1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Tue, 22 May 2018 10:37:59 +0200
Subject: [PATCH] Don't write beyond destination in
__mempcpy_avx512_no_vzeroupper (bug 23196)
When compiled as mempcpy, the return value is the end of the destination
buffer, thus it cannot be used to refer to the start of it.
2018-05-23 Andreas Schwab <schwab@suse.de>
[BZ #23196]
CVE-2018-11237
* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
(L(preloop_large)): Save initial destination pointer in %r11 and
use it instead of %rax after the loop.
* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
CVE: CVE-2018-11237
Upstream-Status: Backport
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
---
ChangeLog | 9 +++++++++
string/test-mempcpy.c | 1 +
sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index fa0a07c..bc09dec 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2018-05-23 Andreas Schwab <schwab@suse.de>
+
+ [BZ #23196]
+ CVE-2018-11237
+ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+ (L(preloop_large)): Save initial destination pointer in %r11 and
+ use it instead of %rax after the loop.
+ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #22786]
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
index c08fba8..d98ecdd 100644
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
<http://www.gnu.org/licenses/>. */
#define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
#define TEST_MAIN
#define TEST_NAME "mempcpy"
#include "test-string.h"
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
index 23c0f7a..a55cf6f 100644
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -335,6 +335,7 @@ L(preloop_large):
ja L(preloop_large_bkw)
vmovups (%rsi), %zmm4
vmovups 0x40(%rsi), %zmm5
+ mov %rdi, %r11
/* Align destination for access with non-temporal stores in the loop. */
mov %rdi, %r8
@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
cmp $256, %rdx
ja L(gobble_256bytes_nt_loop)
sfence
- vmovups %zmm4, (%rax)
- vmovups %zmm5, 0x40(%rax)
+ vmovups %zmm4, (%r11)
+ vmovups %zmm5, 0x40(%r11)
jmp L(check)
L(preloop_large_bkw):
--
2.7.4
|
