glibc: Secruity fix for CVE-2020-6096

Source: glibc.org MR: 104799 Type: Security Fix Disposition: Backport from beea361050728138b82c57dda0c4810402d342b9 ChangeID: 29df826fb697fdd2742c3bace33388bda962c5f1 Description: (From OE-Core rev: 7ce425fa1295a9dca48f8474be58db3ac8aa540d) Signed-off-by: Armin Kuster <akuster@gmvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit ffa4fa35e1f6132b19788166a2b87517d9e17d95) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2020-07-20 14:49:36 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-07-31 22:02:52 +0100
commit: 856d4e9e6126dd1da3d0878677bf4a47f6394735 (patch)
tree: d5574c070815b7ff2a9d1a2fde0ff23a08937355
parent: bb048311202b2de473ded6ac48b2264fec45c8f1 (diff)
download: poky-856d4e9e6126dd1da3d0878677bf4a47f6394735.tar.gz
3 files changed, 308 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
new file mode 100644
index 0000000000..9c26f76432
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
@@ -0,0 +1,112 @@
+From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001
+From: Alexander Anisimov <a.anisimov@omprussia.ru>
+Date: Wed, 8 Jul 2020 14:18:31 +0200
+Subject: [PATCH] arm: CVE-2020-6096: Fix multiarch memcpy for negative length
+ [BZ #25620]
+Unsigned branch instructions could be used for r2 to fix the wrong
+behavior when a negative length is passed to memcpy.
+This commit fixes the armv7 version.
+Upstream-Status: Backport
+CVE: CVE-2020-6096 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ sysdeps/arm/armv7/multiarch/memcpy_impl.S | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+index bf4ac7077f..379bb56fc9 100644
+--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+@@ -268,7 +268,7 @@ ENTRY(memcpy)
+ 
+        mov     dst, dstin      /* Preserve dstin, we need to return it.  */
+        cmp     count, #64
+-       bge     .Lcpy_not_short
+       bhs     .Lcpy_not_short
+        /* Deal with small copies quickly by dropping straight into the
+           exit block.  */
+ 
+@@ -351,10 +351,10 @@ ENTRY(memcpy)
+ 
+ 1:
+        subs    tmp2, count, #64        /* Use tmp2 for count.  */
+-       blt     .Ltail63aligned
+       blo     .Ltail63aligned
+ 
+        cmp     tmp2, #512
+-       bge     .Lcpy_body_long
+       bhs     .Lcpy_body_long
+ 
+ .Lcpy_body_medium:                     /* Count in tmp2.  */
+ #ifdef USE_VFP
+@@ -378,7 +378,7 @@ ENTRY(memcpy)
+        add     src, src, #64
+        vstr    d1, [dst, #56]
+        add     dst, dst, #64
+-       bge     1b
+       bhs     1b
+        tst     tmp2, #0x3f
+        beq     .Ldone
+ 
+@@ -412,7 +412,7 @@ ENTRY(memcpy)
+        ldrd    A_l, A_h, [src, #64]!
+        strd    A_l, A_h, [dst, #64]!
+        subs    tmp2, tmp2, #64
+-       bge     1b
+       bhs     1b
+        tst     tmp2, #0x3f
+        bne     1f
+        ldr     tmp2,[sp], #FRAME_SIZE
+@@ -482,7 +482,7 @@ ENTRY(memcpy)
+        add     src, src, #32
+ 
+        subs    tmp2, tmp2, #prefetch_lines * 64 * 2
+-       blt     2f
+       blo     2f
+ 1:
+        cpy_line_vfp    d3, 0
+        cpy_line_vfp    d4, 64
+@@ -494,7 +494,7 @@ ENTRY(memcpy)
+        add     dst, dst, #2 * 64
+        add     src, src, #2 * 64
+        subs    tmp2, tmp2, #prefetch_lines * 64
+-       bge     1b
+       bhs     1b
+ 
+ 2:
+        cpy_tail_vfp    d3, 0
+@@ -615,8 +615,8 @@ ENTRY(memcpy)
+ 1:
+        pld     [src, #(3 * 64)]
+        subs    count, count, #64
+-       ldrmi   tmp2, [sp], #FRAME_SIZE
+-       bmi     .Ltail63unaligned
+       ldrlo   tmp2, [sp], #FRAME_SIZE
+       blo     .Ltail63unaligned
+        pld     [src, #(4 * 64)]
+ 
+ #ifdef USE_NEON
+@@ -633,7 +633,7 @@ ENTRY(memcpy)
+        neon_load_multi d0-d3, src
+        neon_load_multi d4-d7, src
+        subs    count, count, #64
+-       bmi     2f
+       blo     2f
+ 1:
+        pld     [src, #(4 * 64)]
+        neon_store_multi d0-d3, dst
+@@ -641,7 +641,7 @@ ENTRY(memcpy)
+        neon_store_multi d4-d7, dst
+        neon_load_multi d4-d7, src
+        subs    count, count, #64
+-       bpl     1b
+       bhs     1b
+ 2:
+        neon_store_multi d0-d3, dst
+        neon_store_multi d4-d7, dst
+-- 
+2.17.1
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch
new file mode 100644
index 0000000000..905e44c8e3
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch
@@ -0,0 +1,194 @@
+From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001
+From: Evgeny Eremin <e.eremin@omprussia.ru>
+Date: Wed, 8 Jul 2020 14:18:19 +0200
+Subject: [PATCH] arm: CVE-2020-6096: fix memcpy and memmove for negative
+ length [BZ #25620]
+Unsigned branch instructions could be used for r2 to fix the wrong
+behavior when a negative length is passed to memcpy and memmove.
