summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZhixiong Chi <zhixiong.chi@windriver.com>2020-07-13 05:52:13 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-08-04 22:17:38 (GMT)
commit9d15991cfae2bca00bafeff687d2bf2b45ce790f (patch)
tree830c6339136089bd4b4f4744fc6cc7ed72ebc4ad
parent20757f3bb4bdb2c90ddd9cf3433605a5007bb1b5 (diff)
downloadpoky-9d15991cfae2bca00bafeff687d2bf2b45ce790f.tar.gz
glibc: CVE-2020-6096
Backport the CVE patch from the upstream: git://sourceware.org/git/glibc.git commit 79a4fa341b8a89cb03f84564fd72abaa1a2db394 commit beea361050728138b82c57dda0c4810402d342b9 (From OE-Core rev: 9059f720f00f7b8dfac89d842ad19876eae201d5) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch193
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch111
-rw-r--r--meta/recipes-core/glibc/glibc_2.30.bb2
3 files changed, 306 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch
new file mode 100644
index 0000000..01c0328
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch
@@ -0,0 +1,193 @@
1From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001
2From: Evgeny Eremin <e.eremin@omprussia.ru>
3Date: Wed, 8 Jul 2020 14:18:19 +0200
4Subject: [PATCH 1/2] arm: CVE-2020-6096: fix memcpy and memmove for negative
5 length [BZ #25620]
6
7Unsigned branch instructions could be used for r2 to fix the wrong
8behavior when a negative length is passed to memcpy and memmove.
9This commit fixes the generic arm implementation of memcpy amd memmove.
10
11CVE: CVE-2020-6096
12Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
13Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
14---
15 sysdeps/arm/memcpy.S | 24 ++++++++++--------------
16 sysdeps/arm/memmove.S | 24 ++++++++++--------------
17 2 files changed, 20 insertions(+), 28 deletions(-)
18
19diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S
20index 510e8adaf2..bcfbc51d99 100644
21--- a/sysdeps/arm/memcpy.S
22+++ b/sysdeps/arm/memcpy.S
23@@ -68,7 +68,7 @@ ENTRY(memcpy)
24 cfi_remember_state
25
26 subs r2, r2, #4
27- blt 8f
28+ blo 8f
29 ands ip, r0, #3
30 PLD( pld [r1, #0] )
31 bne 9f
32@@ -82,7 +82,7 @@ ENTRY(memcpy)
33 cfi_rel_offset (r6, 4)
34 cfi_rel_offset (r7, 8)
35 cfi_rel_offset (r8, 12)
36- blt 5f
37+ blo 5f
38
39 CALGN( ands ip, r1, #31 )
40 CALGN( rsb r3, ip, #32 )
41@@ -98,9 +98,9 @@ ENTRY(memcpy)
42 #endif
43
44 PLD( pld [r1, #0] )
45-2: PLD( subs r2, r2, #96 )
46+2: PLD( cmp r2, #96 )
47 PLD( pld [r1, #28] )
48- PLD( blt 4f )
49+ PLD( blo 4f )
50 PLD( pld [r1, #60] )
51 PLD( pld [r1, #92] )
52
53@@ -108,9 +108,7 @@ ENTRY(memcpy)
54 4: ldmia r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
55 subs r2, r2, #32
56 stmia r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
57- bge 3b
58- PLD( cmn r2, #96 )
59- PLD( bge 4b )
60+ bhs 3b
61
62 5: ands ip, r2, #28
63 rsb ip, ip, #32
64@@ -222,7 +220,7 @@ ENTRY(memcpy)
65 strbge r4, [r0], #1
66 subs r2, r2, ip
67 strb lr, [r0], #1
68- blt 8b
69+ blo 8b
70 ands ip, r1, #3
71 beq 1b
72
73@@ -236,7 +234,7 @@ ENTRY(memcpy)
74 .macro forward_copy_shift pull push
75
76 subs r2, r2, #28
77- blt 14f
78+ blo 14f
79
80 CALGN( ands ip, r1, #31 )
81 CALGN( rsb ip, ip, #32 )
