This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.
Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]
GNU C Library master sources branch master updated. glibc-2.28.9000-576-gc7c54f6

From: hjl at sourceware dot org
To: glibc-cvs at sourceware dot org
Date: 21 Jan 2019 19:35:45 -0000
Subject: GNU C Library master sources branch master updated. glibc-2.28.9000-576-gc7c54f6
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  c7c54f65b080affb87a1513dee449c8ad6143c8b (commit)
      from  ee915088a0231cd421054dbd8abab7aadf331153 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c7c54f65b080affb87a1513dee449c8ad6143c8b

commit c7c54f65b080affb87a1513dee449c8ad6143c8b
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 21 11:35:18 2019 -0800

    x86-64 strncpy: Properly handle the length parameter [BZ# 24097]
    
    On x32, the size_t parameter may be passed in the lower 32 bits of a
    64-bit register with the non-zero upper 32 bits.  The string/memory
    functions written in assembly can only use the lower 32 bits of a
    64-bit register as length or must clear the upper 32 bits before using
    the full 64-bit register for length.
    
    This pach fixes strncpy for x32.  Tested on x86-64 and x32.  On x86-64,
    libc.so is the same with and withou the fix.
    
    	[BZ# 24097]
    	CVE-2019-6488
    	* sysdeps/x86_64/multiarch/strcpy-avx2.S: Use RDX_LP for length.
    	* sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: Likewise.
    	* sysdeps/x86_64/multiarch/strcpy-ssse3.S: Likewise.
    	* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-strncpy.
    	* sysdeps/x86_64/x32/tst-size_t-strncpy.c: New file.

diff --git a/ChangeLog b/ChangeLog
index 7be0a2e..a0412f7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,16 @@
 
 	[BZ# 24097]
 	CVE-2019-6488
+	* sysdeps/x86_64/multiarch/strcpy-avx2.S: Use RDX_LP for length.
+	* sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: Likewise.
+	* sysdeps/x86_64/multiarch/strcpy-ssse3.S: Likewise.
+	* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-strncpy.
+	* sysdeps/x86_64/x32/tst-size_t-strncpy.c: New file.
+
+2019-01-21  H.J. Lu  <hongjiu.lu@intel.com>
+
+	[BZ# 24097]
+	CVE-2019-6488
 	* sysdeps/x86_64/multiarch/strcmp-avx2.S: Use RDX_LP for length.
 	* sysdeps/x86_64/multiarch/strcmp-sse42.S: Likewise.
 	* sysdeps/x86_64/strcmp.S: Likewise.
diff --git a/sysdeps/x86_64/multiarch/strcpy-avx2.S b/sysdeps/x86_64/multiarch/strcpy-avx2.S
index 81677f9..e72a0ca 100644
--- a/sysdeps/x86_64/multiarch/strcpy-avx2.S
+++ b/sysdeps/x86_64/multiarch/strcpy-avx2.S
@@ -49,8 +49,8 @@
 	.section .text.avx,"ax",@progbits
 ENTRY (STRCPY)
 #  ifdef USE_AS_STRNCPY
-	mov	%rdx, %r8
-	test	%r8, %r8
+	mov	%RDX_LP, %R8_LP
+	test	%R8_LP, %R8_LP
 	jz	L(ExitZero)
 #  endif
 	mov	%rsi, %rcx
diff --git a/sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S b/sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S
index b7c7997..0d6914e 100644
--- a/sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S
+++ b/sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S
@@ -40,8 +40,8 @@
 .text
 ENTRY (STRCPY)
 #  ifdef USE_AS_STRNCPY
-	mov	%rdx, %r8
-	test	%r8, %r8
+	mov	%RDX_LP, %R8_LP
+	test	%R8_LP, %R8_LP
 	jz	L(ExitZero)
 #  endif
 	mov	%rsi, %rcx
diff --git a/sysdeps/x86_64/multiarch/strcpy-ssse3.S b/sysdeps/x86_64/multiarch/strcpy-ssse3.S
index ec53f2a..39e6ad7 100644
--- a/sysdeps/x86_64/multiarch/strcpy-ssse3.S
+++ b/sysdeps/x86_64/multiarch/strcpy-ssse3.S
@@ -31,13 +31,13 @@ ENTRY (STRCPY)
 
