From: Andreas Schwab Date: Tue, 22 May 2018 08:37:59 +0000 (+0200) Subject: Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b501c7b09eb941dc7ff21f9939c322d2c9c32ec0;p=thirdparty%2Fglibc.git Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196) When compiled as mempcpy, the return value is the end of the destination buffer, thus it cannot be used to refer to the start of it. (cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e) --- diff --git a/ChangeLog b/ChangeLog index 699e8e510ed..f650db1d59a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2018-05-23 Andreas Schwab + + [BZ #23196] + CVE-2018-11237 + * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S + (L(preloop_large)): Save initial destination pointer in %r11 and + use it instead of %rax after the loop. + * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. + 2018-05-09 Paul Pluzhnikov [BZ #22786] diff --git a/NEWS b/NEWS index 0ff775e578f..7e1859b78ef 100644 --- a/NEWS +++ b/NEWS @@ -65,6 +65,8 @@ The following bugs are resolved with this release: [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE [22786] libc: Stack buffer overflow in realpath() if input size is close to SSIZE_MAX (CVE-2018-11236) + [23196] string: __mempcpy_avx512_no_vzeroupper mishandles large copies + (CVE-2018-11237) Version 2.24 diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c index f4969c24a5b..d1802308a1b 100644 --- a/string/test-mempcpy.c +++ b/string/test-mempcpy.c @@ -18,6 +18,7 @@ . */ #define MEMCPY_RESULT(dst, len) (dst) + (len) +#define MIN_PAGE_SIZE 131072 #define TEST_MAIN #define TEST_NAME "mempcpy" #include "test-string.h" diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S index 664b74de491..90ac9eaff45 100644 --- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S @@ -340,6 +340,7 @@ L(preloop_large): vmovups (%rsi), %zmm4 vmovups 0x40(%rsi), %zmm5 + mov %rdi, %r11 /* Align destination for access with non-temporal stores in the loop. */ mov %rdi, %r8 and $-0x80, %rdi @@ -370,8 +371,8 @@ L(gobble_256bytes_nt_loop): cmp $256, %rdx ja L(gobble_256bytes_nt_loop) sfence - vmovups %zmm4, (%rax) - vmovups %zmm5, 0x40(%rax) + vmovups %zmm4, (%r11) + vmovups %zmm5, 0x40(%r11) jmp L(check) L(preloop_large_bkw):