82@@ -253,9 +251,9 @@ ENTRY(memcpy)
83 cfi_rel_offset (r10, 16)
84
85 PLD( pld [r1, #0] )
86- PLD( subs r2, r2, #96 )
87+ PLD( cmp r2, #96 )
88 PLD( pld [r1, #28] )
89- PLD( blt 13f )
90+ PLD( blo 13f )
91 PLD( pld [r1, #60] )
92 PLD( pld [r1, #92] )
93
94@@ -280,9 +278,7 @@ ENTRY(memcpy)
95 mov ip, ip, PULL #\pull
96 orr ip, ip, lr, PUSH #\push
97 stmia r0!, {r3, r4, r5, r6, r7, r8, r10, ip}
98- bge 12b
99- PLD( cmn r2, #96 )
100- PLD( bge 13b )
101+ bhs 12b
102
103 pop {r5 - r8, r10}
104 cfi_adjust_cfa_offset (-20)
105diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S
106index 954037ef3a..0d07b76ee6 100644
107--- a/sysdeps/arm/memmove.S
108+++ b/sysdeps/arm/memmove.S
109@@ -85,7 +85,7 @@ ENTRY(memmove)
110 add r1, r1, r2
111 add r0, r0, r2
112 subs r2, r2, #4
113- blt 8f
114+ blo 8f
115 ands ip, r0, #3
116 PLD( pld [r1, #-4] )
117 bne 9f
118@@ -99,7 +99,7 @@ ENTRY(memmove)
119 cfi_rel_offset (r6, 4)
120 cfi_rel_offset (r7, 8)
121 cfi_rel_offset (r8, 12)
122- blt 5f
123+ blo 5f
124
125 CALGN( ands ip, r1, #31 )
126 CALGN( sbcsne r4, ip, r2 ) @ C is always set here
127@@ -114,9 +114,9 @@ ENTRY(memmove)
128 #endif
129
130 PLD( pld [r1, #-4] )
131-2: PLD( subs r2, r2, #96 )
132+2: PLD( cmp r2, #96 )
133 PLD( pld [r1, #-32] )
134- PLD( blt 4f )
135+ PLD( blo 4f )
136 PLD( pld [r1, #-64] )
137 PLD( pld [r1, #-96] )
138
139@@ -124,9 +124,7 @@ ENTRY(memmove)
140 4: ldmdb r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
141 subs r2, r2, #32
142 stmdb r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
143- bge 3b
144- PLD( cmn r2, #96 )
145- PLD( bge 4b )
146+ bhs 3b
147
148 5: ands ip, r2, #28
149 rsb ip, ip, #32
150@@ -237,7 +235,7 @@ ENTRY(memmove)
151 strbge r4, [r0, #-1]!
152 subs r2, r2, ip
153 strb lr, [r0, #-1]!
154- blt 8b
155+ blo 8b
156 ands ip, r1, #3
157 beq 1b
158
159@@ -251,7 +249,7 @@ ENTRY(memmove)
160 .macro backward_copy_shift push pull
161
162 subs r2, r2, #28
163- blt 14f
164+ blo 14f
165
166 CALGN( ands ip, r1, #31 )
167 CALGN( rsb ip, ip, #32 )
168@@ -268,9 +266,9 @@ ENTRY(memmove)
169 cfi_rel_offset (r10, 16)
170
171 PLD( pld [r1, #-4] )
172- PLD( subs r2, r2, #96 )
173+ PLD( cmp r2, #96 )
174 PLD( pld [r1, #-32] )
175- PLD( blt 13f )
176+ PLD( blo 13f )
177 PLD( pld [r1, #-64] )
178 PLD( pld [r1, #-96] )
179
180@@ -295,9 +293,7 @@ ENTRY(memmove)
181 mov r4, r4, PUSH #\push
182 orr r4, r4, r3, PULL #\pull
183 stmdb r0!, {r4 - r8, r10, ip, lr}
184- bge 12b
185- PLD( cmn r2, #96 )
186- PLD( bge 13b )
187+ bhs 12b
188
189 pop {r5 - r8, r10}
190 cfi_adjust_cfa_offset (-20)
191--
1922.17.0
193
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch
new file mode 100644
index 0000000..bfb2d7e
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch
@@ -0,0 +1,111 @@
1From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001
2From: Alexander Anisimov <a.anisimov@omprussia.ru>
3Date: Wed, 8 Jul 2020 14:18:31 +0200
4Subject: [PATCH 2/2] arm: CVE-2020-6096: Fix multiarch memcpy for negative
5 length [BZ #25620]
6
7Unsigned branch instructions could be used for r2 to fix the wrong
8behavior when a negative length is passed to memcpy.
9This commit fixes the armv7 version.
