This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

GNU C Library master sources branch release/2.24/master updated. glibc-2.24-93-g659b3df


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.24/master has been updated
       via  659b3df5db97948f4c6042203163873fb96ec512 (commit)
       via  b501c7b09eb941dc7ff21f9939c322d2c9c32ec0 (commit)
       via  ff52a12250bd381aaef91edc0269f6e3e79d20ac (commit)
       via  3f949b03473b4ca8b8e69a4e540511dfee39e493 (commit)
      from  682f24d0f3995689f407dee842002099d3604586 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=659b3df5db97948f4c6042203163873fb96ec512

commit 659b3df5db97948f4c6042203163873fb96ec512
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu May 24 12:19:11 2018 +0200

    Add references to CVE-2017-18269, CVE-2018-11236, CVE-2018-11237
    
    (cherry picked from commit 43d4f3d5ad94e1fa5e56d7a7200d0e9f3d8e2f02)

diff --git a/ChangeLog b/ChangeLog
index f650db1..988615f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,7 @@
 2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
 
 	[BZ #22786]
+	CVE-2018-11236
 	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
 	computation.
 	* stdlib/Makefile (test-bz22786): New test.
@@ -19,6 +20,7 @@
 	    Max Horn  <max@quendi.de>
 
 	[BZ #22644]
+	CVE-2017-18269
 	* sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed
 	branch conditions.
 	* string/test-memmove.c (do_test2): New testcase.
diff --git a/NEWS b/NEWS
index 7e1859b..13ac8dd 100644
--- a/NEWS
+++ b/NEWS
@@ -49,6 +49,17 @@ Security related changes:
   for AT_SECURE or SUID binaries could be used to load libraries from the
   current directory.
 
+  CVE-2017-18269: An SSE2-based memmove implementation for the i386
+  architecture could corrupt memory.  Reported by Max Horn.
+
+  CVE-2018-11236: Very long pathname arguments to realpath function could
+  result in an integer overflow and buffer overflow.  Reported by Alexey
+  Izbyshev.
+
+  CVE-2018-11237: The mempcpy implementation for the Intel Xeon Phi
+  architecture could write beyond the target buffer, resulting in a buffer
+  overflow.  Reported by Andreas Schwab.
+
 The following bugs are resolved with this release:
 
   [20790] Fix rpcgen buffer overrun

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=b501c7b09eb941dc7ff21f9939c322d2c9c32ec0

commit b501c7b09eb941dc7ff21f9939c322d2c9c32ec0
Author: Andreas Schwab <schwab@suse.de>
Date:   Tue May 22 10:37:59 2018 +0200

    Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196)
    
    When compiled as mempcpy, the return value is the end of the destination
    buffer, thus it cannot be used to refer to the start of it.
    
    (cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e)

diff --git a/ChangeLog b/ChangeLog
index 699e8e5..f650db1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2018-05-23  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #23196]
+	CVE-2018-11237
+	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+	(L(preloop_large)): Save initial destination pointer in %r11 and
+	use it instead of %rax after the loop.
+	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
 2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
 
 	[BZ #22786]
diff --git a/NEWS b/NEWS
index 0ff775e..7e1859b 100644
--- a/NEWS
+++ b/NEWS
@@ -65,6 +65,8 @@ The following bugs are resolved with this release:
   [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE
   [22786] libc: Stack buffer overflow in realpath() if input size is close
     to SSIZE_MAX (CVE-2018-11236)
+  [23196] string: __mempcpy_avx512_no_vzeroupper mishandles large copies
+    (CVE-2018-11237)
 
 Version 2.24
 
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
index f4969c2..d180230 100644
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
    <http://www.gnu.org/licenses/>.  */
 
 #define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
 #define TEST_MAIN
 #define TEST_NAME "mempcpy"
 #include "test-string.h"
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
index 664b74d..90ac9ea 100644
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -340,6 +340,7 @@ L(preloop_large):
 	vmovups	(%rsi), %zmm4
 	vmovups	0x40(%rsi), %zmm5
 
