glibc_2.27: Fix for CVE-2018-11237sumo

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-11237

Change-Id: I703ff10f4c95d85eb183ee791d7be2a450353616
Signed-off-by: Adrian Mangeac <Adrian.Mangeac@enea.com>

2 files changed, 80 insertions, 0 deletions

diff --git a/recipes-core/glibc/glibc/CVE-2018-11237.patch b/recipes-core/glibc/glibc/CVE-2018-11237.patch
new file mode 100644
index 0000000..41bd002
--- /dev/null
+++ b/recipes-core/glibc/glibc/CVE-2018-11237.patch
@@ -0,0 +1,74 @@
+From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Tue, 22 May 2018 10:37:59 +0200
+Subject: [PATCH] Don't write beyond destination in
+ __mempcpy_avx512_no_vzeroupper (bug 23196)
+
+When compiled as mempcpy, the return value is the end of the destination
+buffer, thus it cannot be used to refer to the start of it.
+
+CVE: CVE-2018-11237
+Upstream-Status: Backport
+
+Signed-off-by: Adrian Mangeac <Adrian.Mangeac@enea.com>
+---
+ ChangeLog                                               | 9 +++++++++
+ string/test-mempcpy.c                                   | 1 +
+ sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 252b099..8032adf 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,12 @@
++2018-05-23  Andreas Schwab  <schwab@suse.de>
++
++       [BZ #23196]
++       CVE-2018-11237
++       * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
++       (L(preloop_large)): Save initial destination pointer in %r11 and
++       use it instead of %rax after the loop.
++       * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
++
+ 2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+        [BZ #22786]
+diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
+index c08fba8..d98ecdd 100644
+--- a/string/test-mempcpy.c
++++ b/string/test-mempcpy.c
+@@ -18,6 +18,7 @@
+    <http://www.gnu.org/licenses/>.  */
+ 
+ #define MEMCPY_RESULT(dst, len) (dst) + (len)
++#define MIN_PAGE_SIZE 131072
+ #define TEST_MAIN
+ #define TEST_NAME "mempcpy"
+ #include "test-string.h"
+diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+index 23c0f7a..effc3ac 100644
+--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
++++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+@@ -336,6 +336,7 @@ L(preloop_large):
+        vmovups (%rsi), %zmm4
+        vmovups 0x40(%rsi), %zmm5
+ 
++       mov     %rdi, %r11
+ /* Align destination for access with non-temporal stores in the loop.  */
+        mov     %rdi, %r8
+        and     $-0x80, %rdi
+@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
+        cmp     $256, %rdx
+        ja      L(gobble_256bytes_nt_loop)
+        sfence
+-       vmovups %zmm4, (%rax)
+-       vmovups %zmm5, 0x40(%rax)
++       vmovups %zmm4, (%r11)
++       vmovups %zmm5, 0x40(%r11)
+        jmp     L(check)
+ 
+ L(preloop_large_bkw):
+-- 
+2.9.3
+
diff --git a/recipes-core/glibc/glibc_2.27.bbappend b/recipes-core/glibc/glibc_2.27.bbappend
new file mode 100644
index 0000000..1ab2d4a
--- /dev/null
+++ b/recipes-core/glibc/glibc_2.27.bbappend
@@ -0,0 +1,6 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+    file://CVE-2018-11237.patch \
+    "