10
11CVE: CVE-2020-6096
12Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
13Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
14---
15 sysdeps/arm/armv7/multiarch/memcpy_impl.S | 22 +++++++++++-----------
16 1 file changed, 11 insertions(+), 11 deletions(-)
17
18diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
19index bf4ac7077f..379bb56fc9 100644
20--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
21+++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
22@@ -268,7 +268,7 @@ ENTRY(memcpy)
23
24 mov dst, dstin /* Preserve dstin, we need to return it. */
25 cmp count, #64
26- bge .Lcpy_not_short
27+ bhs .Lcpy_not_short
28 /* Deal with small copies quickly by dropping straight into the
29 exit block. */
30
31@@ -351,10 +351,10 @@ ENTRY(memcpy)
32
33 1:
34 subs tmp2, count, #64 /* Use tmp2 for count. */
35- blt .Ltail63aligned
36+ blo .Ltail63aligned
37
38 cmp tmp2, #512
39- bge .Lcpy_body_long
40+ bhs .Lcpy_body_long
41
42 .Lcpy_body_medium: /* Count in tmp2. */
43 #ifdef USE_VFP
44@@ -378,7 +378,7 @@ ENTRY(memcpy)
45 add src, src, #64
46 vstr d1, [dst, #56]
47 add dst, dst, #64
48- bge 1b
49+ bhs 1b
50 tst tmp2, #0x3f
51 beq .Ldone
52
53@@ -412,7 +412,7 @@ ENTRY(memcpy)
54 ldrd A_l, A_h, [src, #64]!
55 strd A_l, A_h, [dst, #64]!
56 subs tmp2, tmp2, #64
57- bge 1b
58+ bhs 1b
59 tst tmp2, #0x3f
60 bne 1f
61 ldr tmp2,[sp], #FRAME_SIZE
62@@ -482,7 +482,7 @@ ENTRY(memcpy)
63 add src, src, #32
64
65 subs tmp2, tmp2, #prefetch_lines * 64 * 2
66- blt 2f
67+ blo 2f
68 1:
69 cpy_line_vfp d3, 0
70 cpy_line_vfp d4, 64
71@@ -494,7 +494,7 @@ ENTRY(memcpy)
72 add dst, dst, #2 * 64
73 add src, src, #2 * 64
74 subs tmp2, tmp2, #prefetch_lines * 64
75- bge 1b
76+ bhs 1b
77
78 2:
79 cpy_tail_vfp d3, 0
80@@ -615,8 +615,8 @@ ENTRY(memcpy)
81 1:
82 pld [src, #(3 * 64)]
83 subs count, count, #64
84- ldrmi tmp2, [sp], #FRAME_SIZE
85- bmi .Ltail63unaligned
86+ ldrlo tmp2, [sp], #FRAME_SIZE
87+ blo .Ltail63unaligned
88 pld [src, #(4 * 64)]
89
90 #ifdef USE_NEON
91@@ -633,7 +633,7 @@ ENTRY(memcpy)
92 neon_load_multi d0-d3, src
93 neon_load_multi d4-d7, src
94 subs count, count, #64
95- bmi 2f
96+ blo 2f
97 1:
98 pld [src, #(4 * 64)]
99 neon_store_multi d0-d3, dst
100@@ -641,7 +641,7 @@ ENTRY(memcpy)
101 neon_store_multi d4-d7, dst
102 neon_load_multi d4-d7, src
103 subs count, count, #64
104- bpl 1b
105+ bhs 1b
106 2:
107 neon_store_multi d0-d3, dst
108 neon_store_multi d4-d7, dst
109--
1102.17.0
111
diff --git a/meta/recipes-core/glibc/glibc_2.30.bb b/meta/recipes-core/glibc/glibc_2.30.bb
index e9286b6..b674b02 100644
--- a/meta/recipes-core/glibc/glibc_2.30.bb
+++ b/meta/recipes-core/glibc/glibc_2.30.bb
@@ -45,6 +45,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
45 file://CVE-2020-10029.patch \ 45 file://CVE-2020-10029.patch \
46 file://CVE-2020-1751.patch \ 46 file://CVE-2020-1751.patch \
47 file://CVE-2020-1752.patch \ 47 file://CVE-2020-1752.patch \
48 file://CVE-2020-6096-1.patch \
49 file://CVE-2020-6096-2.patch \
48 " 50 "
49S = "${WORKDIR}/git" 51S = "${WORKDIR}/git"
50B = "${WORKDIR}/build-${TARGET_SYS}" 52B = "${WORKDIR}/build-${TARGET_SYS}"