aboutsummaryrefslogtreecommitdiff
path: root/NEWS
diff options
context:
space:
mode:
authorH.J. Lu <hjl.tools@gmail.com>2019-01-21 11:23:59 -0800
committerH.J. Lu <hjl.tools@gmail.com>2019-01-21 11:24:13 -0800
commit97700a34f36721b11a754cf37a1cc40695ece1fd (patch)
tree026802789792449adc9de3532ee8b10685086401 /NEWS
parent6ca53a2453598804a2559a548a08424fca96434a (diff)
downloadglibc-97700a34f36721b11a754cf37a1cc40695ece1fd.zip
glibc-97700a34f36721b11a754cf37a1cc40695ece1fd.tar.gz
glibc-97700a34f36721b11a754cf37a1cc40695ece1fd.tar.bz2
x86-64 memchr/wmemchr: Properly handle the length parameter [BZ# 24097]
On x32, the size_t parameter may be passed in the lower 32 bits of a 64-bit register with the non-zero upper 32 bits. The string/memory functions written in assembly can only use the lower 32 bits of a 64-bit register as length or must clear the upper 32 bits before using the full 64-bit register for length. This pach fixes memchr/wmemchr for x32. Tested on x86-64 and x32. On x86-64, libc.so is the same with and withou the fix. [BZ# 24097] CVE-2019-6488 * sysdeps/x86_64/memchr.S: Use RDX_LP for length. Clear the upper 32 bits of RDX register. * sysdeps/x86_64/multiarch/memchr-avx2.S: Likewise. * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memchr and tst-size_t-wmemchr. * sysdeps/x86_64/x32/test-size_t.h: New file. * sysdeps/x86_64/x32/tst-size_t-memchr.c: Likewise. * sysdeps/x86_64/x32/tst-size_t-wmemchr.c: Likewise.
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS6
1 files changed, 6 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index cc20102..7b3af11 100644
--- a/NEWS
+++ b/NEWS
@@ -101,6 +101,12 @@ Security related changes:
denial of service due to resource exhaustion when processing getaddrinfo
calls with crafted host names. Reported by Guido Vranken.
+ CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
+ 32 bits of a 64-bit register with with non-zero upper 32 bit. When it
+ happened, accessing the 32-bit size_t value as the full 64-bit register
+ in the assembly string/memory functions would cause a buffer overflow.
+ Reported by H.J. Lu.
+
The following bugs are resolved with this release:
[The release manager will add the list generated by