Brad Bishop | bba38f3 | 2018-08-23 16:11:46 +0800 | [diff] [blame] | 1 | From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001 |
| 2 | From: Andreas Schwab <schwab@suse.de> |
| 3 | Date: Tue, 22 May 2018 10:37:59 +0200 |
| 4 | Subject: [PATCH] Don't write beyond destination in |
| 5 | __mempcpy_avx512_no_vzeroupper (bug 23196) |
| 6 | |
| 7 | When compiled as mempcpy, the return value is the end of the destination |
| 8 | buffer, thus it cannot be used to refer to the start of it. |
| 9 | |
| 10 | 2018-05-23 Andreas Schwab <schwab@suse.de> |
| 11 | |
| 12 | [BZ #23196] |
| 13 | CVE-2018-11237 |
| 14 | * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S |
| 15 | (L(preloop_large)): Save initial destination pointer in %r11 and |
| 16 | use it instead of %rax after the loop. |
| 17 | * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. |
| 18 | |
| 19 | CVE: CVE-2018-11237 |
| 20 | Upstream-Status: Backport |
| 21 | Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> |
| 22 | --- |
| 23 | ChangeLog | 9 +++++++++ |
| 24 | string/test-mempcpy.c | 1 + |
| 25 | sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++-- |
| 26 | 3 files changed, 13 insertions(+), 2 deletions(-) |
| 27 | |
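--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2018-05-23 Andreas Schwab <schwab@suse.de>
+
+ [BZ #23196]
+ CVE-2018-11237
+ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+ (L(preloop_large)): Save initial destination pointer in %r11 and
+ use it instead of %rax after the loop.
+ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
 2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>
 
 [BZ #22786]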
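--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
 <http://www.gnu.org/licenses/>. */
 
 #define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
 #define TEST_MAIN
 #define TEST_NAME "mempcpy"
 #include "test-string.h"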
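Review bot: `MIN_PAGE_SIZE 131072` is an unexplained magic number in a test file; the ChangeLog ties it to BZ #23196, which suggests it enlarges the test buffer so that copies become long enough to reach the large-copy path where the out-of-bounds store occurred, but nothing at the definition says so. Suggest placing `/* Large enough for the test to drive mempcpy through the large-copy (non-temporal) path of the AVX512 implementation, BZ #23196.  */` above the define. How test-string.h consumes MIN_PAGE_SIZE is not visible here, so the exact threshold the value must exceed should be confirmed against that header.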
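--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -335,6 +335,7 @@ L(preloop_large):
 ja L(preloop_large_bkw)
 vmovups (%rsi), %zmm4
 vmovups 0x40(%rsi), %zmm5
+ mov %rdi, %r11
 
 /* Align destination for access with non-temporal stores in the loop. */
 mov %rdi, %r8
@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
 cmp $256, %rdx
 ja L(gobble_256bytes_nt_loop)
 sfence
- vmovups %zmm4, (%rax)
- vmovups %zmm5, 0x40(%rax)
+ vmovups %zmm4, (%r11)
+ vmovups %zmm5, 0x40(%r11)
 jmp L(check)
 
 L(preloop_large_bkw):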
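Review bot: The fix's soundness rests on %r11 surviving from the new `mov %rdi, %r11` at L(preloop_large) through the destination-alignment code and the whole L(gobble_256bytes_nt_loop) body, none of which is visible in these hunks, and nothing in the hunk records that invariant, so a later edit that reuses %r11 as scratch inside the loop would silently reintroduce the overflow. Suggest annotating the save with `/* Save dst: %rax is the return value, which is dst+len when built as mempcpy, so it cannot address the head of the buffer after the loop.  */` and the two stores after `sfence` with `/* Store the unaligned head loaded before the loop; %r11 must stay untouched in between.  */`. %r11 is caller-saved in the SysV ABI, so no save/restore is needed, but it should be confirmed that no instruction between the two hunks writes it. The backward path at L(preloop_large_bkw) starts where this hunk ends; whether it derives its head/tail store address from %rax in the same way is not visible here and is worth checking. L(preloop_large)'s body begins before the first hunk and the loop body lies between the two hunks.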
| 80 | -- |
| 81 | 2.7.4 |
| 82 | |