+This commit fixes the generic arm implementation of memcpy amd memmove.
+Upstream-Status: Backport
+CVE: CVE-2020-6096 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ sysdeps/arm/memcpy.S  | 24 ++++++++++--------------
+ sysdeps/arm/memmove.S | 24 ++++++++++--------------
+ 2 files changed, 20 insertions(+), 28 deletions(-)
+diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S
+index 510e8adaf2..bcfbc51d99 100644
+--- a/sysdeps/arm/memcpy.S
+++ b/sysdeps/arm/memcpy.S
+@@ -68,7 +68,7 @@ ENTRY(memcpy)
+                cfi_remember_state
+ 
+                subs    r2, r2, #4
+-               blt     8f
+               blo     8f
+                ands    ip, r0, #3
+        PLD(    pld     [r1, #0]                )
+                bne     9f
+@@ -82,7 +82,7 @@ ENTRY(memcpy)
+                cfi_rel_offset (r6, 4)
+                cfi_rel_offset (r7, 8)
+                cfi_rel_offset (r8, 12)
+-               blt     5f
+               blo     5f
+ 
+        CALGN(  ands    ip, r1, #31             )
+        CALGN(  rsb     r3, ip, #32             )
+@@ -98,9 +98,9 @@ ENTRY(memcpy)
+ #endif
+ 
+        PLD(    pld     [r1, #0]                )
+-2:     PLD(    subs    r2, r2, #96             )
+2:     PLD(    cmp     r2, #96                 )
+        PLD(    pld     [r1, #28]               )
+-       PLD(    blt     4f                      )
+       PLD(    blo     4f                      )
+        PLD(    pld     [r1, #60]               )
+        PLD(    pld     [r1, #92]               )
+ 
+@@ -108,9 +108,7 @@ ENTRY(memcpy)
+ 4:             ldmia   r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
+                subs    r2, r2, #32
+                stmia   r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
+-               bge     3b
+-       PLD(    cmn     r2, #96                 )
+-       PLD(    bge     4b                      )
+               bhs     3b
+ 
+ 5:             ands    ip, r2, #28
+                rsb     ip, ip, #32
+@@ -222,7 +220,7 @@ ENTRY(memcpy)
+                strbge  r4, [r0], #1
+                subs    r2, r2, ip
+                strb    lr, [r0], #1
+-               blt     8b
+               blo     8b
+                ands    ip, r1, #3
+                beq     1b
+ 
+@@ -236,7 +234,7 @@ ENTRY(memcpy)
+                .macro  forward_copy_shift pull push
+ 
+                subs    r2, r2, #28
+-               blt     14f
+               blo     14f
+ 
+        CALGN(  ands    ip, r1, #31             )
+        CALGN(  rsb     ip, ip, #32             )
+@@ -253,9 +251,9 @@ ENTRY(memcpy)
+                cfi_rel_offset (r10, 16)
+ 
+        PLD(    pld     [r1, #0]                )
+-       PLD(    subs    r2, r2, #96             )
+       PLD(    cmp     r2, #96                 )
+        PLD(    pld     [r1, #28]               )
+-       PLD(    blt     13f                     )
+       PLD(    blo     13f                     )
+        PLD(    pld     [r1, #60]               )
+        PLD(    pld     [r1, #92]               )
+ 
+@@ -280,9 +278,7 @@ ENTRY(memcpy)
+                mov     ip, ip, PULL #\pull
+                orr     ip, ip, lr, PUSH #\push
+                stmia   r0!, {r3, r4, r5, r6, r7, r8, r10, ip}
+-               bge     12b
+-       PLD(    cmn     r2, #96                 )
+-       PLD(    bge     13b                     )
+               bhs     12b
+ 
+                pop     {r5 - r8, r10}
+                cfi_adjust_cfa_offset (-20)
+diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S
+index 954037ef3a..0d07b76ee6 100644
+--- a/sysdeps/arm/memmove.S
+++ b/sysdeps/arm/memmove.S
+@@ -85,7 +85,7 @@ ENTRY(memmove)
+                add     r1, r1, r2
+                add     r0, r0, r2
+                subs    r2, r2, #4
+-               blt     8f
+               blo     8f
+                ands    ip, r0, #3
+        PLD(    pld     [r1, #-4]               )
+                bne     9f
+@@ -99,7 +99,7 @@ ENTRY(memmove)
+                cfi_rel_offset (r6, 4)
