1 files changed, 194 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch
new file mode 100644
index 0000000000..905e44c8e3
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch
@@ -0,0 +1,194 @@
+From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001
+From: Evgeny Eremin <e.eremin@omprussia.ru>
+Date: Wed, 8 Jul 2020 14:18:19 +0200
+Subject: [PATCH] arm: CVE-2020-6096: fix memcpy and memmove for negative
+ length [BZ #25620]
+Unsigned branch instructions could be used for r2 to fix the wrong
+behavior when a negative length is passed to memcpy and memmove.
+This commit fixes the generic arm implementation of memcpy amd memmove.
+Upstream-Status: Backport
+CVE: CVE-2020-6096 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ sysdeps/arm/memcpy.S  | 24 ++++++++++--------------
+ sysdeps/arm/memmove.S | 24 ++++++++++--------------
+ 2 files changed, 20 insertions(+), 28 deletions(-)
+diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S
+index 510e8adaf2..bcfbc51d99 100644
+--- a/sysdeps/arm/memcpy.S
+++ b/sysdeps/arm/memcpy.S
+@@ -68,7 +68,7 @@ ENTRY(memcpy)
+                cfi_remember_state
+ 
+                subs    r2, r2, #4
+-               blt     8f
+               blo     8f
+                ands    ip, r0, #3
+        PLD(    pld     [r1, #0]                )
+                bne     9f
+@@ -82,7 +82,7 @@ ENTRY(memcpy)
+                cfi_rel_offset (r6, 4)
+                cfi_rel_offset (r7, 8)
+                cfi_rel_offset (r8, 12)
+-               blt     5f
+               blo     5f
+ 
+        CALGN(  ands    ip, r1, #31             )
+        CALGN(  rsb     r3, ip, #32             )
+@@ -98,9 +98,9 @@ ENTRY(memcpy)
+ #endif
+ 
+        PLD(    pld     [r1, #0]                )
+-2:     PLD(    subs    r2, r2, #96             )
+2:     PLD(    cmp     r2, #96                 )
+        PLD(    pld     [r1, #28]               )
+-       PLD(    blt     4f                      )
+       PLD(    blo     4f                      )
+        PLD(    pld     [r1, #60]               )
+        PLD(    pld     [r1, #92]               )
+ 
+@@ -108,9 +108,7 @@ ENTRY(memcpy)
+ 4:             ldmia   r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
+                subs    r2, r2, #32
+                stmia   r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
+-               bge     3b
+-       PLD(    cmn     r2, #96                 )
+-       PLD(    bge     4b                      )
+               bhs     3b
+ 
+ 5:             ands    ip, r2, #28
+                rsb     ip, ip, #32
+@@ -222,7 +220,7 @@ ENTRY(memcpy)
+                strbge  r4, [r0], #1
+                subs    r2, r2, ip
+                strb    lr, [r0], #1
+-               blt     8b
+               blo     8b
+                ands    ip, r1, #3
+                beq     1b
+ 
+@@ -236,7 +234,7 @@ ENTRY(memcpy)
+                .macro  forward_copy_shift pull push
+ 
+                subs    r2, r2, #28
+-               blt     14f
+               blo     14f
+ 
+        CALGN(  ands    ip, r1, #31             )
+        CALGN(  rsb     ip, ip, #32             )
+@@ -253,9 +251,9 @@ ENTRY(memcpy)
+                cfi_rel_offset (r10, 16)
+ 
+        PLD(    pld     [r1, #0]                )
+-       PLD(    subs    r2, r2, #96             )
+       PLD(    cmp     r2, #96                 )
+        PLD(    pld     [r1, #28]               )
+-       PLD(    blt     13f                     )
+       PLD(    blo     13f                     )
+        PLD(    pld     [r1, #60]               )
+        PLD(    pld     [r1, #92]               )
+ 
+@@ -280,9 +278,7 @@ ENTRY(memcpy)
+                mov     ip, ip, PULL #\pull
+                orr     ip, ip, lr, PUSH #\push
+                stmia   r0!, {r3, r4, r5, r6, r7, r8, r10, ip}
+-               bge     12b
+-       PLD(    cmn     r2, #96                 )
+-       PLD(    bge     13b                     )
