This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]

From: "H.J. Lu" <hjl dot tools at gmail dot com>
To: Florian Weimer <fweimer at redhat dot com>
Cc: GNU C Library <libc-alpha at sourceware dot org>
Date: Fri, 18 Jan 2019 12:47:05 -0800
Subject: Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
References: <20190117165351.25914-1-hjl.tools@gmail.com> <87bm4ep7df.fsf@oldenburg2.str.redhat.com> <CAMe9rOq0wYwkXB_po_3CqMu7T=vJxtxGkXsxUuq-L5mghEPQCw@mail.gmail.com> <87r2d9loy4.fsf@oldenburg2.str.redhat.com> <CAMe9rOq00c2-bgMqsinU88_Jfi8+-Fsirpy3MWS2UQgCcXFaWw@mail.gmail.com> <87pnstk98r.fsf@oldenburg2.str.redhat.com> <CAMe9rOpNGBH7BJxgjVpL1BTUvVY4OQ9U4Cuap3rRoUDtqjNb1g@mail.gmail.com> <87lg3hk8c2.fsf@oldenburg2.str.redhat.com>

On Fri, Jan 18, 2019 at 12:40 PM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu:
>
> > On Fri, Jan 18, 2019 at 12:21 PM Florian Weimer <fweimer@redhat.com> wrote:
> >>
> >> * H. J. Lu:
> >>
> >> > On Fri, Jan 18, 2019 at 11:56 AM Florian Weimer <fweimer@redhat.com> wrote:
> >> >>
> >> >> * H. J. Lu:
> >> >>
> >> >> > On Fri, Jan 18, 2019 at 2:50 AM Florian Weimer <fweimer@redhat.com> wrote:
> >> >> >>
> >> >> >> * H. J. Lu:
> >> >> >>
> >> >> >> > On x32, the size_t parameter may be passed in the lower 32 bits of a
> >> >> >> > 64-bit register with the non-zero upper 32 bits.  The string/memory
> >> >> >> > functions written in assembly can only use the lower 32 bits of a
> >> >> >> > 64-bit register as length or must clear the upper 32 bits before using
> >> >> >> > the full 64-bit register for length.
> >> >> >> >
> >> >> >> > This pach fixes string/memory functions written in assembly for x32.
> >> >> >> > Tested on x86-64 and x32.  On x86-64, libc.so is the same with and
> >> >> >> > withou the fix.
> >> >> >>
> >> >> >> Can this bug result in buffer overflows?  Should we obtain a CVE
> >> >> >
> >> >> > Yes, definitely.
> >> >> >
> >> >> >> identifier?
> >> >> >>
> >> >> >
> >> >> > Yes, please.  Can you do that for me?
> >> >>
> >> >> Done, MITRE gave us CVE-2019-6488.  Please reference this in the
> >> >> ChangeLog and the commit message if you have not done so.  Please also
> >> >
> >> > Done.  I just regenerated and submitted the new patch set.
> >> >
> >> >> add short NEWS entry in the security section.  Thanks.
> >> >>
> >> >
> >> > I added:
> >> >
> >> >   CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
> >> >   32 bits of a 64-bit register with the non-zero upper 32 bits.  When
> >> >   it happens, the string/memory functions written in assembly will cause
> >> >   buffer overflow if the full 64-bit register is used as the 32-bit
> >>
> >> I think we generally describe the faulty behavior in the past tense
> >> (“When this happen*ed*, the string/memory functions written in assembly
> >> *would* cause *a* buffer overflow if the full 64-bit register was
> >> used”).  The first sentence is still current behavior, so it's okay.
> >
> > Like this?
> >
> >   CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
> >   32 bits of a 64-bit register with the non-zero upper 32 bits.  When
>
> “with non-zero upper 32 bits”
>
> >   it happened, the string/memory functions written in assembly would
> >   cause a buffer overflow if the full 64-bit register was used as the
>
> Hmm.  Maybe “because the full”?
>
> >   32-bit size_t value.  Reported by H.J. Lu.
>
> Rest of this descriptions looks okay to me.  (Not a native speaker.)
>

Now it has:

  CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
  32 bits of a 64-bit register with with non-zero upper 32 bit.  When it
  happened, the string/memory functions written in assembly would cause a
  buffer overflow because the full 64-bit register was used as the 32-bit
  size_t value.  Reported by H.J. Lu.

Thanks.

-- 
H.J.

Follow-Ups:
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: Rical Jasan

References:
- [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: Florian Weimer
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: Florian Weimer
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: Florian Weimer
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: H.J. Lu
- Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
  - From: Florian Weimer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]