+                cfi_rel_offset (r7, 8)
+                cfi_rel_offset (r8, 12)
+-               blt     5f
+               blo     5f
+ 
+        CALGN(  ands    ip, r1, #31             )
+        CALGN(  sbcsne  r4, ip, r2              )  @ C is always set here
+@@ -114,9 +114,9 @@ ENTRY(memmove)
+ #endif
+ 
+        PLD(    pld     [r1, #-4]               )
+-2:     PLD(    subs    r2, r2, #96             )
+2:     PLD(    cmp     r2, #96                 )
+        PLD(    pld     [r1, #-32]              )
+-       PLD(    blt     4f                      )
+       PLD(    blo     4f                      )
+        PLD(    pld     [r1, #-64]              )
+        PLD(    pld     [r1, #-96]              )
+ 
+@@ -124,9 +124,7 @@ ENTRY(memmove)
+ 4:             ldmdb   r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
+                subs    r2, r2, #32
+                stmdb   r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
+-               bge     3b
+-       PLD(    cmn     r2, #96                 )
+-       PLD(    bge     4b                      )
+               bhs     3b
+ 
+ 5:             ands    ip, r2, #28
+                rsb     ip, ip, #32
+@@ -237,7 +235,7 @@ ENTRY(memmove)
+                strbge  r4, [r0, #-1]!
+                subs    r2, r2, ip
+                strb    lr, [r0, #-1]!
+-               blt     8b
+               blo     8b
+                ands    ip, r1, #3
+                beq     1b
+ 
+@@ -251,7 +249,7 @@ ENTRY(memmove)
+                .macro  backward_copy_shift push pull
+ 
+                subs    r2, r2, #28
+-               blt     14f
+               blo     14f
+ 
+        CALGN(  ands    ip, r1, #31             )
+        CALGN(  rsb     ip, ip, #32             )
+@@ -268,9 +266,9 @@ ENTRY(memmove)
+                cfi_rel_offset (r10, 16)
+ 
+        PLD(    pld     [r1, #-4]               )
+-       PLD(    subs    r2, r2, #96             )
+       PLD(    cmp     r2, #96                 )
+        PLD(    pld     [r1, #-32]              )
+-       PLD(    blt     13f                     )
+       PLD(    blo     13f                     )
+        PLD(    pld     [r1, #-64]              )
+        PLD(    pld     [r1, #-96]              )
+ 
+@@ -295,9 +293,7 @@ ENTRY(memmove)
+                mov     r4, r4, PUSH #\push
+                orr     r4, r4, r3, PULL #\pull
+                stmdb   r0!, {r4 - r8, r10, ip, lr}
+-               bge     12b
+-       PLD(    cmn     r2, #96                 )
+-       PLD(    bge     13b                     )
+               bhs     12b
+ 
+                pop     {r5 - r8, r10}
+                cfi_adjust_cfa_offset (-20)
+-- 
+2.17.1
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index a7ffc8993e..e8e11f5438 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -42,6 +42,8 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \
           file://0028-inject-file-assembly-directives.patch \
           file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
+           file://CVE-2020-6096.patch \
+           file://CVE-2020-6096_2.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Armin Kuster <akuster@mvista.com>	2020-07-20 14:49:36 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-07-31 22:02:52 +0100
commit	856d4e9e6126dd1da3d0878677bf4a47f6394735 (patch)
tree	d5574c070815b7ff2a9d1a2fde0ff23a08937355
parent	bb048311202b2de473ded6ac48b2264fec45c8f1 (diff)
download	poky-856d4e9e6126dd1da3d0878677bf4a47f6394735.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch new file mode 100644 index 0000000000..9c26f76432 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
@@ -0,0 +1,112 @@
		1	From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001
		2	From: Alexander Anisimov <a.anisimov@omprussia.ru>
		3	Date: Wed, 8 Jul 2020 14:18:31 +0200
		4	Subject: [PATCH] arm: CVE-2020-6096: Fix multiarch memcpy for negative length
		5	[BZ #25620]
		6
		7	Unsigned branch instructions could be used for r2 to fix the wrong
		8	behavior when a negative length is passed to memcpy.