+	mov	%rdi, %r11
 /* Align destination for access with non-temporal stores in the loop.  */
 	mov	%rdi, %r8
 	and	$-0x80, %rdi
@@ -370,8 +371,8 @@ L(gobble_256bytes_nt_loop):
 	cmp	$256, %rdx
 	ja	L(gobble_256bytes_nt_loop)
 	sfence
-	vmovups	%zmm4, (%rax)
-	vmovups	%zmm5, 0x40(%rax)
+	vmovups	%zmm4, (%r11)
+	vmovups	%zmm5, 0x40(%r11)
 	jmp	L(check)
 
 L(preloop_large_bkw):

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ff52a12250bd381aaef91edc0269f6e3e79d20ac

commit ff52a12250bd381aaef91edc0269f6e3e79d20ac
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Tue May 8 18:12:41 2018 -0700

    Fix BZ 22786: integer addition overflow may cause stack buffer overflow
    when realpath() input length is close to SSIZE_MAX.
    
    2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
    
    	[BZ #22786]
    	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
    	computation.
    	* stdlib/Makefile (test-bz22786): New test.
    	* stdlib/test-bz22786.c: New test.
    
    (cherry picked from commit 5460617d1567657621107d895ee2dd83bc1f88f2)

diff --git a/ChangeLog b/ChangeLog
index 63813de..699e8e5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #22786]
+	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
+	computation.
+	* stdlib/Makefile (test-bz22786): New test.
+	* stdlib/test-bz22786.c: New test.
+
 2018-03-23  Andrew Senkevich  <andrew.senkevich@intel.com>
 	    Max Horn  <max@quendi.de>
 
diff --git a/NEWS b/NEWS
index 77f7f1a..0ff775e 100644
--- a/NEWS
+++ b/NEWS
@@ -63,6 +63,8 @@ The following bugs are resolved with this release:
   [22644] string: memmove-sse2-unaligned on 32bit x86 produces garbage when
     crossing 2GB threshold (CVE-2017-18269)
   [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE
+  [22786] libc: Stack buffer overflow in realpath() if input size is close
+    to SSIZE_MAX (CVE-2018-11236)
 
 Version 2.24
 
diff --git a/stdlib/Makefile b/stdlib/Makefile
index fc6f23d..23f2d6e 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -77,7 +77,7 @@ tests		:= tst-strtol tst-strtod testmb testrand testsort testdiv   \
 		   tst-tininess tst-strtod-underflow tst-tls-atexit	    \
 		   tst-setcontext3 tst-tls-atexit-nodelete		    \
 		   tst-strtol-locale tst-strtod-nan-locale tst-strfmon_l    \
-		   tst-quick_exit tst-thread-quick_exit
+		   tst-quick_exit tst-thread-quick_exit test-bz22786
 tests-static	:= tst-secure-getenv
 ifeq ($(have-cxx-thread_local),yes)
 CFLAGS-tst-quick_exit.o = -std=c++11
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index 58bb8de..59a7b94 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
 		extra_buf = __alloca (path_max);
 
