From 27753e6e297fc6f17490cf700f4da10d0df1855e Mon Sep 17 00:00:00 2001 From: Adrian Mangeac Date: Wed, 26 Sep 2018 13:50:42 +0200 Subject: glibc_2.27: Fix for CVE-2018-11237 Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-11237 Change-Id: I703ff10f4c95d85eb183ee791d7be2a450353616 Signed-off-by: Adrian Mangeac --- recipes-core/glibc/glibc/CVE-2018-11237.patch | 74 +++++++++++++++++++++++++++ recipes-core/glibc/glibc_2.27.bbappend | 6 +++ 2 files changed, 80 insertions(+) create mode 100644 recipes-core/glibc/glibc/CVE-2018-11237.patch create mode 100644 recipes-core/glibc/glibc_2.27.bbappend diff --git a/recipes-core/glibc/glibc/CVE-2018-11237.patch b/recipes-core/glibc/glibc/CVE-2018-11237.patch new file mode 100644 index 0000000..41bd002 --- /dev/null +++ b/recipes-core/glibc/glibc/CVE-2018-11237.patch @@ -0,0 +1,74 @@ +From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Tue, 22 May 2018 10:37:59 +0200 +Subject: [PATCH] Don't write beyond destination in + __mempcpy_avx512_no_vzeroupper (bug 23196) + +When compiled as mempcpy, the return value is the end of the destination +buffer, thus it cannot be used to refer to the start of it. + +CVE: CVE-2018-11237 +Upstream-Status: Backport + +Signed-off-by: Adrian Mangeac +--- + ChangeLog | 9 +++++++++ + string/test-mempcpy.c | 1 + + sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++-- + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 252b099..8032adf 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,12 @@ ++2018-05-23 Andreas Schwab ++ ++ [BZ #23196] ++ CVE-2018-11237 ++ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S ++ (L(preloop_large)): Save initial destination pointer in %r11 and ++ use it instead of %rax after the loop. ++ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. ++ + 2018-05-09 Paul Pluzhnikov + + [BZ #22786] +diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c +index c08fba8..d98ecdd 100644 +--- a/string/test-mempcpy.c ++++ b/string/test-mempcpy.c +@@ -18,6 +18,7 @@ + . */ + + #define MEMCPY_RESULT(dst, len) (dst) + (len) ++#define MIN_PAGE_SIZE 131072 + #define TEST_MAIN + #define TEST_NAME "mempcpy" + #include "test-string.h" +diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +index 23c0f7a..effc3ac 100644 +--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S ++++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +@@ -336,6 +336,7 @@ L(preloop_large): + vmovups (%rsi), %zmm4 + vmovups 0x40(%rsi), %zmm5 + ++ mov %rdi, %r11 + /* Align destination for access with non-temporal stores in the loop. */ + mov %rdi, %r8 + and $-0x80, %rdi +@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop): + cmp $256, %rdx + ja L(gobble_256bytes_nt_loop) + sfence +- vmovups %zmm4, (%rax) +- vmovups %zmm5, 0x40(%rax) ++ vmovups %zmm4, (%r11) ++ vmovups %zmm5, 0x40(%r11) + jmp L(check) + + L(preloop_large_bkw): +-- +2.9.3 + diff --git a/recipes-core/glibc/glibc_2.27.bbappend b/recipes-core/glibc/glibc_2.27.bbappend new file mode 100644 index 0000000..1ab2d4a --- /dev/null +++ b/recipes-core/glibc/glibc_2.27.bbappend @@ -0,0 +1,6 @@ +# look for files in the layer first +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI += " \ + file://CVE-2018-11237.patch \ + " -- cgit v1.2.3-54-g00ecf