		9	This commit fixes the armv7 version.
		10
		11	Upstream-Status: Backport
		12	CVE: CVE-2020-6096 patch #1
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14
		15	---
		16	sysdeps/arm/armv7/multiarch/memcpy_impl.S \| 22 +++++++++++-----------
		17	1 file changed, 11 insertions(+), 11 deletions(-)
		18
		19	diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
		20	index bf4ac7077f..379bb56fc9 100644
		21	--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
		22	+++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
		23	@@ -268,7 +268,7 @@ ENTRY(memcpy)
		24
		25	mov dst, dstin /* Preserve dstin, we need to return it. */
		26	cmp count, #64
		27	- bge .Lcpy_not_short
		28	+ bhs .Lcpy_not_short
		29	/* Deal with small copies quickly by dropping straight into the
		30	exit block. */
		31
		32	@@ -351,10 +351,10 @@ ENTRY(memcpy)
		33
		34	1:
		35	subs tmp2, count, #64 /* Use tmp2 for count. */
		36	- blt .Ltail63aligned
		37	+ blo .Ltail63aligned
		38
		39	cmp tmp2, #512
		40	- bge .Lcpy_body_long
		41	+ bhs .Lcpy_body_long
		42
		43	.Lcpy_body_medium: /* Count in tmp2. */
		44	#ifdef USE_VFP
		45	@@ -378,7 +378,7 @@ ENTRY(memcpy)
		46	add src, src, #64
		47	vstr d1, [dst, #56]
		48	add dst, dst, #64
		49	- bge 1b
		50	+ bhs 1b
		51	tst tmp2, #0x3f
		52	beq .Ldone
		53
		54	@@ -412,7 +412,7 @@ ENTRY(memcpy)
		55	ldrd A_l, A_h, [src, #64]!
		56	strd A_l, A_h, [dst, #64]!
		57	subs tmp2, tmp2, #64
		58	- bge 1b
		59	+ bhs 1b
		60	tst tmp2, #0x3f
		61	bne 1f
		62	ldr tmp2,[sp], #FRAME_SIZE
		63	@@ -482,7 +482,7 @@ ENTRY(memcpy)
		64	add src, src, #32
		65
		66	subs tmp2, tmp2, #prefetch_lines * 64 * 2
		67	- blt 2f
		68	+ blo 2f
		69	1:
		70	cpy_line_vfp d3, 0
		71	cpy_line_vfp d4, 64
		72	@@ -494,7 +494,7 @@ ENTRY(memcpy)
		73	add dst, dst, #2 * 64
		74	add src, src, #2 * 64
		75	subs tmp2, tmp2, #prefetch_lines * 64
		76	- bge 1b
		77	+ bhs 1b
		78
		79	2:
		80	cpy_tail_vfp d3, 0
		81	@@ -615,8 +615,8 @@ ENTRY(memcpy)
		82	1:
		83	pld [src, #(3 * 64)]
		84	subs count, count, #64
		85	- ldrmi tmp2, [sp], #FRAME_SIZE
		86	- bmi .Ltail63unaligned
		87	+ ldrlo tmp2, [sp], #FRAME_SIZE
		88	+ blo .Ltail63unaligned
		89	pld [src, #(4 * 64)]
		90
		91	#ifdef USE_NEON
		92	@@ -633,7 +633,7 @@ ENTRY(memcpy)
		93	neon_load_multi d0-d3, src
		94	neon_load_multi d4-d7, src
		95	subs count, count, #64
		96	- bmi 2f
		97	+ blo 2f
		98	1:
		99	pld [src, #(4 * 64)]
		100	neon_store_multi d0-d3, dst
		101	@@ -641,7 +641,7 @@ ENTRY(memcpy)
		102	neon_store_multi d4-d7, dst
		103	neon_load_multi d4-d7, src
		104	subs count, count, #64
		105	- bpl 1b
		106	+ bhs 1b
		107	2:
		108	neon_store_multi d0-d3, dst
		109	neon_store_multi d4-d7, dst
		110	--
		111	2.17.1
		112


diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch new file mode 100644 index 0000000000..905e44c8e3 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch
@@ -0,0 +1,194 @@
		1	From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001
		2	From: Evgeny Eremin <e.eremin@omprussia.ru>
		3	Date: Wed, 8 Jul 2020 14:18:19 +0200
		4	Subject: [PATCH] arm: CVE-2020-6096: fix memcpy and memmove for negative
		5	length [BZ #25620]
		6
		7	Unsigned branch instructions could be used for r2 to fix the wrong
		8	behavior when a negative length is passed to memcpy and memmove.