+               bhs     12b
+ 
+                pop     {r5 - r8, r10}
+                cfi_adjust_cfa_offset (-20)
+diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S
+index 954037ef3a..0d07b76ee6 100644
+--- a/sysdeps/arm/memmove.S
+++ b/sysdeps/arm/memmove.S
+@@ -85,7 +85,7 @@ ENTRY(memmove)
+                add     r1, r1, r2
+                add     r0, r0, r2
+                subs    r2, r2, #4
+-               blt     8f
+               blo     8f
+                ands    ip, r0, #3
+        PLD(    pld     [r1, #-4]               )
+                bne     9f
+@@ -99,7 +99,7 @@ ENTRY(memmove)
+                cfi_rel_offset (r6, 4)
+                cfi_rel_offset (r7, 8)
+                cfi_rel_offset (r8, 12)
+-               blt     5f
+               blo     5f
+ 
+        CALGN(  ands    ip, r1, #31             )
+        CALGN(  sbcsne  r4, ip, r2              )  @ C is always set here
+@@ -114,9 +114,9 @@ ENTRY(memmove)
+ #endif
+ 
+        PLD(    pld     [r1, #-4]               )
+-2:     PLD(    subs    r2, r2, #96             )
+2:     PLD(    cmp     r2, #96                 )
+        PLD(    pld     [r1, #-32]              )
+-       PLD(    blt     4f                      )
+       PLD(    blo     4f                      )
+        PLD(    pld     [r1, #-64]              )
+        PLD(    pld     [r1, #-96]              )
+ 
+@@ -124,9 +124,7 @@ ENTRY(memmove)
+ 4:             ldmdb   r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
+                subs    r2, r2, #32
+                stmdb   r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
+-               bge     3b
+-       PLD(    cmn     r2, #96                 )
+-       PLD(    bge     4b                      )
+               bhs     3b
+ 
+ 5:             ands    ip, r2, #28
+                rsb     ip, ip, #32
+@@ -237,7 +235,7 @@ ENTRY(memmove)
+                strbge  r4, [r0, #-1]!
+                subs    r2, r2, ip
+                strb    lr, [r0, #-1]!
+-               blt     8b
+               blo     8b
+                ands    ip, r1, #3
+                beq     1b
+ 
+@@ -251,7 +249,7 @@ ENTRY(memmove)
+                .macro  backward_copy_shift push pull
+ 
+                subs    r2, r2, #28
+-               blt     14f
+               blo     14f
+ 
+        CALGN(  ands    ip, r1, #31             )
+        CALGN(  rsb     ip, ip, #32             )
+@@ -268,9 +266,9 @@ ENTRY(memmove)
+                cfi_rel_offset (r10, 16)
+ 
+        PLD(    pld     [r1, #-4]               )
+-       PLD(    subs    r2, r2, #96             )
+       PLD(    cmp     r2, #96                 )
+        PLD(    pld     [r1, #-32]              )
+-       PLD(    blt     13f                     )
+       PLD(    blo     13f                     )
+        PLD(    pld     [r1, #-64]              )
+        PLD(    pld     [r1, #-96]              )
+ 
+@@ -295,9 +293,7 @@ ENTRY(memmove)
+                mov     r4, r4, PUSH #\push
+                orr     r4, r4, r3, PULL #\pull
+                stmdb   r0!, {r4 - r8, r10, ip, lr}
+-               bge     12b
+-       PLD(    cmn     r2, #96                 )
+-       PLD(    bge     13b                     )
+               bhs     12b
+ 
+                pop     {r5 - r8, r10}
+                cfi_adjust_cfa_offset (-20)
+-- 
+2.17.1

diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch new file mode 100644 index 0000000000..905e44c8e3 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch
@@ -0,0 +1,194 @@
	1	From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001
	2	From: Evgeny Eremin <e.eremin@omprussia.ru>
	3	Date: Wed, 8 Jul 2020 14:18:19 +0200
	4	Subject: [PATCH] arm: CVE-2020-6096: fix memcpy and memmove for negative
	5	length [BZ #25620]
	6
	7	Unsigned branch instructions could be used for r2 to fix the wrong
	8	behavior when a negative length is passed to memcpy and memmove.
