glibc: fix CVE-2018-11237

glibc: fix CVE-2018-11237 (From OE-Core rev: b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7) (From OE-Core rev: 361c40d4bea101875747eac9c8cc46e92ced173f) Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> 2018-06-26 13:44:17 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-09-27 12:17:46 +0100
commit: 3b8dc3a88e28546100a6b0b2f2cc37f44e619371 (patch)
tree: e1556289e4f9d1ae258a7e2337913185918176b6
parent: a36165011e5bbdef3a4e81ef33eeb57794678ebb (diff)
download: poky-3b8dc3a88e28546100a6b0b2f2cc37f44e619371.tar.gz
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch b/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch
new file mode 100644
index 0000000000..632aa565e4
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch
@@ -0,0 +1,82 @@
+From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Tue, 22 May 2018 10:37:59 +0200
+Subject: [PATCH] Don't write beyond destination in
+ __mempcpy_avx512_no_vzeroupper (bug 23196)
+When compiled as mempcpy, the return value is the end of the destination
+buffer, thus it cannot be used to refer to the start of it.
+2018-05-23  Andreas Schwab  <schwab@suse.de>
+       [BZ #23196]
+       CVE-2018-11237
+       * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+       (L(preloop_large)): Save initial destination pointer in %r11 and
+       use it instead of %rax after the loop.
+       * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+CVE: CVE-2018-11237
+Upstream-Status: Backport
+Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ ChangeLog                                               | 9 +++++++++
+ string/test-mempcpy.c                                   | 1 +
+ sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index fa0a07c..bc09dec 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,12 @@
+2018-05-23  Andreas Schwab  <schwab@suse.de>
+
+       [BZ #23196]
+       CVE-2018-11237
+       * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+       (L(preloop_large)): Save initial destination pointer in %r11 and
+       use it instead of %rax after the loop.
+       * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
+ 2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
+ 
+        [BZ #22786]
+diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
+index c08fba8..d98ecdd 100644
+--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
+@@ -18,6 +18,7 @@
+    <http://www.gnu.org/licenses/>.  */
+ 
+ #define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
+ #define TEST_MAIN
+ #define TEST_NAME "mempcpy"
+ #include "test-string.h"
+diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+index 23c0f7a..a55cf6f 100644
+--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+@@ -335,6 +335,7 @@ L(preloop_large):
+        ja      L(preloop_large_bkw)
+        vmovups (%rsi), %zmm4
+        vmovups 0x40(%rsi), %zmm5
+       mov     %rdi, %r11
+ 
+ /* Align destination for access with non-temporal stores in the loop.  */
+        mov     %rdi, %r8
+@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
+        cmp     $256, %rdx
+        ja      L(gobble_256bytes_nt_loop)
+        sfence
+-       vmovups %zmm4, (%rax)
+-       vmovups %zmm5, 0x40(%rax)
+       vmovups %zmm4, (%r11)
+       vmovups %zmm5, 0x40(%r11)
+        jmp     L(check)
+ 
+ L(preloop_large_bkw):
+-- 
+2.7.4
diff --git a/meta/recipes-core/glibc/glibc_2.27.bb b/meta/recipes-core/glibc/glibc_2.27.bb
index 22a9881eaf..adee494c2e 100644
--- a/meta/recipes-core/glibc/glibc_2.27.bb
+++ b/meta/recipes-core/glibc/glibc_2.27.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0030-plural_c_no_preprocessor_lines.patch \
           file://CVE-2017-18269.patch \
           file://CVE-2018-11236.patch \
+           file://CVE-2018-11237.patch \
 "
 NATIVESDKFIXES ?= ""
author	Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>	2018-06-26 13:44:17 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-09-27 12:17:46 +0100
commit	3b8dc3a88e28546100a6b0b2f2cc37f44e619371 (patch)
tree	e1556289e4f9d1ae258a7e2337913185918176b6
parent	a36165011e5bbdef3a4e81ef33eeb57794678ebb (diff)
download	poky-3b8dc3a88e28546100a6b0b2f2cc37f44e619371.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch b/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch new file mode 100644 index 0000000000..632aa565e4 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch
@@ -0,0 +1,82 @@
		1	From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001
		2	From: Andreas Schwab <schwab@suse.de>
		3	Date: Tue, 22 May 2018 10:37:59 +0200
		4	Subject: [PATCH] Don't write beyond destination in
		5	__mempcpy_avx512_no_vzeroupper (bug 23196)
		6
		7	When compiled as mempcpy, the return value is the end of the destination
		8	buffer, thus it cannot be used to refer to the start of it.