 	      len = strlen (end);
-	      if ((long int) (n + len) >= path_max)
+	      if (path_max - n <= len)
 		{
 		  __set_errno (ENAMETOOLONG);
 		  goto error;
diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c
new file mode 100644
index 0000000..e445034
--- /dev/null
+++ b/stdlib/test-bz22786.c
@@ -0,0 +1,90 @@
+/* Bug 22786: test for buffer overflow in realpath.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* This file must be run from within a directory called "stdlib".  */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <support/test-driver.h>
+#include <libc-internal.h>
+
+static int
+do_test (void)
+{
+  const char dir[] = "bz22786";
+  const char lnk[] = "bz22786/symlink";
+
+  rmdir (dir);
+  if (mkdir (dir, 0755) != 0 && errno != EEXIST)
+    {
+      printf ("mkdir %s: %m\n", dir);
+      return EXIT_FAILURE;
+    }
+  if (symlink (".", lnk) != 0 && errno != EEXIST)
+    {
+      printf ("symlink (%s, %s): %m\n", dir, lnk);
+      return EXIT_FAILURE;
+    }
+
+  const size_t path_len = (size_t) INT_MAX + 1;
+
+  DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+  /* GCC 7 warns about too-large allocations; here we need such
+     allocation to succeed for the test to work.  */
+  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+#endif
+  char *path = malloc (path_len);
+  DIAG_POP_NEEDS_COMMENT;
+
+  if (path == NULL)
+    {
+      printf ("malloc (%zu): %m\n", path_len);
+      return EXIT_UNSUPPORTED;
+    }
+
+  /* Construct very long path = "bz22786/symlink/aaaa....."  */
+  char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
+  *(p++) = '/';
+  memset (p, 'a', path_len - (path - p) - 2);
+  p[path_len - (path - p) - 1] = '\0';
+
+  /* This call crashes before the fix for bz22786 on 32-bit platforms.  */
+  p = realpath (path, NULL);
+
+  if (p != NULL || errno != ENAMETOOLONG)
+    {
+      printf ("realpath: %s (%m)", p);
+      return EXIT_FAILURE;
+    }
+
+  /* Cleanup.  */
+  unlink (lnk);
+  rmdir (dir);
+
+  return 0;
+}
+
+#define TEST_FUNCTION do_test
+#include <support/test-driver.c>

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3f949b03473b4ca8b8e69a4e540511dfee39e493

commit 3f949b03473b4ca8b8e69a4e540511dfee39e493
Author: Andrew Senkevich <andrew.n.senkevich@gmail.com>
Date:   Fri Mar 23 16:19:45 2018 +0100

    Fix i386 memmove issue (bug 22644).
    
    	[BZ #22644]
    	* sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed
    	branch conditions.
    	* string/test-memmove.c (do_test2): New testcase.
    
    (cherry picked from commit cd66c0e584c6d692bc8347b5e72723d02b8a8ada)

diff --git a/ChangeLog b/ChangeLog
index 3305107..63813de 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2018-03-23  Andrew Senkevich  <andrew.senkevich@intel.com>
+	    Max Horn  <max@quendi.de>
+
+	[BZ #22644]
+	* sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed
+	branch conditions.
+	* string/test-memmove.c (do_test2): New testcase.
+
 2018-09-06  Stefan Liebler  <stli@linux.ibm.com>
 
 	* sysdeps/unix/sysv/linux/spawni.c (maybe_script_execute):
diff --git a/NEWS b/NEWS
index d11dfe1..77f7f1a 100644
--- a/NEWS
+++ b/NEWS
@@ -60,6 +60,8 @@ The following bugs are resolved with this release:
   [21609] x86-64: Align the stack in __tls_get_addr
   [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366)
   [21654] nss: Fix invalid cast in group merging
+  [22644] string: memmove-sse2-unaligned on 32bit x86 produces garbage when
+    crossing 2GB threshold (CVE-2017-18269)
   [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE
 
 Version 2.24
diff --git a/string/test-memmove.c b/string/test-memmove.c
index 4343329..f44c05d 100644
--- a/string/test-memmove.c
+++ b/string/test-memmove.c
@@ -245,6 +245,60 @@ do_random_tests (void)
     }
 }
 
+static void
+do_test2 (void)
+{
+  size_t size = 0x20000000;
+  uint32_t * large_buf;
+
+  large_buf = mmap ((void*) 0x70000000, size, PROT_READ | PROT_WRITE,
+		    MAP_PRIVATE | MAP_ANON, -1, 0);
+
+  if (large_buf == MAP_FAILED)
+    error (77, errno, "Large mmap failed");
+
+  if ((uintptr_t) large_buf > 0x80000000 - 128
+      || 0x80000000 - (uintptr_t) large_buf > 0x20000000)
+    {
+      error (0, 0, "Large mmap allocated improperly");
+      ret = 77;
+      munmap ((void *) large_buf, size);
+      return;
+    }
+
+  size_t bytes_move = 0x80000000 - (uintptr_t) large_buf;
+  size_t arr_size = bytes_move / sizeof (uint32_t);
+  size_t i;
+
+  FOR_EACH_IMPL (impl, 0)
+    {
+      for (i = 0; i < arr_size; i++)
+        large_buf[i] = (uint32_t) i;
+
+      uint32_t * dst = &large_buf[33];
+
+#ifdef TEST_BCOPY
+      CALL (impl, (char *) large_buf, (char *) dst, bytes_move);
+#else
+      CALL (impl, (char *) dst, (char *) large_buf, bytes_move);
+#endif
+
+      for (i = 0; i < arr_size; i++)
+	{
+	  if (dst[i] != (uint32_t) i)
+	    {
+	      error (0, 0,
+		     "Wrong result in function %s dst \"%p\" src \"%p\" offset \"%zd\"",
+		     impl->name, dst, large_buf, i);
+	      ret = 1;
+	      break;
+	    }
+	}
+    }
+
+  munmap ((void *) large_buf, size);
+}
+
 int
 test_main (void)
 {
@@ -284,6 +338,9 @@ test_main (void)
     }
 
