diff options
| author | Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> | 2018-06-26 13:44:17 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-09-27 12:17:46 +0100 |
| commit | 3b8dc3a88e28546100a6b0b2f2cc37f44e619371 (patch) | |
| tree | e1556289e4f9d1ae258a7e2337913185918176b6 /meta/recipes-core | |
| parent | a36165011e5bbdef3a4e81ef33eeb57794678ebb (diff) | |
| download | poky-3b8dc3a88e28546100a6b0b2f2cc37f44e619371.tar.gz | |
glibc: fix CVE-2018-11237
glibc: fix CVE-2018-11237
(From OE-Core rev: b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7)
(From OE-Core rev: 361c40d4bea101875747eac9c8cc46e92ced173f)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
| -rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2018-11237.patch | 82 | ||||
| -rw-r--r-- | meta/recipes-core/glibc/glibc_2.27.bb | 1 |
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch b/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch new file mode 100644 index 0000000000..632aa565e4 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch | |||
| @@ -0,0 +1,82 @@ | |||
| 1 | From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Andreas Schwab <schwab@suse.de> | ||
| 3 | Date: Tue, 22 May 2018 10:37:59 +0200 | ||
| 4 | Subject: [PATCH] Don't write beyond destination in | ||
| 5 | __mempcpy_avx512_no_vzeroupper (bug 23196) | ||
| 6 | |||
| 7 | When compiled as mempcpy, the return value is the end of the destination | ||
| 8 | buffer, thus it cannot be used to refer to the start of it. | ||
| 9 | |||
| 10 | 2018-05-23 Andreas Schwab <schwab@suse.de> | ||
| 11 | |||
| 12 | [BZ #23196] | ||
| 13 | CVE-2018-11237 | ||
| 14 | * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | ||
| 15 | (L(preloop_large)): Save initial destination pointer in %r11 and | ||
| 16 | use it instead of %rax after the loop. | ||
| 17 | * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. | ||
| 18 | |||
| 19 | CVE: CVE-2018-11237 | ||
| 20 | Upstream-Status: Backport | ||
| 21 | Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> | ||
| 22 | --- | ||
| 23 | ChangeLog | 9 +++++++++ | ||
| 24 | string/test-mempcpy.c | 1 + | ||
| 25 | sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++-- | ||
| 26 | 3 files changed, 13 insertions(+), 2 deletions(-) | ||
| 27 | |||
| 28 | diff --git a/ChangeLog b/ChangeLog | ||
| 29 | index fa0a07c..bc09dec 100644 | ||
| 30 | --- a/ChangeLog | ||
| 31 | +++ b/ChangeLog | ||
| 32 | @@ -1,3 +1,12 @@ | ||
| 33 | +2018-05-23 Andreas Schwab <schwab@suse.de> | ||
| 34 | + | ||
| 35 | + [BZ #23196] | ||
| 36 | + CVE-2018-11237 | ||
| 37 | + * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | ||
| 38 | + (L(preloop_large)): Save initial destination pointer in %r11 and | ||
| 39 | + use it instead of %rax after the loop. | ||
| 40 | + * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. | ||
| 41 | + | ||
| 42 | 2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com> | ||
| 43 | |||
| 44 | [BZ #22786] | ||
| 45 | diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c | ||
| 46 | index c08fba8..d98ecdd 100644 | ||
| 47 | --- a/string/test-mempcpy.c | ||
| 48 | +++ b/string/test-mempcpy.c | ||
| 49 | @@ -18,6 +18,7 @@ | ||
| 50 | <http://www.gnu.org/licenses/>. */ | ||
| 51 | |||
| 52 | #define MEMCPY_RESULT(dst, len) (dst) + (len) | ||
| 53 | +#define MIN_PAGE_SIZE 131072 | ||
| 54 | #define TEST_MAIN | ||
| 55 | #define TEST_NAME "mempcpy" | ||
| 56 | #include "test-string.h" | ||
| 57 | diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | ||
| 58 | index 23c0f7a..a55cf6f 100644 | ||
| 59 | --- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | ||
| 60 | +++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | ||
| 61 | @@ -335,6 +335,7 @@ L(preloop_large): | ||
| 62 | ja L(preloop_large_bkw) | ||
| 63 | vmovups (%rsi), %zmm4 | ||
| 64 | vmovups 0x40(%rsi), %zmm5 | ||
| 65 | + mov %rdi, %r11 | ||
| 66 | |||
| 67 | /* Align destination for access with non-temporal stores in the loop. */ | ||
| 68 | mov %rdi, %r8 | ||
| 69 | @@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop): | ||
| 70 | cmp $256, %rdx | ||
| 71 | ja L(gobble_256bytes_nt_loop) | ||
| 72 | sfence | ||
| 73 | - vmovups %zmm4, (%rax) | ||
| 74 | - vmovups %zmm5, 0x40(%rax) | ||
| 75 | + vmovups %zmm4, (%r11) | ||
| 76 | + vmovups %zmm5, 0x40(%r11) | ||
| 77 | jmp L(check) | ||
| 78 | |||
| 79 | L(preloop_large_bkw): | ||
| 80 | -- | ||
| 81 | 2.7.4 | ||
| 82 | |||
diff --git a/meta/recipes-core/glibc/glibc_2.27.bb b/meta/recipes-core/glibc/glibc_2.27.bb index 22a9881eaf..adee494c2e 100644 --- a/meta/recipes-core/glibc/glibc_2.27.bb +++ b/meta/recipes-core/glibc/glibc_2.27.bb | |||
| @@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ | |||
| 47 | file://0030-plural_c_no_preprocessor_lines.patch \ | 47 | file://0030-plural_c_no_preprocessor_lines.patch \ |
| 48 | file://CVE-2017-18269.patch \ | 48 | file://CVE-2017-18269.patch \ |
| 49 | file://CVE-2018-11236.patch \ | 49 | file://CVE-2018-11236.patch \ |
| 50 | file://CVE-2018-11237.patch \ | ||
| 50 | " | 51 | " |
| 51 | 52 | ||
| 52 | NATIVESDKFIXES ?= "" | 53 | NATIVESDKFIXES ?= "" |