		9	This commit fixes the generic arm implementation of memcpy amd memmove.
		10
		11	Upstream-Status: Backport
		12	CVE: CVE-2020-6096 patch #2
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14
		15	---
		16	sysdeps/arm/memcpy.S \| 24 ++++++++++--------------
		17	sysdeps/arm/memmove.S \| 24 ++++++++++--------------
		18	2 files changed, 20 insertions(+), 28 deletions(-)
		19
		20	diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S
		21	index 510e8adaf2..bcfbc51d99 100644
		22	--- a/sysdeps/arm/memcpy.S
		23	+++ b/sysdeps/arm/memcpy.S
		24	@@ -68,7 +68,7 @@ ENTRY(memcpy)
		25	cfi_remember_state
		26
		27	subs r2, r2, #4
		28	- blt 8f
		29	+ blo 8f
		30	ands ip, r0, #3
		31	PLD( pld [r1, #0] )
		32	bne 9f
		33	@@ -82,7 +82,7 @@ ENTRY(memcpy)
		34	cfi_rel_offset (r6, 4)
		35	cfi_rel_offset (r7, 8)
		36	cfi_rel_offset (r8, 12)
		37	- blt 5f
		38	+ blo 5f
		39
		40	CALGN( ands ip, r1, #31 )
		41	CALGN( rsb r3, ip, #32 )
		42	@@ -98,9 +98,9 @@ ENTRY(memcpy)
		43	#endif
		44
		45	PLD( pld [r1, #0] )
		46	-2: PLD( subs r2, r2, #96 )
		47	+2: PLD( cmp r2, #96 )
		48	PLD( pld [r1, #28] )
		49	- PLD( blt 4f )
		50	+ PLD( blo 4f )
		51	PLD( pld [r1, #60] )
		52	PLD( pld [r1, #92] )
		53
		54	@@ -108,9 +108,7 @@ ENTRY(memcpy)
		55	4: ldmia r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
		56	subs r2, r2, #32
		57	stmia r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
		58	- bge 3b
		59	- PLD( cmn r2, #96 )
		60	- PLD( bge 4b )
		61	+ bhs 3b
		62
		63	5: ands ip, r2, #28
		64	rsb ip, ip, #32
		65	@@ -222,7 +220,7 @@ ENTRY(memcpy)
		66	strbge r4, [r0], #1
		67	subs r2, r2, ip
		68	strb lr, [r0], #1
		69	- blt 8b
		70	+ blo 8b
		71	ands ip, r1, #3
		72	beq 1b
		73
		74	@@ -236,7 +234,7 @@ ENTRY(memcpy)
		75	.macro forward_copy_shift pull push
		76
		77	subs r2, r2, #28
		78	- blt 14f
		79	+ blo 14f
		80
		81	CALGN( ands ip, r1, #31 )
		82	CALGN( rsb ip, ip, #32 )
		83	@@ -253,9 +251,9 @@ ENTRY(memcpy)
		84	cfi_rel_offset (r10, 16)
		85
		86	PLD( pld [r1, #0] )
		87	- PLD( subs r2, r2, #96 )
		88	+ PLD( cmp r2, #96 )
		89	PLD( pld [r1, #28] )
		90	- PLD( blt 13f )
		91	+ PLD( blo 13f )
		92	PLD( pld [r1, #60] )
		93	PLD( pld [r1, #92] )
		94
		95	@@ -280,9 +278,7 @@ ENTRY(memcpy)
		96	mov ip, ip, PULL #\pull
		97	orr ip, ip, lr, PUSH #\push
		98	stmia r0!, {r3, r4, r5, r6, r7, r8, r10, ip}
		99	- bge 12b
		100	- PLD( cmn r2, #96 )
		101	- PLD( bge 13b )
		102	+ bhs 12b
		103
		104	pop {r5 - r8, r10}
		105	cfi_adjust_cfa_offset (-20)
		106	diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S
		107	index 954037ef3a..0d07b76ee6 100644
		108	--- a/sysdeps/arm/memmove.S
		109	+++ b/sysdeps/arm/memmove.S
		110	@@ -85,7 +85,7 @@ ENTRY(memmove)
		111	add r1, r1, r2
		112	add r0, r0, r2
		113	subs r2, r2, #4
		114	- blt 8f
