glibc: Secruity fix for CVE-2020-6096

Source: glibc.org MR: 104799 Type: Security Fix Disposition: Backport from beea361050728138b82c57dda0c4810402d342b9 ChangeID: 29df826fb697fdd2742c3bace33388bda962c5f1 Description: (From OE-Core rev: 7ce425fa1295a9dca48f8474be58db3ac8aa540d) Signed-off-by: Armin Kuster <akuster@gmvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit ffa4fa35e1f6132b19788166a2b87517d9e17d95) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2020-07-20 14:49:36 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-07-31 22:02:52 +0100
commit: 856d4e9e6126dd1da3d0878677bf4a47f6394735 (patch)
tree: d5574c070815b7ff2a9d1a2fde0ff23a08937355 /meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
parent: bb048311202b2de473ded6ac48b2264fec45c8f1 (diff)
download: poky-856d4e9e6126dd1da3d0878677bf4a47f6394735.tar.gz
1 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
new file mode 100644
index 0000000000..9c26f76432
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
@@ -0,0 +1,112 @@
+From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001
+From: Alexander Anisimov <a.anisimov@omprussia.ru>
+Date: Wed, 8 Jul 2020 14:18:31 +0200
+Subject: [PATCH] arm: CVE-2020-6096: Fix multiarch memcpy for negative length
+ [BZ #25620]
+Unsigned branch instructions could be used for r2 to fix the wrong
+behavior when a negative length is passed to memcpy.
+This commit fixes the armv7 version.
+Upstream-Status: Backport
+CVE: CVE-2020-6096 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ sysdeps/arm/armv7/multiarch/memcpy_impl.S | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+index bf4ac7077f..379bb56fc9 100644
+--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+@@ -268,7 +268,7 @@ ENTRY(memcpy)
+ 
+        mov     dst, dstin      /* Preserve dstin, we need to return it.  */
+        cmp     count, #64
+-       bge     .Lcpy_not_short
+       bhs     .Lcpy_not_short
+        /* Deal with small copies quickly by dropping straight into the
+           exit block.  */
+ 
+@@ -351,10 +351,10 @@ ENTRY(memcpy)
+ 
+ 1:
+        subs    tmp2, count, #64        /* Use tmp2 for count.  */
+-       blt     .Ltail63aligned
+       blo     .Ltail63aligned
+ 
+        cmp     tmp2, #512
+-       bge     .Lcpy_body_long
+       bhs     .Lcpy_body_long
+ 
+ .Lcpy_body_medium:                     /* Count in tmp2.  */
+ #ifdef USE_VFP
+@@ -378,7 +378,7 @@ ENTRY(memcpy)
+        add     src, src, #64
+        vstr    d1, [dst, #56]
+        add     dst, dst, #64
+-       bge     1b
+       bhs     1b
+        tst     tmp2, #0x3f
+        beq     .Ldone
+ 
+@@ -412,7 +412,7 @@ ENTRY(memcpy)
+        ldrd    A_l, A_h, [src, #64]!
+        strd    A_l, A_h, [dst, #64]!
+        subs    tmp2, tmp2, #64
+-       bge     1b
+       bhs     1b
+        tst     tmp2, #0x3f
+        bne     1f
+        ldr     tmp2,[sp], #FRAME_SIZE
+@@ -482,7 +482,7 @@ ENTRY(memcpy)
+        add     src, src, #32
+ 
+        subs    tmp2, tmp2, #prefetch_lines * 64 * 2
+-       blt     2f
+       blo     2f
+ 1:
+        cpy_line_vfp    d3, 0
+        cpy_line_vfp    d4, 64
+@@ -494,7 +494,7 @@ ENTRY(memcpy)
+        add     dst, dst, #2 * 64
+        add     src, src, #2 * 64
+        subs    tmp2, tmp2, #prefetch_lines * 64
+-       bge     1b
+       bhs     1b
+ 
+ 2:
+        cpy_tail_vfp    d3, 0
+@@ -615,8 +615,8 @@ ENTRY(memcpy)
+ 1:
+        pld     [src, #(3 * 64)]
+        subs    count, count, #64
+-       ldrmi   tmp2, [sp], #FRAME_SIZE
+-       bmi     .Ltail63unaligned
+       ldrlo   tmp2, [sp], #FRAME_SIZE
+       blo     .Ltail63unaligned
+        pld     [src, #(4 * 64)]
+ 
+ #ifdef USE_NEON
+@@ -633,7 +633,7 @@ ENTRY(memcpy)
+        neon_load_multi d0-d3, src
+        neon_load_multi d4-d7, src
+        subs    count, count, #64
+-       bmi     2f
+       blo     2f
+ 1:
+        pld     [src, #(4 * 64)]
+        neon_store_multi d0-d3, dst
+@@ -641,7 +641,7 @@ ENTRY(memcpy)
+        neon_store_multi d4-d7, dst
+        neon_load_multi d4-d7, src
+        subs    count, count, #64
+-       bpl     1b
+       bhs     1b
+ 2:
+        neon_store_multi d0-d3, dst
+        neon_store_multi d4-d7, dst
+-- 
+2.17.1
author	Armin Kuster <akuster@mvista.com>	2020-07-20 14:49:36 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-07-31 22:02:52 +0100
commit	856d4e9e6126dd1da3d0878677bf4a47f6394735 (patch)
tree	d5574c070815b7ff2a9d1a2fde0ff23a08937355 /meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
parent	bb048311202b2de473ded6ac48b2264fec45c8f1 (diff)
download	poky-856d4e9e6126dd1da3d0878677bf4a47f6394735.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch new file mode 100644 index 0000000000..9c26f76432 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
@@ -0,0 +1,112 @@
	1	From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001
	2	From: Alexander Anisimov <a.anisimov@omprussia.ru>
	3	Date: Wed, 8 Jul 2020 14:18:31 +0200
	4	Subject: [PATCH] arm: CVE-2020-6096: Fix multiarch memcpy for negative length
	5	[BZ #25620]
	6
	7	Unsigned branch instructions could be used for r2 to fix the wrong
	8	behavior when a negative length is passed to memcpy.
