Diffstat (limited to 'meta/recipes-core/glibc/glibc/CVE-2019-7309.patch')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2019-7309.patch | 207 |
1 files changed, 207 insertions, 0 deletions
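diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-7309.patch b/meta/recipes-core/glibc/glibc/CVE-2019-7309.patch
new file mode 100644
index 0000000000..04963c29e4
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2019-7309.patch
@@ -0,0 +1,207 @@
+From af7f46c45a60e6df754fb6258b546917e61ae6f1 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Mon, 4 Feb 2019 08:55:52 -0800
+Subject: [PATCH] x86-64 memcmp: Use unsigned Jcc instructions on size [BZ
+#24155]
+Reply-To: muislam@microsoft.com
+
+Since the size argument is unsigned. we should use unsigned Jcc
+instructions, instead of signed, to check size.
+
+Tested on x86-64 and x32, with and without --disable-multi-arch.
+
+[BZ #24155]
+CVE-2019-7309
+* NEWS: Updated for CVE-2019-7309.
+* sysdeps/x86_64/memcmp.S: Use RDX_LP for size. Clear the
+upper 32 bits of RDX register for x32. Use unsigned Jcc
+instructions, instead of signed.
+* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
+* sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
+
+(cherry picked from commit 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d)
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+CVE: CVE-2019-7309
+
+Upstream-Status: Backport
+---
+sysdeps/x86_64/memcmp.S | 20 +++---
+sysdeps/x86_64/x32/Makefile | 2 +-
+sysdeps/x86_64/x32/tst-size_t-memcmp-2.c | 79 ++++++++++++++++++++++++
+3 files changed, 92 insertions(+), 9 deletions(-)
+create mode 100644 sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
+
+diff --git a/sysdeps/x86_64/memcmp.S b/sysdeps/x86_64/memcmp.S
+index bcb4a2e88d..45918d375a 100644
+--- a/sysdeps/x86_64/memcmp.S
++++ b/sysdeps/x86_64/memcmp.S
+@@ -21,14 +21,18 @@
+
+.text
+ENTRY (memcmp)
+- test %rdx, %rdx
++#ifdef __ILP32__
++ /* Clear the upper 32 bits. */
++ movl %edx, %edx
++#endif
++ test %RDX_LP, %RDX_LP
+jz L(finz)
+cmpq $1, %rdx
+- jle L(finr1b)
++ jbe L(finr1b)
+subq %rdi, %rsi
+movq %rdx, %r10
+cmpq $32, %r10
+- jge L(gt32)
++ jae L(gt32)
+/* Handle small chunks and last block of less than 32 bytes. */
+L(small):
+testq $1, %r10
+@@ -156,7 +160,7 @@ L(A32):
+movq %r11, %r10
+andq $-32, %r10
+cmpq %r10, %rdi
+- jge L(mt16)
++ jae L(mt16)
+/* Pre-unroll to be ready for unrolled 64B loop. */
+testq $32, %rdi
+jz L(A64)
+@@ -178,7 +182,7 @@ L(A64):
+movq %r11, %r10
+andq $-64, %r10
+cmpq %r10, %rdi
+- jge L(mt32)
++ jae L(mt32)
+
+L(A64main):
+movdqu (%rdi,%rsi), %xmm0
+@@ -216,7 +220,7 @@ L(mt32):
+movq %r11, %r10
+andq $-32, %r10
+cmpq %r10, %rdi
+- jge L(mt16)
++ jae L(mt16)
+
+L(A32main):
+movdqu (%rdi,%rsi), %xmm0
+@@ -254,7 +258,7 @@ L(ATR):
+movq %r11, %r10
+andq $-32, %r10
+cmpq %r10, %rdi
+- jge L(mt16)
++ jae L(mt16)
+testq $16, %rdi
+jz L(ATR32)
+
+@@ -325,7 +329,7 @@ L(ATR64main):
+movq %r11, %r10
+andq $-32, %r10
+cmpq %r10, %rdi
+- jge L(mt16)
++ jae L(mt16)
+
+L(ATR32res):
+movdqa (%rdi,%rsi), %xmm0
+diff --git a/sysdeps/x86_64/x32/Makefile b/sysdeps/x86_64/x32/Makefile
+index 7d528889c6..c9850beeb5 100644
+--- a/sysdeps/x86_64/x32/Makefile
++++ b/sysdeps/x86_64/x32/Makefile
+@@ -6,7 +6,7 @@ CFLAGS-s_llround.c += -fno-builtin-lround
+endif
+
+ifeq ($(subdir),string)
+-tests += tst-size_t-memchr
++tests += tst-size_t-memchr tst-size_t-memcmp-2
+endif
+
+ifeq ($(subdir),wcsmbs)
+diff --git a/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c b/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
+new file mode 100644
+index 0000000000..d8ae1a0813
+--- /dev/null
++++ b/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
+@@ -0,0 +1,79 @@
++/* Test memcmp with size_t in the lower 32 bits of 64-bit register.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#define TEST_MAIN
++#ifdef WIDE
++# define TEST_NAME "wmemcmp"
++#else
++# define TEST_NAME "memcmp"
++#endif
++
++#include "test-size_t.h"
++
++#ifdef WIDE
++# include <inttypes.h>
++# include <wchar.h>
++
++# define MEMCMP wmemcmp
++# define CHAR wchar_t
++#else
++# define MEMCMP memcmp
++# define CHAR char
++#endif
++
++IMPL (MEMCMP, 1)
++
++typedef int (*proto_t) (const CHAR *, const CHAR *, size_t);
++
++static int
++__attribute__ ((noinline, noclone))
++do_memcmp (parameter_t a, parameter_t b)
++{
++ return CALL (&b, a.p, b.p, a.len);
++}
++
++static int
++test_main (void)
++{
++ test_init ();
++
++ parameter_t dest = { { page_size / sizeof (CHAR) }, buf1 };
++ parameter_t src = { { 0 }, buf2 };
++
++ memcpy (buf1, buf2, page_size);
++
++ CHAR *p = (CHAR *) buf1;
++ p[page_size / sizeof (CHAR) - 1] = (CHAR) 1;
++
++ int ret = 0;
++ FOR_EACH_IMPL (impl, 0)
++ {
++ src.fn = impl->fn;
++ int res = do_memcmp (dest, src);
++ if (res >= 0)
++ {
++ error (0, 0, "Wrong result in function %s: %i >= 0",
++ impl->name, res);
++ ret = 1;
++ }
++ }
++
++ return ret ? EXIT_FAILURE : EXIT_SUCCESS;
++}
++
++#include <support/test-driver.c>
+--
+2.23.0
+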
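Review bot: The `Upstream-Status: Backport` trailer in the added patch header names no upstream reference, so anyone auditing this CVE fix has to infer the commit to compare against from the cherry-pick line; I would write `Upstream-Status: Backport [glibc commit 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d]`. The ChangeLog text still lists `* NEWS: Updated for CVE-2019-7309.`, but the patch's own diffstat touches only memcmp.S, the x32 Makefile and the new test, so a short line noting that the NEWS hunk was dropped would keep the header consistent with the content. This view is limited to the patch file, so it is worth confirming that the glibc recipe's SRC_URI lists it, since otherwise the fix is carried in the tree but never applied. The regression test is added only to `sysdeps/x86_64/x32/Makefile`, so it presumably runs only on x32 builds and does not exercise the signed-to-unsigned branch changes on plain x86-64.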