		9
		10	2018-05-23 Andreas Schwab <schwab@suse.de>
		11
		12	[BZ #23196]
		13	CVE-2018-11237
		14	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
		15	(L(preloop_large)): Save initial destination pointer in %r11 and
		16	use it instead of %rax after the loop.
		17	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
		18
		19	CVE: CVE-2018-11237
		20	Upstream-Status: Backport
		21	Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
		22	---
		23	ChangeLog \| 9 +++++++++
		24	string/test-mempcpy.c \| 1 +
		25	sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S \| 5 +++--
		26	3 files changed, 13 insertions(+), 2 deletions(-)
		27
		28	diff --git a/ChangeLog b/ChangeLog
		29	index fa0a07c..bc09dec 100644
		30	--- a/ChangeLog
		31	+++ b/ChangeLog
		32	@@ -1,3 +1,12 @@
		33	+2018-05-23 Andreas Schwab <schwab@suse.de>
		34	+
		35	+ [BZ #23196]
		36	+ CVE-2018-11237
		37	+ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
		38	+ (L(preloop_large)): Save initial destination pointer in %r11 and
		39	+ use it instead of %rax after the loop.
		40	+ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
		41	+
		42	2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>
		43
		44	[BZ #22786]
		45	diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
		46	index c08fba8..d98ecdd 100644
		47	--- a/string/test-mempcpy.c
		48	+++ b/string/test-mempcpy.c
		49	@@ -18,6 +18,7 @@
		50	<http://www.gnu.org/licenses/>. */
		51
		52	#define MEMCPY_RESULT(dst, len) (dst) + (len)
		53	+#define MIN_PAGE_SIZE 131072
		54	#define TEST_MAIN
		55	#define TEST_NAME "mempcpy"
		56	#include "test-string.h"
		57	diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
		58	index 23c0f7a..a55cf6f 100644
		59	--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
		60	+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
		61	@@ -335,6 +335,7 @@ L(preloop_large):
		62	ja L(preloop_large_bkw)
		63	vmovups (%rsi), %zmm4
		64	vmovups 0x40(%rsi), %zmm5
		65	+ mov %rdi, %r11
		66
		67	/* Align destination for access with non-temporal stores in the loop. */
		68	mov %rdi, %r8
		69	@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
		70	cmp $256, %rdx
		71	ja L(gobble_256bytes_nt_loop)
		72	sfence
		73	- vmovups %zmm4, (%rax)
		74	- vmovups %zmm5, 0x40(%rax)
		75	+ vmovups %zmm4, (%r11)
		76	+ vmovups %zmm5, 0x40(%r11)
		77	jmp L(check)
		78
		79	L(preloop_large_bkw):
		80	--
		81	2.7.4
		82


diff --git a/meta/recipes-core/glibc/glibc_2.27.bb b/meta/recipes-core/glibc/glibc_2.27.bb index 22a9881eaf..adee494c2e 100644 --- a/meta/recipes-core/glibc/glibc_2.27.bb +++ b/meta/recipes-core/glibc/glibc_2.27.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
47	file://0030-plural_c_no_preprocessor_lines.patch \	47	file://0030-plural_c_no_preprocessor_lines.patch \
48	file://CVE-2017-18269.patch \	48	file://CVE-2017-18269.patch \
49	file://CVE-2018-11236.patch \	49	file://CVE-2018-11236.patch \
		50	file://CVE-2018-11237.patch \
50	"	51	"
51		52
52	NATIVESDKFIXES ?= ""	53	NATIVESDKFIXES ?= ""