2 files changed, 224 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/0001-x86-64-memcmp-Use-unsigned-Jcc-instructions-on-size-.patch b/meta/recipes-core/glibc/glibc/0001-x86-64-memcmp-Use-unsigned-Jcc-instructions-on-size-.patch
new file mode 100644
index 0000000000..1c625f63c7
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0001-x86-64-memcmp-Use-unsigned-Jcc-instructions-on-size-.patch
@@ -0,0 +1,223 @@
+From 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Mon, 4 Feb 2019 06:31:01 -0800
+Subject: [PATCH] x86-64 memcmp: Use unsigned Jcc instructions on size [BZ
+ #24155]
+Since the size argument is unsigned. we should use unsigned Jcc
+instructions, instead of signed, to check size.
+Tested on x86-64 and x32, with and without --disable-multi-arch.
+        [BZ #24155]
+        CVE-2019-7309
+        * NEWS: Updated for CVE-2019-7309.
+        * sysdeps/x86_64/memcmp.S: Use RDX_LP for size.  Clear the
+        upper 32 bits of RDX register for x32.  Use unsigned Jcc
+        instructions, instead of signed.
+        * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
+        * sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
+CVE: CVE-2019-7309
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ ChangeLog                                | 11 ++++
+ sysdeps/x86_64/memcmp.S                  | 20 +++---
+ sysdeps/x86_64/x32/Makefile              |  3 +-
+ sysdeps/x86_64/x32/tst-size_t-memcmp-2.c | 79 ++++++++++++++++++++++++
+ 5 files changed, 111 insertions(+), 10 deletions(-)
+ create mode 100644 sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
+diff --git a/ChangeLog b/ChangeLog
+index 29bc4451ef..a0dcdac323 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,14 @@
+2019-02-04  H.J. Lu  <hongjiu.lu@intel.com>
+
+       [BZ #24155]
+       CVE-2019-7309
+       * NEWS: Updated for CVE-2019-7309.
+       * sysdeps/x86_64/memcmp.S: Use RDX_LP for size.  Clear the
+       upper 32 bits of RDX register for x32.  Use unsigned Jcc
+       instructions, instead of signed.
+       * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
+       * sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
+
+ 2019-01-31  Carlos O'Donell  <carlos@redhat.com>
+            Torvald Riegel  <triegel@redhat.com>
+            Rik Prohaska  <prohaska7@gmail.com>
+diff --git a/sysdeps/x86_64/memcmp.S b/sysdeps/x86_64/memcmp.S
+index 1fc487caa5..1322bb3b92 100644
+--- a/sysdeps/x86_64/memcmp.S
+++ b/sysdeps/x86_64/memcmp.S
+@@ -21,14 +21,18 @@
+ 
+        .text
+ ENTRY (memcmp)
+-       test    %rdx, %rdx
+#ifdef __ILP32__
+       /* Clear the upper 32 bits.  */
+       movl    %edx, %edx
+#endif
+       test    %RDX_LP, %RDX_LP
+        jz      L(finz)
+        cmpq    $1, %rdx
+-       jle     L(finr1b)
+       jbe     L(finr1b)
+        subq    %rdi, %rsi
+        movq    %rdx, %r10
+        cmpq    $32, %r10
+-       jge     L(gt32)
+       jae     L(gt32)
+        /* Handle small chunks and last block of less than 32 bytes.  */
+ L(small):
+        testq   $1, %r10
+@@ -156,7 +160,7 @@ L(A32):
+        movq    %r11, %r10
+        andq    $-32, %r10
+        cmpq    %r10, %rdi
+-        jge    L(mt16)
+        jae    L(mt16)
+        /* Pre-unroll to be ready for unrolled 64B loop.  */
+        testq   $32, %rdi
+        jz      L(A64)
+@@ -178,7 +182,7 @@ L(A64):
+        movq    %r11, %r10
+        andq    $-64, %r10
+        cmpq    %r10, %rdi
+-        jge    L(mt32)
+        jae    L(mt32)
+ 
+ L(A64main):
+        movdqu    (%rdi,%rsi), %xmm0
+@@ -216,7 +220,7 @@ L(mt32):
+        movq    %r11, %r10
+        andq    $-32, %r10
+        cmpq    %r10, %rdi
+-        jge    L(mt16)
+        jae    L(mt16)
+ 
+ L(A32main):
+        movdqu    (%rdi,%rsi), %xmm0
+@@ -254,7 +258,7 @@ L(ATR):
+        movq    %r11, %r10
+        andq    $-32, %r10
+        cmpq    %r10, %rdi
+-        jge    L(mt16)
+        jae    L(mt16)
+        testq   $16, %rdi
+        jz      L(ATR32)
+ 
+@@ -325,7 +329,7 @@ L(ATR64main):
+        movq    %r11, %r10
+        andq    $-32, %r10
+        cmpq    %r10, %rdi
+-        jge    L(mt16)
+        jae    L(mt16)
+ 
+ L(ATR32res):
+        movdqa    (%rdi,%rsi), %xmm0
+diff --git a/sysdeps/x86_64/x32/Makefile b/sysdeps/x86_64/x32/Makefile
+index 1557724b0c..8748956563 100644
+--- a/sysdeps/x86_64/x32/Makefile
+++ b/sysdeps/x86_64/x32/Makefile
+@@ -8,7 +8,8 @@ endif
+ ifeq ($(subdir),string)
+ tests += tst-size_t-memchr tst-size_t-memcmp tst-size_t-memcpy \
+         tst-size_t-memrchr tst-size_t-memset tst-size_t-strncasecmp \
+-        tst-size_t-strncmp tst-size_t-strncpy tst-size_t-strnlen
+        tst-size_t-strncmp tst-size_t-strncpy tst-size_t-strnlen \
+        tst-size_t-memcmp-2
+ endif
+ 
+ ifeq ($(subdir),wcsmbs)
+diff --git a/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c b/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
+new file mode 100644
+index 0000000000..d8ae1a0813
+--- /dev/null
+++ b/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
+@@ -0,0 +1,79 @@
+/* Test memcmp with size_t in the lower 32 bits of 64-bit register.
