >>
>> >> >> * H. J. Lu:
>> >> >>
>> >> >> > On x32, the size_t parameter may be passed in the lower 32 bits of a
>> >> >> > 64-bit register with the non-zero upper 32 bits.  The string/memory
>> >> >> > functions written in assembly can only use the lower 32 bits of a
>> >> >> > 64-bit register as length or must clear the upper 32 bits before using
>> >> >> > the full 64-bit register for length.
>> >> >> >
>> >> >> > This pach fixes string/memory functions written in assembly for x32.
>> >> >> > Tested on x86-64 and x32.  On x86-64, libc.so is the same with and
>> >> >> > withou the fix.
>> >> >>
>> >> >> Can this bug result in buffer overflows?  Should we obtain a CVE
>> >> >
>> >> > Yes, definitely.
>> >> >
>> >> >> identifier?
>> >> >>
>> >> >
>> >> > Yes, please.  Can you do that for me?
>> >>
>> >> Done, MITRE gave us CVE-2019-6488.  Please reference this in the
>> >> ChangeLog and the commit message if you have not done so.  Please also
>> >
>> > Done.  I just regenerated and submitted the new patch set.
>> >
>> >> add short NEWS entry in the security section.  Thanks.
>> >>
>> >
>> > I added:
>> >
>> >   CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
>> >   32 bits of a 64-bit register with the non-zero upper 32 bits.  When
>> >   it happens, the string/memory functions written in assembly will cause
>> >   buffer overflow if the full 64-bit register is used as the 32-bit
>>
>> I think we generally describe the faulty behavior in the past tense
>> (“When this happen*ed*, the string/memory functions written in assembly
>> *would* cause *a* buffer overflow if the full 64-bit register was
>> used”).  The first sentence is still current behavior, so it's okay.
>
> Like this?
>
>   CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
>   32 bits of a 64-bit register with the non-zero upper 32 bits.  When

“with non-zero upper 32 bits”

>   it happened, the string/memory functions written in assembly would
>   cause a buffer overflow if the full 64-bit register was used as the

Hmm.  Maybe “because the full”?

>   32-bit size_t value.  Reported by H.J. Lu.

Rest of this descriptions looks okay to me.  (Not a native speaker.)

Thanks,
Florian

Follow-Ups:
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu

References:
- [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: Florian Weimer
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: Florian Weimer
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: Florian Weimer
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]