	9	This commit fixes the generic arm implementation of memcpy amd memmove.
	10
	11	Upstream-Status: Backport
	12	CVE: CVE-2020-6096 patch #2
	13	Signed-off-by: Armin Kuster <akuster@mvista.com>
	14
	15	---
	16	sysdeps/arm/memcpy.S \| 24 ++++++++++--------------
	17	sysdeps/arm/memmove.S \| 24 ++++++++++--------------
	18	2 files changed, 20 insertions(+), 28 deletions(-)
	19
	20	diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S
	21	index 510e8adaf2..bcfbc51d99 100644
	22	--- a/sysdeps/arm/memcpy.S
	23	+++ b/sysdeps/arm/memcpy.S
	24	@@ -68,7 +68,7 @@ ENTRY(memcpy)
	25	cfi_remember_state
	26
	27	subs r2, r2, #4
	28	- blt 8f
	29	+ blo 8f
	30	ands ip, r0, #3
	31	PLD( pld [r1, #0] )
	32	bne 9f
	33	@@ -82,7 +82,7 @@ ENTRY(memcpy)
	34	cfi_rel_offset (r6, 4)
	35	cfi_rel_offset (r7, 8)
	36	cfi_rel_offset (r8, 12)
	37	- blt 5f
	38	+ blo 5f
	39
	40	CALGN( ands ip, r1, #31 )
	41	CALGN( rsb r3, ip, #32 )
	42	@@ -98,9 +98,9 @@ ENTRY(memcpy)
	43	#endif
	44
	45	PLD( pld [r1, #0] )
	46	-2: PLD( subs r2, r2, #96 )
	47	+2: PLD( cmp r2, #96 )
	48	PLD( pld [r1, #28] )
	49	- PLD( blt 4f )
	50	+ PLD( blo 4f )
	51	PLD( pld [r1, #60] )
	52	PLD( pld [r1, #92] )
	53
	54	@@ -108,9 +108,7 @@ ENTRY(memcpy)
	55	4: ldmia r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
	56	subs r2, r2, #32
	57	stmia r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
	58	- bge 3b
	59	- PLD( cmn r2, #96 )
	60	- PLD( bge 4b )
	61	+ bhs 3b
	62
	63	5: ands ip, r2, #28
	64	rsb ip, ip, #32
	65	@@ -222,7 +220,7 @@ ENTRY(memcpy)
	66	strbge r4, [r0], #1
	67	subs r2, r2, ip
	68	strb lr, [r0], #1
	69	- blt 8b
	70	+ blo 8b
	71	ands ip, r1, #3
	72	beq 1b
	73
	74	@@ -236,7 +234,7 @@ ENTRY(memcpy)
	75	.macro forward_copy_shift pull push
	76
	77	subs r2, r2, #28
	78	- blt 14f
	79	+ blo 14f
	80
	81	CALGN( ands ip, r1, #31 )
	82	CALGN( rsb ip, ip, #32 )
	83	@@ -253,9 +251,9 @@ ENTRY(memcpy)
	84	cfi_rel_offset (r10, 16)
	85
	86	PLD( pld [r1, #0] )
	87	- PLD( subs r2, r2, #96 )
	88	+ PLD( cmp r2, #96 )
	89	PLD( pld [r1, #28] )
	90	- PLD( blt 13f )
	91	+ PLD( blo 13f )
	92	PLD( pld [r1, #60] )
	93	PLD( pld [r1, #92] )
	94
	95	@@ -280,9 +278,7 @@ ENTRY(memcpy)
	96	mov ip, ip, PULL #\pull
	97	orr ip, ip, lr, PUSH #\push
	98	stmia r0!, {r3, r4, r5, r6, r7, r8, r10, ip}
	99	- bge 12b
	100	- PLD( cmn r2, #96 )