   do_random_tests ();
+
+  do_test2 ();
+
   return ret;
 }
 
diff --git a/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S b/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S
index 76f3429..bb26708 100644
--- a/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S
+++ b/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S
@@ -72,7 +72,7 @@ ENTRY (MEMCPY)
 	cmp	%edx, %eax
 
 # ifdef USE_AS_MEMMOVE
-	jg	L(check_forward)
+	ja	L(check_forward)
 
 L(mm_len_0_or_more_backward):
 /* Now do checks for lengths. We do [0..16], [16..32], [32..64], [64..128]
@@ -81,7 +81,7 @@ L(mm_len_0_or_more_backward):
 	jbe	L(mm_len_0_16_bytes_backward)
 
 	cmpl	$32, %ecx
-	jg	L(mm_len_32_or_more_backward)
+	ja	L(mm_len_32_or_more_backward)
 
 /* Copy [0..32] and return.  */
 	movdqu	(%eax), %xmm0
@@ -92,7 +92,7 @@ L(mm_len_0_or_more_backward):
 
 L(mm_len_32_or_more_backward):
 	cmpl	$64, %ecx
-	jg	L(mm_len_64_or_more_backward)
+	ja	L(mm_len_64_or_more_backward)
 
 /* Copy [0..64] and return.  */
 	movdqu	(%eax), %xmm0
@@ -107,7 +107,7 @@ L(mm_len_32_or_more_backward):
 
 L(mm_len_64_or_more_backward):
 	cmpl	$128, %ecx
-	jg	L(mm_len_128_or_more_backward)
+	ja	L(mm_len_128_or_more_backward)
 
 /* Copy [0..128] and return.  */
 	movdqu	(%eax), %xmm0
@@ -132,7 +132,7 @@ L(mm_len_128_or_more_backward):
 	add	%ecx, %eax
 	cmp	%edx, %eax
 	movl	SRC(%esp), %eax
-	jle	L(forward)
+	jbe	L(forward)
 	PUSH (%esi)
 	PUSH (%edi)
 	PUSH (%ebx)
@@ -269,7 +269,7 @@ L(check_forward):
 	add	%edx, %ecx
 	cmp	%eax, %ecx
 	movl	LEN(%esp), %ecx
-	jle	L(forward)
+	jbe	L(forward)
 
 /* Now do checks for lengths. We do [0..16], [0..32], [0..64], [0..128]
 	separately.  */

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   27 ++++++
 NEWS                                               |   17 ++++
 stdlib/Makefile                                    |    2 +-
 stdlib/canonicalize.c                              |    2 +-
 stdlib/test-bz22786.c                              |   90 ++++++++++++++++++++
 string/test-memmove.c                              |   57 ++++++++++++
 string/test-mempcpy.c                              |    1 +
 .../i386/i686/multiarch/memcpy-sse2-unaligned.S    |   12 ++--
 .../multiarch/memmove-avx512-no-vzeroupper.S       |    5 +-
 9 files changed, 203 insertions(+), 10 deletions(-)
 create mode 100644 stdlib/test-bz22786.c


hooks/post-receive
-- 
GNU C Library master sources


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]