	9	This commit fixes the armv7 version.
	10
	11	Upstream-Status: Backport
	12	CVE: CVE-2020-6096 patch #1
	13	Signed-off-by: Armin Kuster <akuster@mvista.com>
	14
	15	---
	16	sysdeps/arm/armv7/multiarch/memcpy_impl.S \| 22 +++++++++++-----------
	17	1 file changed, 11 insertions(+), 11 deletions(-)
	18
	19	diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
	20	index bf4ac7077f..379bb56fc9 100644
	21	--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
	22	+++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
	23	@@ -268,7 +268,7 @@ ENTRY(memcpy)
	24
	25	mov dst, dstin /* Preserve dstin, we need to return it. */
	26	cmp count, #64
	27	- bge .Lcpy_not_short
	28	+ bhs .Lcpy_not_short
	29	/* Deal with small copies quickly by dropping straight into the
	30	exit block. */
	31
	32	@@ -351,10 +351,10 @@ ENTRY(memcpy)
	33
	34	1:
	35	subs tmp2, count, #64 /* Use tmp2 for count. */
	36	- blt .Ltail63aligned
	37	+ blo .Ltail63aligned
	38
	39	cmp tmp2, #512
	40	- bge .Lcpy_body_long
	41	+ bhs .Lcpy_body_long
	42
	43	.Lcpy_body_medium: /* Count in tmp2. */
	44	#ifdef USE_VFP
	45	@@ -378,7 +378,7 @@ ENTRY(memcpy)
	46	add src, src, #64
	47	vstr d1, [dst, #56]
	48	add dst, dst, #64
	49	- bge 1b
	50	+ bhs 1b
	51	tst tmp2, #0x3f
	52	beq .Ldone
	53
	54	@@ -412,7 +412,7 @@ ENTRY(memcpy)
	55	ldrd A_l, A_h, [src, #64]!
	56	strd A_l, A_h, [dst, #64]!
	57	subs tmp2, tmp2, #64
	58	- bge 1b
	59	+ bhs 1b
	60	tst tmp2, #0x3f
	61	bne 1f
	62	ldr tmp2,[sp], #FRAME_SIZE
	63	@@ -482,7 +482,7 @@ ENTRY(memcpy)
	64	add src, src, #32
	65
	66	subs tmp2, tmp2, #prefetch_lines * 64 * 2
	67	- blt 2f
	68	+ blo 2f
	69	1:
	70	cpy_line_vfp d3, 0
	71	cpy_line_vfp d4, 64
	72	@@ -494,7 +494,7 @@ ENTRY(memcpy)
	73	add dst, dst, #2 * 64
	74	add src, src, #2 * 64
	75	subs tmp2, tmp2, #prefetch_lines * 64
	76	- bge 1b
	77	+ bhs 1b
	78
	79	2:
	80	cpy_tail_vfp d3, 0
	81	@@ -615,8 +615,8 @@ ENTRY(memcpy)
	82	1:
	83	pld [src, #(3 * 64)]
	84	subs count, count, #64
	85	- ldrmi tmp2, [sp], #FRAME_SIZE
	86	- bmi .Ltail63unaligned
	87	+ ldrlo tmp2, [sp], #FRAME_SIZE
	88	+ blo .Ltail63unaligned
	89	pld [src, #(4 * 64)]
	90
	91	#ifdef USE_NEON
	92	@@ -633,7 +633,7 @@ ENTRY(memcpy)
	93	neon_load_multi d0-d3, src
	94	neon_load_multi d4-d7, src
	95	subs count, count, #64
	96	- bmi 2f
	97	+ blo 2f
	98	1:
	99	pld [src, #(4 * 64)]
	100	neon_store_multi d0-d3, dst
	101	@@ -641,7 +641,7 @@ ENTRY(memcpy)
	102	neon_store_multi d4-d7, dst
	103	neon_load_multi d4-d7, src
	104	subs count, count, #64
	105	- bpl 1b
	106	+ bhs 1b
	107	2:
	108	neon_store_multi d0-d3, dst
	109	neon_store_multi d4-d7, dst
	110	--
	111	2.17.1
	112