This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
On Sat, Jan 19, 2019 at 2:38 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * Rical Jasan:
>
> > On 01/18/2019 12:47 PM, H.J. Lu wrote:
> >> Now it has:
> >>
> >> CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
> >> 32 bits of a 64-bit register with with non-zero upper 32 bit. When it
> >> happened, the string/memory functions written in assembly would cause a
> >> buffer overflow because the full 64-bit register was used as the 32-bit
> >> size_t value. Reported by H.J. Lu.
> >
> > How about:
> >
> > CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
> > 32 bits of a 64-bit register with non-zero upper 32 bits, causing a
> > buffer overflow in string and memory functions written in assembly when
> > the full 64-bit register was used as the 32-bit size_t value.
>
> The problem is not the first part (the undefined upper half of the
> register, that's part of the ABI). It's that the string functions did
> not account for this ABI property.
>
How about this one?
CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
32 bits of a 64-bit register with with non-zero upper 32 bit. When it
happened, accessing the 32-bit size_t value as the full 64-bit register
in the assembly string/memory functions would cause a buffer overflow.
Reported by H.J. Lu.
--
H.J.