	101	- PLD( bge 13b )
	102	+ bhs 12b
	103
	104	pop {r5 - r8, r10}
	105	cfi_adjust_cfa_offset (-20)
	106	diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S
	107	index 954037ef3a..0d07b76ee6 100644
	108	--- a/sysdeps/arm/memmove.S
	109	+++ b/sysdeps/arm/memmove.S
	110	@@ -85,7 +85,7 @@ ENTRY(memmove)
	111	add r1, r1, r2
	112	add r0, r0, r2
	113	subs r2, r2, #4
	114	- blt 8f
	115	+ blo 8f
	116	ands ip, r0, #3
	117	PLD( pld [r1, #-4] )
	118	bne 9f
	119	@@ -99,7 +99,7 @@ ENTRY(memmove)
	120	cfi_rel_offset (r6, 4)
	121	cfi_rel_offset (r7, 8)
	122	cfi_rel_offset (r8, 12)
	123	- blt 5f
	124	+ blo 5f
	125
	126	CALGN( ands ip, r1, #31 )
	127	CALGN( sbcsne r4, ip, r2 ) @ C is always set here
	128	@@ -114,9 +114,9 @@ ENTRY(memmove)
	129	#endif
	130
	131	PLD( pld [r1, #-4] )
	132	-2: PLD( subs r2, r2, #96 )
	133	+2: PLD( cmp r2, #96 )
	134	PLD( pld [r1, #-32] )
	135	- PLD( blt 4f )
	136	+ PLD( blo 4f )
	137	PLD( pld [r1, #-64] )
	138	PLD( pld [r1, #-96] )
	139
	140	@@ -124,9 +124,7 @@ ENTRY(memmove)
	141	4: ldmdb r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
	142	subs r2, r2, #32
	143	stmdb r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
	144	- bge 3b
	145	- PLD( cmn r2, #96 )
	146	- PLD( bge 4b )
	147	+ bhs 3b
	148
	149	5: ands ip, r2, #28
	150	rsb ip, ip, #32
	151	@@ -237,7 +235,7 @@ ENTRY(memmove)
	152	strbge r4, [r0, #-1]!
	153	subs r2, r2, ip
	154	strb lr, [r0, #-1]!
	155	- blt 8b
	156	+ blo 8b
	157	ands ip, r1, #3
	158	beq 1b
	159
	160	@@ -251,7 +249,7 @@ ENTRY(memmove)
	161	.macro backward_copy_shift push pull
	162
	163	subs r2, r2, #28
	164	- blt 14f
	165	+ blo 14f
	166
	167	CALGN( ands ip, r1, #31 )
	168	CALGN( rsb ip, ip, #32 )
	169	@@ -268,9 +266,9 @@ ENTRY(memmove)
	170	cfi_rel_offset (r10, 16)
	171
	172	PLD( pld [r1, #-4] )
	173	- PLD( subs r2, r2, #96 )
	174	+ PLD( cmp r2, #96 )
	175	PLD( pld [r1, #-32] )
	176	- PLD( blt 13f )
	177	+ PLD( blo 13f )
	178	PLD( pld [r1, #-64] )
	179	PLD( pld [r1, #-96] )
	180
	181	@@ -295,9 +293,7 @@ ENTRY(memmove)
	182	mov r4, r4, PUSH #\push
	183	orr r4, r4, r3, PULL #\pull
	184	stmdb r0!, {r4 - r8, r10, ip, lr}
	185	- bge 12b
	186	- PLD( cmn r2, #96 )
	187	- PLD( bge 13b )
	188	+ bhs 12b
	189
	190	pop {r5 - r8, r10}
	191	cfi_adjust_cfa_offset (-20)
	192	--
	193	2.17.1
	194