mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-02 13:29:49 +00:00
Code Issues Projects Releases Wiki Activity

glibc: fix CVE-2018-11237

Browse Source 
glibc: fix CVE-2018-11237

(From OE-Core rev: b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7)

(From OE-Core rev: 361c40d4bea101875747eac9c8cc46e92ced173f)

Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Zheng Ruoqin
2018-06-26 13:44:17 +08:00
committed by Richard Purdie
parent a36165011e
commit 3b8dc3a88e
2 changed files with 83 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-core/glibc/glibc/CVE-2018-11237.patch
+82
View File
@@ -0,0 +1,82 @@
From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Tue, 22 May 2018 10:37:59 +0200
Subject: [PATCH] Don't write beyond destination in
__mempcpy_avx512_no_vzeroupper (bug 23196)
When compiled as mempcpy, the return value is the end of the destination
buffer, thus it cannot be used to refer to the start of it.
2018-05-23 Andreas Schwab <schwab@suse.de>
[BZ #23196]
CVE-2018-11237
* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
(L(preloop_large)): Save initial destination pointer in %r11 and
use it instead of %rax after the loop.
* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
CVE: CVE-2018-11237
Upstream-Status: Backport
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
---
ChangeLog | 9 +++++++++
string/test-mempcpy.c | 1 +
sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index fa0a07c..bc09dec 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2018-05-23 Andreas Schwab <schwab@suse.de>
+
+ [BZ #23196]
+ CVE-2018-11237
+ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+ (L(preloop_large)): Save initial destination pointer in %r11 and
+ use it instead of %rax after the loop.
+ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #22786]
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
index c08fba8..d98ecdd 100644
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
<http://www.gnu.org/licenses/>. */
#define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
#define TEST_MAIN
#define TEST_NAME "mempcpy"
#include "test-string.h"
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
index 23c0f7a..a55cf6f 100644
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -335,6 +335,7 @@ L(preloop_large):
ja L(preloop_large_bkw)
vmovups (%rsi), %zmm4
vmovups 0x40(%rsi), %zmm5
+ mov %rdi, %r11
/* Align destination for access with non-temporal stores in the loop. */
mov %rdi, %r8
@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
cmp $256, %rdx
ja L(gobble_256bytes_nt_loop)
sfence
- vmovups %zmm4, (%rax)
- vmovups %zmm5, 0x40(%rax)
+ vmovups %zmm4, (%r11)
+ vmovups %zmm5, 0x40(%r11)
jmp L(check)
L(preloop_large_bkw):
--
2.7.4
meta/recipes-core/glibc/glibc_2.27.bb
+1
View File
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0030-plural_c_no_preprocessor_lines.patch \ file://0030-plural_c_no_preprocessor_lines.patch \
file://CVE-2017-18269.patch \ file://CVE-2017-18269.patch \
file://CVE-2018-11236.patch \ file://CVE-2018-11236.patch \
file://CVE-2018-11237.patch \
" "
NATIVESDKFIXES ?= "" NATIVESDKFIXES ?= ""