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#define TEST_MAIN
+#ifdef WIDE
+# define TEST_NAME "wmemcmp"
+#else
+# define TEST_NAME "memcmp"
+#endif
+
+#include "test-size_t.h"
+
+#ifdef WIDE
+# include <inttypes.h>
+# include <wchar.h>
+
+# define MEMCMP wmemcmp
+# define CHAR wchar_t
+#else
+# define MEMCMP memcmp
+# define CHAR char
+#endif
+
+IMPL (MEMCMP, 1)
+
+typedef int (*proto_t) (const CHAR *, const CHAR *, size_t);
+
+static int
+__attribute__ ((noinline, noclone))
+do_memcmp (parameter_t a, parameter_t b)
+{
+  return CALL (&b, a.p, b.p, a.len);
+}
+
+static int
+test_main (void)
+{
+  test_init ();
+
+  parameter_t dest = { { page_size / sizeof (CHAR) }, buf1 };
+  parameter_t src = { { 0 }, buf2 };
+
+  memcpy (buf1, buf2, page_size);
+
+  CHAR *p = (CHAR *) buf1;
+  p[page_size / sizeof (CHAR) - 1] = (CHAR) 1;
+
+  int ret = 0;
+  FOR_EACH_IMPL (impl, 0)
+    {
+      src.fn = impl->fn;
+      int res = do_memcmp (dest, src);
+      if (res >= 0)
+       {
+         error (0, 0, "Wrong result in function %s: %i >= 0",
+                impl->name, res);
+         ret = 1;
+       }
+    }
+
+  return ret ? EXIT_FAILURE : EXIT_SUCCESS;
+}
+
+#include <support/test-driver.c>
+-- 
+2.17.1
diff --git a/meta/recipes-core/glibc/glibc_2.29.bb b/meta/recipes-core/glibc/glibc_2.29.bb
index 72db00cdb7..beddbffee2 100644
--- a/meta/recipes-core/glibc/glibc_2.29.bb
+++ b/meta/recipes-core/glibc/glibc_2.29.bb
@@ -56,6 +56,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0028-intl-Emit-no-lines-in-bison-generated-files.patch \
           file://0029-inject-file-assembly-directives.patch \
           file://0030-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
+           file://0001-x86-64-memcmp-Use-unsigned-Jcc-instructions-on-size-.patch \
 "
 S = "${WORKDIR}/git"

diff --git a/meta/recipes-core/glibc/glibc/0001-x86-64-memcmp-Use-unsigned-Jcc-instructions-on-size-.patch b/meta/recipes-core/glibc/glibc/0001-x86-64-memcmp-Use-unsigned-Jcc-instructions-on-size-.patch new file mode 100644 index 0000000000..1c625f63c7 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0001-x86-64-memcmp-Use-unsigned-Jcc-instructions-on-size-.patch
@@ -0,0 +1,223 @@
		1	From 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d Mon Sep 17 00:00:00 2001
		2	From: "H.J. Lu" <hjl.tools@gmail.com>
		3	Date: Mon, 4 Feb 2019 06:31:01 -0800
		4	Subject: [PATCH] x86-64 memcmp: Use unsigned Jcc instructions on size [BZ
		5	#24155]
		6
		7	Since the size argument is unsigned. we should use unsigned Jcc
		8	instructions, instead of signed, to check size.
		9
		10	Tested on x86-64 and x32, with and without --disable-multi-arch.
		11
		12	[BZ #24155]
		13	CVE-2019-7309
		14	* NEWS: Updated for CVE-2019-7309.
