diff options
author | Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> | 2018-06-26 13:44:17 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-06-28 09:22:35 +0100 |
commit | 1d2e5eed4095f0e1f458bfa1e086e39575cb3605 (patch) | |
tree | f7eda5f1b03305cda58070e447cd099e47abffb8 /meta/recipes-core/glibc/glibc | |
parent | ef143b3f16fea779422e5d4bd6213cb551aeaa8a (diff) | |
download | openembedded-core-contrib-1d2e5eed4095f0e1f458bfa1e086e39575cb3605.tar.gz |
glibc: fix CVE-2018-11237
glibc: fix CVE-2018-11237
(From OE-Core rev: b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/glibc/glibc')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2018-11237.patch | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch b/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch new file mode 100644 index 0000000000..632aa565e4 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch @@ -0,0 +1,82 @@ +From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001 +From: Andreas Schwab <schwab@suse.de> +Date: Tue, 22 May 2018 10:37:59 +0200 +Subject: [PATCH] Don't write beyond destination in + __mempcpy_avx512_no_vzeroupper (bug 23196) + +When compiled as mempcpy, the return value is the end of the destination +buffer, thus it cannot be used to refer to the start of it. + +2018-05-23 Andreas Schwab <schwab@suse.de> + + [BZ #23196] + CVE-2018-11237 + * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S + (L(preloop_large)): Save initial destination pointer in %r11 and + use it instead of %rax after the loop. + * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. + +CVE: CVE-2018-11237 +Upstream-Status: Backport +Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> +--- + ChangeLog | 9 +++++++++ + string/test-mempcpy.c | 1 + + sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++-- + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index fa0a07c..bc09dec 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,12 @@ ++2018-05-23 Andreas Schwab <schwab@suse.de> ++ ++ [BZ #23196] ++ CVE-2018-11237 ++ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S ++ (L(preloop_large)): Save initial destination pointer in %r11 and ++ use it instead of %rax after the loop. ++ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. ++ + 2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com> + + [BZ #22786] +diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c +index c08fba8..d98ecdd 100644 +--- a/string/test-mempcpy.c ++++ b/string/test-mempcpy.c +@@ -18,6 +18,7 @@ + <http://www.gnu.org/licenses/>. */ + + #define MEMCPY_RESULT(dst, len) (dst) + (len) ++#define MIN_PAGE_SIZE 131072 + #define TEST_MAIN + #define TEST_NAME "mempcpy" + #include "test-string.h" +diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +index 23c0f7a..a55cf6f 100644 +--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S ++++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +@@ -335,6 +335,7 @@ L(preloop_large): + ja L(preloop_large_bkw) + vmovups (%rsi), %zmm4 + vmovups 0x40(%rsi), %zmm5 ++ mov %rdi, %r11 + + /* Align destination for access with non-temporal stores in the loop. */ + mov %rdi, %r8 +@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop): + cmp $256, %rdx + ja L(gobble_256bytes_nt_loop) + sfence +- vmovups %zmm4, (%rax) +- vmovups %zmm5, 0x40(%rax) ++ vmovups %zmm4, (%r11) ++ vmovups %zmm5, 0x40(%r11) + jmp L(check) + + L(preloop_large_bkw): +-- +2.7.4 + |