author | Andreas Schwab <schwab@suse.de> | 2018-05-22 10:37:59 +0200 |
---|---|---|
committer | Andreas Schwab <schwab@suse.de> | 2018-05-23 09:50:57 +0200 |
commit | 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e (patch) | |
tree | 8ce316f806948a2b6f3c29335d39e861dc91df84 | |
parent | 8f145c77123a565b816f918969e0e35ee5b89153 (diff) | |
Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196)
When compiled as mempcpy, the return value is the end of the destination
buffer, thus it cannot be used to refer to the start of it.
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | string/test-mempcpy.c | 1 | ||||
-rw-r--r-- | sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 |
3 files changed, 13 insertions, 2 deletions
@@ -1,3 +1,12 @@
+2018-05-23 Andreas Schwab <schwab@suse.de>
+
+ [BZ #23196]
+ CVE-2018-11237
+ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+ (L(preloop_large)): Save initial destination pointer in %r11 and
+ use it instead of %rax after the loop.
+ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
 2018-05-22 Joseph Myers <joseph@codesourcery.com>
 * sysdeps/aarch64/Implies: Remove aarch64/soft-fp.
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
index c08fba8..d98ecdd 100644
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
 <http://www.gnu.org/licenses/>. */
 #define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
 #define TEST_MAIN
 #define TEST_NAME "mempcpy"
 #include "test-string.h"
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
index 23c0f7a..effc3ac 100644
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -336,6 +336,7 @@ L(preloop_large):
 vmovups (%rsi), %zmm4
 vmovups 0x40(%rsi), %zmm5
+ mov %rdi, %r11
 /* Align destination for access with non-temporal stores in the loop. */
 mov %rdi, %r8
 and $-0x80, %rdi
@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
 cmp $256, %rdx
 ja L(gobble_256bytes_nt_loop)
 sfence
- vmovups %zmm4, (%rax)
- vmovups %zmm5, 0x40(%rax)
+ vmovups %zmm4, (%r11)
+ vmovups %zmm5, 0x40(%r11)
 jmp L(check)
 L(preloop_large_bkw): |
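Review bot: `#define MIN_PAGE_SIZE 131072` is added without a comment, so nothing in the test file ties the value to the overflow being fixed. I would put `/* Buffers must be large enough to reach the non-temporal copy path (BZ #23196). */` above it. The link between this size and L(preloop_large) is inferred from the commit message, and test-string.h, which consumes the macro, is outside the hunk. If the size at which that path is taken varies with the machine, a fixed constant may not exercise the fixed code on every host, which is worth confirming.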
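Review bot: The added `mov %rdi, %r11` carries no comment, and nothing visible in this hunk shows that %r11 stays untouched until the tail stores after the loop. I would annotate the line with `/* Save original destination; %rax is dst + len when built as mempcpy. */`, because the saved copy matters only in that build. The body of L(gobble_256bytes_nt_loop) lies between this hunk and the next, so it should be checked that it does not use %r11 as scratch. %r11 is caller-saved in the SysV ABI, so no save and restore is needed.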
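Review bot: The two stores after `sfence` were the out-of-bounds write, and any other store in this file that treats %rax as the start of the destination would overflow the same way when built as mempcpy. L(preloop_large_bkw) starts on the last line of this hunk and its body is not visible, so that path and the other size classes deserve the same audit. A comment near the entry point such as `/* %rax is the return value, not the destination base; never store through it. */` would keep the mistake from being reintroduced.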