git.ipfire.org Git - thirdparty/glibc.git/commit

author	H.J. Lu <hjl.tools@gmail.com>
	Fri, 1 Feb 2019 20:21:41 +0000 (12:21 -0800)
committer	H.J. Lu <hjl.tools@gmail.com>
	Fri, 1 Feb 2019 20:21:50 +0000 (12:21 -0800)
commit	17fc7debccbf7efeaead08073b5ae23ba5197a43
tree	c4a201715d7f7583cf94ce3bcb36af23fe018337	tree
parent	eee0a3d04b8226abd8a6ca077094afbb3559dddb	commit \| diff

x86-64 memset/wmemset: Properly handle the length parameter [BZ #24097]

On x32, the size_t parameter may be passed in the lower 32 bits of a
64-bit register with the non-zero upper 32 bits.  The string/memory
functions written in assembly can only use the lower 32 bits of a
64-bit register as length or must clear the upper 32 bits before using
the full 64-bit register for length.

This pach fixes memset/wmemset for x32.  Tested on x86-64 and x32.  On
x86-64, libc.so is the same with and withou the fix.

[BZ #24097]
CVE-2019-6488
* sysdeps/x86_64/multiarch/memset-avx512-no-vzeroupper.S: Use
RDX_LP for length.  Clear the upper 32 bits of RDX register.
* sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S: Likewise.
* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-wmemset.
* sysdeps/x86_64/x32/tst-size_t-memset.c: New file.
* sysdeps/x86_64/x32/tst-size_t-wmemset.c: Likewise.

(cherry picked from commit 82d0b4a4d76db554eb6757acb790fcea30b19965)

ChangeLog		diff \| blob \| blame \| history
sysdeps/x86_64/multiarch/memset-avx512-no-vzeroupper.S		diff \| blob \| blame \| history
sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S		diff \| blob \| blame \| history
sysdeps/x86_64/x32/Makefile		diff \| blob \| blame \| history
sysdeps/x86_64/x32/tst-size_t-memset.c	[new file with mode: 0644]	blob
sysdeps/x86_64/x32/tst-size_t-wmemset.c	[new file with mode: 0644]	blob