		15	* sysdeps/x86_64/memcmp.S: Use RDX_LP for size. Clear the
		16	upper 32 bits of RDX register for x32. Use unsigned Jcc
		17	instructions, instead of signed.
		18	* sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
		19	* sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
		20
		21	CVE: CVE-2019-7309
		22	Upstream-Status: Backport
		23	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
		24	---
		25	ChangeLog \| 11 ++++
		26	sysdeps/x86_64/memcmp.S \| 20 +++---
		27	sysdeps/x86_64/x32/Makefile \| 3 +-
		28	sysdeps/x86_64/x32/tst-size_t-memcmp-2.c \| 79 ++++++++++++++++++++++++
		29	5 files changed, 111 insertions(+), 10 deletions(-)
		30	create mode 100644 sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
		31
		32	diff --git a/ChangeLog b/ChangeLog
		33	index 29bc4451ef..a0dcdac323 100644
		34	--- a/ChangeLog
		35	+++ b/ChangeLog
		36	@@ -1,3 +1,14 @@
		37	+2019-02-04 H.J. Lu <hongjiu.lu@intel.com>
		38	+
		39	+ [BZ #24155]
		40	+ CVE-2019-7309
		41	+ * NEWS: Updated for CVE-2019-7309.
		42	+ * sysdeps/x86_64/memcmp.S: Use RDX_LP for size. Clear the
		43	+ upper 32 bits of RDX register for x32. Use unsigned Jcc
		44	+ instructions, instead of signed.
		45	+ * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
		46	+ * sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
		47	+
		48	2019-01-31 Carlos O'Donell <carlos@redhat.com>
		49	Torvald Riegel <triegel@redhat.com>
		50	Rik Prohaska <prohaska7@gmail.com>
		51	diff --git a/sysdeps/x86_64/memcmp.S b/sysdeps/x86_64/memcmp.S
		52	index 1fc487caa5..1322bb3b92 100644
		53	--- a/sysdeps/x86_64/memcmp.S
		54	+++ b/sysdeps/x86_64/memcmp.S
		55	@@ -21,14 +21,18 @@
		56
		57	.text
		58	ENTRY (memcmp)
		59	- test %rdx, %rdx
		60	+#ifdef __ILP32__
		61	+ /* Clear the upper 32 bits. */
		62	+ movl %edx, %edx
		63	+#endif
		64	+ test %RDX_LP, %RDX_LP
		65	jz L(finz)
		66	cmpq $1, %rdx
		67	- jle L(finr1b)
		68	+ jbe L(finr1b)
		69	subq %rdi, %rsi
		70	movq %rdx, %r10
		71	cmpq $32, %r10
		72	- jge L(gt32)
		73	+ jae L(gt32)
		74	/* Handle small chunks and last block of less than 32 bytes. */
		75	L(small):
		76	testq $1, %r10
		77	@@ -156,7 +160,7 @@ L(A32):
		78	movq %r11, %r10
		79	andq $-32, %r10
		80	cmpq %r10, %rdi
		81	- jge L(mt16)
		82	+ jae L(mt16)
		83	/* Pre-unroll to be ready for unrolled 64B loop. */
		84	testq $32, %rdi
		85	jz L(A64)
		86	@@ -178,7 +182,7 @@ L(A64):
		87	movq %r11, %r10
		88	andq $-64, %r10
		89	cmpq %r10, %rdi
		90	- jge L(mt32)
		91	+ jae L(mt32)
		92
		93	L(A64main):
		94	movdqu (%rdi,%rsi), %xmm0
		95	@@ -216,7 +220,7 @@ L(mt32):
		96	movq %r11, %r10
		97	andq $-32, %r10
		98	cmpq %r10, %rdi
		99	- jge L(mt16)
		100	+ jae L(mt16)
		101
		102	L(A32main):
		103	movdqu (%rdi,%rsi), %xmm0
		104	@@ -254,7 +258,7 @@ L(ATR):
		105	movq %r11, %r10
		106	andq $-32, %r10
		107	cmpq %r10, %rdi
		108	- jge L(mt16)
		109	+ jae L(mt16)
		110	testq $16, %rdi
		111	jz L(ATR32)
		112
		113	@@ -325,7 +329,7 @@ L(ATR64main):
		114	movq %r11, %r10
		115	andq $-32, %r10
		116	cmpq %r10, %rdi
		117	- jge L(mt16)
		118	+ jae L(mt16)
		119
		120	L(ATR32res):
		121	movdqa (%rdi,%rsi), %xmm0
		122	diff --git a/sysdeps/x86_64/x32/Makefile b/sysdeps/x86_64/x32/Makefile
		123	index 1557724b0c..8748956563 100644
		124	--- a/sysdeps/x86_64/x32/Makefile
		125	+++ b/sysdeps/x86_64/x32/Makefile
		126	@@ -8,7 +8,8 @@ endif
		127	ifeq ($(subdir),string)
		128	tests += tst-size_t-memchr tst-size_t-memcmp tst-size_t-memcpy \
		129	tst-size_t-memrchr tst-size_t-memset tst-size_t-strncasecmp \
		130	- tst-size_t-strncmp tst-size_t-strncpy tst-size_t-strnlen
		131	+ tst-size_t-strncmp tst-size_t-strncpy tst-size_t-strnlen \
		132	+ tst-size_t-memcmp-2
		133	endif
		134
		135	ifeq ($(subdir),wcsmbs)
		136	diff --git a/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c b/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
		137	new file mode 100644
		138	index 0000000000..d8ae1a0813
		139	--- /dev/null
		140	+++ b/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
		141	@@ -0,0 +1,79 @@
		142	+/* Test memcmp with size_t in the lower 32 bits of 64-bit register.
