diff options
author | Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> | 2018-06-26 13:44:17 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-06-28 09:22:35 +0100 |
commit | 1d2e5eed4095f0e1f458bfa1e086e39575cb3605 (patch) | |
tree | f7eda5f1b03305cda58070e447cd099e47abffb8 /meta/recipes-core/glibc | |
parent | ef143b3f16fea779422e5d4bd6213cb551aeaa8a (diff) | |
download | poky-1d2e5eed4095f0e1f458bfa1e086e39575cb3605.tar.gz |
glibc: fix CVE-2018-11237
glibc: fix CVE-2018-11237
(From OE-Core rev: b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/glibc')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2018-11237.patch | 82 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.27.bb | 1 |
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch b/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch new file mode 100644 index 0000000000..632aa565e4 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch | |||
@@ -0,0 +1,82 @@ | |||
1 | From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001 | ||
2 | From: Andreas Schwab <schwab@suse.de> | ||
3 | Date: Tue, 22 May 2018 10:37:59 +0200 | ||
4 | Subject: [PATCH] Don't write beyond destination in | ||
5 | __mempcpy_avx512_no_vzeroupper (bug 23196) | ||
6 | |||
7 | When compiled as mempcpy, the return value is the end of the destination | ||
8 | buffer, thus it cannot be used to refer to the start of it. | ||
9 | |||
10 | 2018-05-23 Andreas Schwab <schwab@suse.de> | ||
11 | |||
12 | [BZ #23196] | ||
13 | CVE-2018-11237 | ||
14 | * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | ||
15 | (L(preloop_large)): Save initial destination pointer in %r11 and | ||
16 | use it instead of %rax after the loop. | ||
17 | * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. | ||
18 | |||
19 | CVE: CVE-2018-11237 | ||
20 | Upstream-Status: Backport | ||
21 | Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> | ||
22 | --- | ||
23 | ChangeLog | 9 +++++++++ | ||
24 | string/test-mempcpy.c | 1 + | ||
25 | sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++-- | ||
26 | 3 files changed, 13 insertions(+), 2 deletions(-) | ||
27 | |||
28 | diff --git a/ChangeLog b/ChangeLog | ||
29 | index fa0a07c..bc09dec 100644 | ||
30 | --- a/ChangeLog | ||
31 | +++ b/ChangeLog | ||
32 | @@ -1,3 +1,12 @@ | ||
33 | +2018-05-23 Andreas Schwab <schwab@suse.de> | ||
34 | + | ||
35 | + [BZ #23196] | ||
36 | + CVE-2018-11237 | ||
37 | + * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | ||
38 | + (L(preloop_large)): Save initial destination pointer in %r11 and | ||
39 | + use it instead of %rax after the loop. | ||
40 | + * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. | ||
41 | + | ||
42 | 2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com> | ||
43 | |||
44 | [BZ #22786] | ||
45 | diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c | ||
46 | index c08fba8..d98ecdd 100644 | ||
47 | --- a/string/test-mempcpy.c | ||
48 | +++ b/string/test-mempcpy.c | ||
49 | @@ -18,6 +18,7 @@ | ||
50 | <http://www.gnu.org/licenses/>. */ | ||
51 | |||
52 | #define MEMCPY_RESULT(dst, len) (dst) + (len) | ||
53 | +#define MIN_PAGE_SIZE 131072 | ||
54 | #define TEST_MAIN | ||
55 | #define TEST_NAME "mempcpy" | ||
56 | #include "test-string.h" | ||
57 | diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | ||
58 | index 23c0f7a..a55cf6f 100644 | ||
59 | --- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | ||
60 | +++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | ||
61 | @@ -335,6 +335,7 @@ L(preloop_large): | ||
62 | ja L(preloop_large_bkw) | ||
63 | vmovups (%rsi), %zmm4 | ||
64 | vmovups 0x40(%rsi), %zmm5 | ||
65 | + mov %rdi, %r11 | ||
66 | |||
67 | /* Align destination for access with non-temporal stores in the loop. */ | ||
68 | mov %rdi, %r8 | ||
69 | @@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop): | ||
70 | cmp $256, %rdx | ||
71 | ja L(gobble_256bytes_nt_loop) | ||
72 | sfence | ||
73 | - vmovups %zmm4, (%rax) | ||
74 | - vmovups %zmm5, 0x40(%rax) | ||
75 | + vmovups %zmm4, (%r11) | ||
76 | + vmovups %zmm5, 0x40(%r11) | ||
77 | jmp L(check) | ||
78 | |||
79 | L(preloop_large_bkw): | ||
80 | -- | ||
81 | 2.7.4 | ||
82 | |||
diff --git a/meta/recipes-core/glibc/glibc_2.27.bb b/meta/recipes-core/glibc/glibc_2.27.bb index fe23eb6653..b14c02cf2a 100644 --- a/meta/recipes-core/glibc/glibc_2.27.bb +++ b/meta/recipes-core/glibc/glibc_2.27.bb | |||
@@ -46,6 +46,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ | |||
46 | file://0030-plural_c_no_preprocessor_lines.patch \ | 46 | file://0030-plural_c_no_preprocessor_lines.patch \ |
47 | file://CVE-2017-18269.patch \ | 47 | file://CVE-2017-18269.patch \ |
48 | file://CVE-2018-11236.patch \ | 48 | file://CVE-2018-11236.patch \ |
49 | file://CVE-2018-11237.patch \ | ||
49 | " | 50 | " |
50 | 51 | ||
51 | NATIVESDKFIXES ?= "" | 52 | NATIVESDKFIXES ?= "" |