This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]


* Rical Jasan:

> On 01/18/2019 12:47 PM, H.J. Lu wrote:
>> Now it has:
>> 
>>   CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
>>   32 bits of a 64-bit register with with non-zero upper 32 bit.  When it
>>   happened, the string/memory functions written in assembly would cause a
>>   buffer overflow because the full 64-bit register was used as the 32-bit
>>   size_t value.  Reported by H.J. Lu.
>
> How about:
>
> CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
> 32 bits of a 64-bit register with non-zero upper 32 bits, causing a
> buffer overflow in string and memory functions written in assembly when
> the full 64-bit register was used as the 32-bit size_t value.

The problem is not the first part (the undefined upper half of the
register, that's part of the ABI).  It's that the string functions did
not account for this ABI property.

Thanks,
Florian
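
Added example (not part of this thread and not glibc code): a C model of the ABI property described above, contrasting a routine that takes the whole 64-bit register as the length with one that uses only the low 32 bits. The memchr-style search, the function names, the arena layout and the register value are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On x32 size_t is 32 bits wide but is passed in a 64-bit register whose
   upper half is undefined.  `reg` models that register. */
static uint64_t len_full_register(uint64_t reg) { return reg; }       /* bug */
static uint64_t len_low_32(uint64_t reg) { return (uint32_t)reg; }    /* fix */

/* match_off: offset of the match or -1; past_object: match beyond caller's n */
struct scan_result { long match_off; int past_object; };

/* memchr-style search.  `derive` turns the register into a length.  The
   scan is clamped to the arena so the model itself stays in bounds. */
static struct scan_result model_search(const unsigned char *arena,
                                       size_t arena_size, int c, uint64_t reg,
                                       uint64_t (*derive)(uint64_t))
{
    uint64_t len = derive(reg);
    uint64_t limit = len < arena_size ? len : arena_size;
    struct scan_result r = { -1, 0 };
    for (uint64_t i = 0; i < limit; i++) {
        if (arena[i] == (unsigned char)c) {
            r.match_off = (long)i;
            r.past_object = i >= (uint32_t)reg;  /* n the caller asked for */
            break;
        }
    }
    return r;
}

/* Constructed input: an 8-byte object at the start of a 32-byte arena, with
   a 'Z' at offset 20, and a register holding n = 8 under stale upper bits. */
static struct scan_result run_model(int use_fix)
{
    unsigned char arena[32];
    memset(arena, 'A', sizeof arena);
    arena[20] = 'Z';
    uint64_t reg = 0xdeadbeef00000008ULL;
    return model_search(arena, sizeof arena, 'Z', reg,
                        use_fix ? len_low_32 : len_full_register);
}

int main(void)
{
    struct scan_result bug = run_model(0), fix = run_model(1);
    printf("full register: match=%ld past_object=%d\n", bug.match_off, bug.past_object);
    printf("low 32 bits:   match=%ld past_object=%d\n", fix.match_off, fix.past_object);
    return 0;
}
```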