		143	+ Copyright (C) 2019 Free Software Foundation, Inc.
		144	+ This file is part of the GNU C Library.
		145	+
		146	+ The GNU C Library is free software; you can redistribute it and/or
		147	+ modify it under the terms of the GNU Lesser General Public
		148	+ License as published by the Free Software Foundation; either
		149	+ version 2.1 of the License, or (at your option) any later version.
		150	+
		151	+ The GNU C Library is distributed in the hope that it will be useful,
		152	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
		153	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		154	+ Lesser General Public License for more details.
		155	+
		156	+ You should have received a copy of the GNU Lesser General Public
		157	+ License along with the GNU C Library; if not, see
		158	+ <http://www.gnu.org/licenses/>. */
		159	+
		160	+#define TEST_MAIN
		161	+#ifdef WIDE
		162	+# define TEST_NAME "wmemcmp"
		163	+#else
		164	+# define TEST_NAME "memcmp"
		165	+#endif
		166	+
		167	+#include "test-size_t.h"
		168	+
		169	+#ifdef WIDE
		170	+# include <inttypes.h>
		171	+# include <wchar.h>
		172	+
		173	+# define MEMCMP wmemcmp
		174	+# define CHAR wchar_t
		175	+#else
		176	+# define MEMCMP memcmp
		177	+# define CHAR char
		178	+#endif
		179	+
		180	+IMPL (MEMCMP, 1)
		181	+
		182	+typedef int (proto_t) (const CHAR , const CHAR *, size_t);
		183	+
		184	+static int
		185	+__attribute__ ((noinline, noclone))
		186	+do_memcmp (parameter_t a, parameter_t b)
		187	+{
		188	+ return CALL (&b, a.p, b.p, a.len);
		189	+}
		190	+
		191	+static int
		192	+test_main (void)
		193	+{
		194	+ test_init ();
		195	+
		196	+ parameter_t dest = { { page_size / sizeof (CHAR) }, buf1 };
		197	+ parameter_t src = { { 0 }, buf2 };
		198	+
		199	+ memcpy (buf1, buf2, page_size);
		200	+
		201	+ CHAR p = (CHAR ) buf1;
		202	+ p[page_size / sizeof (CHAR) - 1] = (CHAR) 1;
		203	+
		204	+ int ret = 0;
		205	+ FOR_EACH_IMPL (impl, 0)
		206	+ {
		207	+ src.fn = impl->fn;
		208	+ int res = do_memcmp (dest, src);
		209	+ if (res >= 0)
		210	+ {
		211	+ error (0, 0, "Wrong result in function %s: %i >= 0",
		212	+ impl->name, res);
		213	+ ret = 1;
		214	+ }
		215	+ }
		216	+
		217	+ return ret ? EXIT_FAILURE : EXIT_SUCCESS;
		218	+}
		219	+
		220	+#include <support/test-driver.c>
		221	--
		222	2.17.1
		223


diff --git a/meta/recipes-core/glibc/glibc_2.29.bb b/meta/recipes-core/glibc/glibc_2.29.bb index 72db00cdb7..beddbffee2 100644 --- a/meta/recipes-core/glibc/glibc_2.29.bb +++ b/meta/recipes-core/glibc/glibc_2.29.bb
@@ -56,6 +56,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
56	file://0028-intl-Emit-no-lines-in-bison-generated-files.patch \	56	file://0028-intl-Emit-no-lines-in-bison-generated-files.patch \
57	file://0029-inject-file-assembly-directives.patch \	57	file://0029-inject-file-assembly-directives.patch \
58	file://0030-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \	58	file://0030-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
		59	file://0001-x86-64-memcmp-Use-unsigned-Jcc-instructions-on-size-.patch \
59	"	60	"
60		61
61	S = "${WORKDIR}/git"	62	S = "${WORKDIR}/git"