poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch - openbmc/openbmc - Gitiles

 From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001
 From: Andreas Schwab <schwab@suse.de>
 Date: Tue, 22 May 2018 10:37:59 +0200
 Subject: [PATCH] Don't write beyond destination in
  __mempcpy_avx512_no_vzeroupper (bug 23196)

 When compiled as mempcpy, the return value is the end of the destination
 buffer, thus it cannot be used to refer to the start of it.

 2018-05-23  Andreas Schwab  <schwab@suse.de>

        [BZ #23196]
        CVE-2018-11237
        * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
        (L(preloop_large)): Save initial destination pointer in %r11 and
        use it instead of %rax after the loop.
        * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.

 CVE: CVE-2018-11237
 Upstream-Status: Backport
 Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
 ---
  ChangeLog                                               | 9 +++++++++
  string/test-mempcpy.c                                   | 1 +
  sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
  3 files changed, 13 insertions(+), 2 deletions(-)

 diff --git a/ChangeLog b/ChangeLog
 index fa0a07c..bc09dec 100644
 --- a/ChangeLog
 +++ b/ChangeLog
 @@ -1,3 +1,12 @@
 +2018-05-23  Andreas Schwab  <schwab@suse.de>
 +
 +	[BZ #23196]
 +	CVE-2018-11237
 +	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
 +	(L(preloop_large)): Save initial destination pointer in %r11 and
 +	use it instead of %rax after the loop.
 +	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
 +
  2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>

  	[BZ #22786]
 diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
 index c08fba8..d98ecdd 100644
 --- a/string/test-mempcpy.c
 +++ b/string/test-mempcpy.c
 @@ -18,6 +18,7 @@
     <http://www.gnu.org/licenses/>.  */

  #define MEMCPY_RESULT(dst, len) (dst) + (len)
 +#define MIN_PAGE_SIZE 131072
  #define TEST_MAIN
  #define TEST_NAME "mempcpy"
  #include "test-string.h"
 diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
 index 23c0f7a..a55cf6f 100644
 --- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
 +++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
 @@ -335,6 +335,7 @@ L(preloop_large):
  	ja	L(preloop_large_bkw)
  	vmovups	(%rsi), %zmm4
  	vmovups	0x40(%rsi), %zmm5
 +	mov     %rdi, %r11

  /* Align destination for access with non-temporal stores in the loop.  */
  	mov	%rdi, %r8
 @@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
  	cmp	$256, %rdx
  	ja	L(gobble_256bytes_nt_loop)
  	sfence
 -	vmovups	%zmm4, (%rax)
 -	vmovups	%zmm5, 0x40(%rax)
 +	vmovups %zmm4, (%r11)
 +	vmovups %zmm5, 0x40(%r11)
  	jmp	L(check)

  L(preloop_large_bkw):
 --
 2.7.4
	From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001
	From: Andreas Schwab <schwab@suse.de>
	Date: Tue, 22 May 2018 10:37:59 +0200
	Subject: [PATCH] Don't write beyond destination in
	__mempcpy_avx512_no_vzeroupper (bug 23196)

	When compiled as mempcpy, the return value is the end of the destination
	buffer, thus it cannot be used to refer to the start of it.

	2018-05-23 Andreas Schwab <schwab@suse.de>

	[BZ #23196]
	CVE-2018-11237
	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
	(L(preloop_large)): Save initial destination pointer in %r11 and
	use it instead of %rax after the loop.
	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.

	CVE: CVE-2018-11237
	Upstream-Status: Backport
	Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
	---
	ChangeLog \| 9 +++++++++
	string/test-mempcpy.c \| 1 +
	sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S \| 5 +++--
	3 files changed, 13 insertions(+), 2 deletions(-)

	diff --git a/ChangeLog b/ChangeLog
	index fa0a07c..bc09dec 100644
	--- a/ChangeLog
	+++ b/ChangeLog
	@@ -1,3 +1,12 @@
	+2018-05-23 Andreas Schwab <schwab@suse.de>
	+
	+ [BZ #23196]
	+ CVE-2018-11237
	+ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
	+ (L(preloop_large)): Save initial destination pointer in %r11 and
	+ use it instead of %rax after the loop.
	+ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
	+
	2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>

	[BZ #22786]
	diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
	index c08fba8..d98ecdd 100644
	--- a/string/test-mempcpy.c
	+++ b/string/test-mempcpy.c
	@@ -18,6 +18,7 @@
	<http://www.gnu.org/licenses/>. */

	#define MEMCPY_RESULT(dst, len) (dst) + (len)
	+#define MIN_PAGE_SIZE 131072
	#define TEST_MAIN
	#define TEST_NAME "mempcpy"
	#include "test-string.h"
	diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
	index 23c0f7a..a55cf6f 100644
	--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
	+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
	@@ -335,6 +335,7 @@ L(preloop_large):
	ja L(preloop_large_bkw)
	vmovups (%rsi), %zmm4
	vmovups 0x40(%rsi), %zmm5
	+ mov %rdi, %r11

	/* Align destination for access with non-temporal stores in the loop. */
	mov %rdi, %r8
	@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
	cmp $256, %rdx
	ja L(gobble_256bytes_nt_loop)
	sfence
	- vmovups %zmm4, (%rax)
	- vmovups %zmm5, 0x40(%rax)
	+ vmovups %zmm4, (%r11)
	+ vmovups %zmm5, 0x40(%r11)
	jmp L(check)

	L(preloop_large_bkw):
	--
	2.7.4