		115	+ blo 8f
		116	ands ip, r0, #3
		117	PLD( pld [r1, #-4] )
		118	bne 9f
		119	@@ -99,7 +99,7 @@ ENTRY(memmove)
		120	cfi_rel_offset (r6, 4)
		121	cfi_rel_offset (r7, 8)
		122	cfi_rel_offset (r8, 12)
		123	- blt 5f
		124	+ blo 5f
		125
		126	CALGN( ands ip, r1, #31 )
		127	CALGN( sbcsne r4, ip, r2 ) @ C is always set here
		128	@@ -114,9 +114,9 @@ ENTRY(memmove)
		129	#endif
		130
		131	PLD( pld [r1, #-4] )
		132	-2: PLD( subs r2, r2, #96 )
		133	+2: PLD( cmp r2, #96 )
		134	PLD( pld [r1, #-32] )
		135	- PLD( blt 4f )
		136	+ PLD( blo 4f )
		137	PLD( pld [r1, #-64] )
		138	PLD( pld [r1, #-96] )
		139
		140	@@ -124,9 +124,7 @@ ENTRY(memmove)
		141	4: ldmdb r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
		142	subs r2, r2, #32
		143	stmdb r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
		144	- bge 3b
		145	- PLD( cmn r2, #96 )
		146	- PLD( bge 4b )
		147	+ bhs 3b
		148
		149	5: ands ip, r2, #28
		150	rsb ip, ip, #32
		151	@@ -237,7 +235,7 @@ ENTRY(memmove)
		152	strbge r4, [r0, #-1]!
		153	subs r2, r2, ip
		154	strb lr, [r0, #-1]!
		155	- blt 8b
		156	+ blo 8b
		157	ands ip, r1, #3
		158	beq 1b
		159
		160	@@ -251,7 +249,7 @@ ENTRY(memmove)
		161	.macro backward_copy_shift push pull
		162
		163	subs r2, r2, #28
		164	- blt 14f
		165	+ blo 14f
		166
		167	CALGN( ands ip, r1, #31 )
		168	CALGN( rsb ip, ip, #32 )
		169	@@ -268,9 +266,9 @@ ENTRY(memmove)
		170	cfi_rel_offset (r10, 16)
		171
		172	PLD( pld [r1, #-4] )
		173	- PLD( subs r2, r2, #96 )
		174	+ PLD( cmp r2, #96 )
		175	PLD( pld [r1, #-32] )
		176	- PLD( blt 13f )
		177	+ PLD( blo 13f )
		178	PLD( pld [r1, #-64] )
		179	PLD( pld [r1, #-96] )
		180
		181	@@ -295,9 +293,7 @@ ENTRY(memmove)
		182	mov r4, r4, PUSH #\push
		183	orr r4, r4, r3, PULL #\pull
		184	stmdb r0!, {r4 - r8, r10, ip, lr}
		185	- bge 12b
		186	- PLD( cmn r2, #96 )
		187	- PLD( bge 13b )
		188	+ bhs 12b
		189
		190	pop {r5 - r8, r10}
		191	cfi_adjust_cfa_offset (-20)
		192	--
		193	2.17.1
		194


diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb index a7ffc8993e..e8e11f5438 100644 --- a/meta/recipes-core/glibc/glibc_2.31.bb +++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -42,6 +42,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
42	file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \	42	file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \
43	file://0028-inject-file-assembly-directives.patch \	43	file://0028-inject-file-assembly-directives.patch \
44	file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \	44	file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
		45	file://CVE-2020-6096.patch \
		46	file://CVE-2020-6096_2.patch \
45	"	47	"
46	S = "${WORKDIR}/git"	48	S = "${WORKDIR}/git"
47	B = "${WORKDIR}/build-${TARGET_SYS}"	49	B = "${WORKDIR}/build-${TARGET_SYS}"