 	mov	%rsi, %rcx
 #  ifdef USE_AS_STRNCPY
-	mov	%rdx, %r8
+	mov	%RDX_LP, %R8_LP
 #  endif
 	mov	%rdi, %rdx
 #  ifdef USE_AS_STRNCPY
-	test	%r8, %r8
+	test	%R8_LP, %R8_LP
 	jz	L(Exit0)
-	cmp	$8, %r8
+	cmp	$8, %R8_LP
 	jbe	L(StrncpyExit8Bytes)
 # endif
 	cmpb	$0, (%rcx)
diff --git a/sysdeps/x86_64/x32/Makefile b/sysdeps/x86_64/x32/Makefile
index db30283..2a9e20a 100644
--- a/sysdeps/x86_64/x32/Makefile
+++ b/sysdeps/x86_64/x32/Makefile
@@ -8,7 +8,7 @@ endif
 ifeq ($(subdir),string)
 tests += tst-size_t-memchr tst-size_t-memcmp tst-size_t-memcpy \
 	 tst-size_t-memrchr tst-size_t-memset tst-size_t-strncasecmp \
-	 tst-size_t-strncmp
+	 tst-size_t-strncmp tst-size_t-strncpy
 endif
 
 ifeq ($(subdir),wcsmbs)
diff --git a/sysdeps/x86_64/x32/tst-size_t-strncpy.c b/sysdeps/x86_64/x32/tst-size_t-strncpy.c
new file mode 100644
index 0000000..4dec71e
--- /dev/null
+++ b/sysdeps/x86_64/x32/tst-size_t-strncpy.c
@@ -0,0 +1,58 @@
+/* Test strncpy with size_t in the lower 32 bits of 64-bit register.
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#define TEST_NAME "strncpy"
+#include "test-size_t.h"
+
+IMPL (strncpy, 1)
+
+typedef char *(*proto_t) (char *, const char*, size_t);
+
+static void *
+__attribute__ ((noinline, noclone))
+do_strncpy (parameter_t a, parameter_t b)
+{
+  return CALL (&b, a.p, b.p, a.len);
+}
+
+static int
+test_main (void)
+{
+  test_init ();
+
+  parameter_t dest = { { page_size }, buf1 };
+  parameter_t src = { { 0 }, buf2 };
+
+  int ret = 0;
+  FOR_EACH_IMPL (impl, 0)
+    {
+      src.fn = impl->fn;
+      do_strncpy (dest, src);
+      int res = strncmp (dest.p, src.p, dest.len);
+      if (res)
+	{
+	  error (0, 0, "Wrong result in function %s: %i != 0",
+		 impl->name, res);
+	  ret = 1;
+	}
+    }
+
+  return ret ? EXIT_FAILURE : EXIT_SUCCESS;
+}
+
+#include <support/test-driver.c>

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   10 ++++++++++
 sysdeps/x86_64/multiarch/strcpy-avx2.S             |    4 ++--
 sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S   |    4 ++--
 sysdeps/x86_64/multiarch/strcpy-ssse3.S            |    6 +++---
 sysdeps/x86_64/x32/Makefile                        |    2 +-
 .../{tst-size_t-memcpy.c => tst-size_t-strncpy.c}  |   14 +++++++-------
 6 files changed, 25 insertions(+), 15 deletions(-)
 copy sysdeps/x86_64/x32/{tst-size_t-memcpy.c => tst-size_t-strncpy.c} (81%)


hooks/post-receive
-- 
GNU C Library master sources
Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]