
List:       glibc-cvs
Subject:    GNU C Library master sources branch release/2.26/master updated. glibc-2.26-158-g58ad5f8
From:       fw () sourceware ! org
Date:       2018-05-24 14:13:17
Message-ID: 20180524141317.12441.qmail () sourceware ! org

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.26/master has been updated
       via  58ad5f8a646338b2ee3f2136336dcf731e97ab4d (commit)
       via  6b4362f2cbb6ef6e265d9f216f3c13d84405a1c0 (commit)
      from  af7519f7b35024224c163e32a89fb247b0c446fc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=58ad5f8a646338b2ee3f2136336dcf731e97ab4d


commit 58ad5f8a646338b2ee3f2136336dcf731e97ab4d
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed May 23 03:59:56 2018 -0700

    Add a test case for [BZ #23196]
    
    	[BZ #23196]
    	* string/test-memcpy.c (do_test1): New function.
    	(test_main): Call it.
    
    (cherry picked from commit ed983107bbc62245b06b99f02e69acf36a0baa3e)

diff --git a/ChangeLog b/ChangeLog
index e956dd3..41b4dae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2018-05-23  H.J. Lu  <hongjiu.lu@intel.com>
+
+	[BZ #23196]
+	* string/test-memcpy.c (do_test1): New function.
+	(test_main): Call it.
+
 2018-05-23  Andreas Schwab  <schwab@suse.de>
 
 	[BZ #23196]
diff --git a/string/test-memcpy.c b/string/test-memcpy.c
index 49f0a76..dfc94b2 100644
--- a/string/test-memcpy.c
+++ b/string/test-memcpy.c
@@ -212,6 +212,50 @@ do_random_tests (void)
     }
 }
 
+static void
+do_test1 (void)
+{
+  size_t size = 0x100000;
+  void *large_buf;
+
+  large_buf = mmap (NULL, size * 2 + page_size, PROT_READ | PROT_WRITE,
+		    MAP_PRIVATE | MAP_ANON, -1, 0);
+  if (large_buf == MAP_FAILED)
+    {
+      puts ("Failed to allocat large_buf, skipping do_test1");
+      return;
+    }
+
+  if (mprotect (large_buf + size, page_size, PROT_NONE))
+    error (EXIT_FAILURE, errno, "mprotect failed");
+
+  size_t arrary_size = size / sizeof (uint32_t);
+  uint32_t *dest = large_buf;
+  uint32_t *src = large_buf + size + page_size;
+  size_t i;
+
+  for (i = 0; i < arrary_size; i++)
+    src[i] = (uint32_t) i;
+
+  FOR_EACH_IMPL (impl, 0)
+    {
+      memset (dest, -1, size);
+      CALL (impl, (char *) dest, (char *) src, size);
+      for (i = 0; i < arrary_size; i++)
+	if (dest[i] != src[i])
+	  {
+	    error (0, 0,
+		   "Wrong result in function %s dst \"%p\" src \"%p\" offset \"%zd\"",
+		   impl->name, dest, src, i);
+	    ret = 1;
+	    break;
+	  }
+    }
+
+  munmap ((void *) dest, size);
+  munmap ((void *) src, size);
+}
+
 int
 test_main (void)
 {
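Review bot: The two `munmap` calls at the end of do_test1 release only the two `size`-byte halves, so the PROT_NONE guard page at `large_buf + size` stays mapped; `munmap (large_buf, size * 2 + page_size);` would release the whole mapping in one call. The error message prints `i`, a size_t, with `%zd`, where `%zu` matches the type. The skip message misspells "allocate" and the local `arrary_size` looks like a typo for `array_size`. A comment above the `mprotect` call, e.g. `/* Guard page directly after dest: any write past the destination faults.  */`, would record why the buffers are laid out this way.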
@@ -253,6 +297,9 @@ test_main (void)
   do_test (0, 0, getpagesize ());
 
   do_random_tests ();
+
+  do_test1 ();
+
   return ret;
 }
 

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6b4362f2cbb6ef6e265d9f216f3c13d84405a1c0


commit 6b4362f2cbb6ef6e265d9f216f3c13d84405a1c0
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu May 24 14:39:18 2018 +0200

    Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196)
    
    When compiled as mempcpy, the return value is the end of the destination
    buffer, thus it cannot be used to refer to the start of it.
    
    (cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e)

diff --git a/ChangeLog b/ChangeLog
index f92be13..e956dd3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2018-05-23  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #23196]
+	CVE-2018-11237
+	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+	(L(preloop_large)): Save initial destination pointer in %r11 and
+	use it instead of %rax after the loop.
+	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
 2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
 
 	[BZ #22786]
diff --git a/NEWS b/NEWS
index d5daa3a..c3c6aff 100644
--- a/NEWS
+++ b/NEWS
@@ -71,6 +71,10 @@ Security related changes:
   the value of SIZE_MAX, would return a pointer to a buffer which is too
   small, instead of NULL.
 
+  CVE-2018-11237: The mempcpy implementation for the Intel Xeon Phi
+  architecture could write beyond the target buffer, resulting in a buffer
+  overflow.  Reported by Andreas Schwab.
+
 The following bugs are resolved with this release:
 
   [16750] ldd: Never run file directly.
@@ -128,6 +132,7 @@ The following bugs are resolved with this release:
   [23024] getlogin_r: return early when linux sentinel value is set
   [23037] resolv: Fully initialize struct mmsghdr in send_dg
   [23137] s390: Fix blocking pthread_join
+  [23196] __mempcpy_avx512_no_vzeroupper mishandles large copies
 
 Version 2.26
 
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
index 364a811..ec11c9f 100644
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
    <http://www.gnu.org/licenses/>.  */
 
 #define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
 #define TEST_MAIN
 #define TEST_NAME "mempcpy"
 #include "test-string.h"
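Review bot: The new `#define MIN_PAGE_SIZE 131072` is a bare number with no explanation of why this test needs it. The ChangeLog ties it to BZ #23196, so presumably it enlarges the test buffers so that the copies reach the large-copy path; a comment such as `/* Use buffers big enough to exercise the large-copy code path (BZ #23196).  */` would keep a later cleanup from dropping it. How test-string.h consumes the macro is not visible in this hunk, so confirm the wording against that header.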
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S \
b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S index f3ef105..ae84ddc \
                100644
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -340,6 +340,7 @@ L(preloop_large):
 	vmovups	(%rsi), %zmm4
 	vmovups	0x40(%rsi), %zmm5
 
+	mov	%rdi, %r11
 /* Align destination for access with non-temporal stores in the loop.  */
 	mov	%rdi, %r8
 	and	$-0x80, %rdi
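Review bot: The added `mov %rdi, %r11` carries no comment, and the comment on the line after it describes the alignment step rather than the save. Something like `/* Save the unaligned destination start; %rax is the end of the buffer when built as mempcpy.  */` above it would record why %rax cannot be used for the head stores after the loop. The loop body lies outside this hunk, so it is worth confirming that nothing between this instruction and the `sfence` writes %r11.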
@@ -370,8 +371,8 @@ L(gobble_256bytes_nt_loop):
 	cmp	$256, %rdx
 	ja	L(gobble_256bytes_nt_loop)
 	sfence
-	vmovups	%zmm4, (%rax)
-	vmovups	%zmm5, 0x40(%rax)
+	vmovups	%zmm4, (%r11)
+	vmovups	%zmm5, 0x40(%r11)
 	jmp	L(check)
 
 L(preloop_large_bkw):
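Review bot: Only the forward large-copy path is changed to store the saved head vectors through %r11; the backward path that begins at `L(preloop_large_bkw)` lies outside this hunk and is not touched by the commit. If that path also addresses the destination through %rax after its loop, the same write past the destination would apply when the file is built as mempcpy, so it should be checked that it uses a register derived from the original %rdi. The new test in string/test-memcpy.c uses separate source and destination buffers, so whether it reaches the backward path cannot be told from this page.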

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   15 ++++++
 NEWS                                               |    5 ++
 string/test-memcpy.c                               |   47 ++++++++++++++++++++
 string/test-mempcpy.c                              |    1 +
 .../multiarch/memmove-avx512-no-vzeroupper.S       |    5 +-
 5 files changed, 71 insertions(+), 2 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

