diff options
Diffstat (limited to 'meta/recipes-core/glibc/glibc')
7 files changed, 632 insertions, 3 deletions
diff --git a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch index 3aad603ada..5cd235f6ac 100644 --- a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch +++ b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch @@ -65,6 +65,35 @@ index 7c1cc3eecb..53cb8bfc59 100644 /* Load the locale data for CATEGORY from the file specified by *NAME. If *NAME is "", use environment variables as specified by POSIX, and --- -2.22.0 - +Index: git/locale/programs/locale.c +=================================================================== +--- git.orig/locale/programs/locale.c ++++ git/locale/programs/locale.c +@@ -632,6 +632,7 @@ nameentcmp (const void *a, const void *b + ((const struct nameent *) b)->name); + } + ++static char _write_archive_locales_path[4096] attribute_hidden __attribute__ ((section (".gccrelocprefix"))) = ARCHIVE_NAME; + + static int + write_archive_locales (void **all_datap, char *linebuf) +@@ -645,7 +646,7 @@ write_archive_locales (void **all_datap, + int fd, ret = 0; + uint32_t cnt; + +- fd = open64 (ARCHIVE_NAME, O_RDONLY); ++ fd = open64 (_write_archive_locales_path, O_RDONLY); + if (fd < 0) + return 0; + +@@ -700,8 +701,8 @@ write_archive_locales (void **all_datap, + if (cnt) + putchar_unlocked ('\n'); + +- printf ("locale: %-15.15s archive: " ARCHIVE_NAME "\n%s\n", +- names[cnt].name, linebuf); ++ printf ("locale: %-15.15s archive: %s\n%s\n", ++ names[cnt].name, _write_archive_locales_path, linebuf); + + locrec = (struct locrecent *) (addr + names[cnt].locrec_offset); + diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-19126.patch b/meta/recipes-core/glibc/glibc/CVE-2019-19126.patch new file mode 100644 index 0000000000..aead04c485 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2019-19126.patch @@ -0,0 +1,32 @@ +From 37c90e117310728a4ad1eb998c0bbe7d79c4a398 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Marcin=20Ko=C5=9Bcielnicki?= <mwk@0x04.net> +Date: Thu, 21 Nov 2019 00:20:15 +0100 +Subject: [PATCH] rtld: Check __libc_enable_secure before honoring + LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204] + +The problem was introduced in glibc 2.23, in commit +b9eb92ab05204df772eb4929eccd018637c9f3e9 +("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT"). + +(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e) + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=37c90e117310728a4ad1eb998c0bbe7d79c4a398] +CVE: CVE-2019-19126 +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +--- +diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +index 975cbe2..df2cdfd 100644 +--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h ++++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +@@ -31,7 +31,8 @@ + environment variable, LD_PREFER_MAP_32BIT_EXEC. */ + #define EXTRA_LD_ENVVARS \ + case 21: \ +- if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ ++ if (!__libc_enable_secure \ ++ && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ + GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ + |= bit_arch_Prefer_MAP_32BIT_EXEC; \ + break; +-- +2.9.3 diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch new file mode 100644 index 0000000000..606b691bcf --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch @@ -0,0 +1,128 @@ +From ce265ec5bc25ec35fba53807abac1b0c8469895e Mon Sep 17 00:00:00 2001 +From: Joseph Myers <joseph@codesourcery.com> +Date: Wed, 12 Feb 2020 23:31:56 +0000 +Subject: [PATCH] Avoid ldbl-96 stack corruption from range reduction of + + pseudo-zero (bug 25487). + +Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero +argument (an representation where all the significand bits, including +the explicit high bit, are zero, but the exponent is not zero, which +is not a valid representation for the long double type). + +Although this is not a valid long double representation, existing +practice in this area (see bug 4586, originally marked invalid but +subsequently fixed) is that we still seek to avoid invalid memory +accesses as a result, in case of programs that treat arbitrary binary +data as long double representations, although the invalid +representations of the ldbl-96 format do not need to be consistently +handled the same as any particular valid representation. + +This patch makes the range reduction detect pseudo-zero and unnormal +representations that would otherwise go to __kernel_rem_pio2, and +returns a NaN for them instead of continuing with the range reduction +process. (Pseudo-zero and unnormal representations whose unbiased +exponent is less than -1 have already been safely returned from the +function before this point without going through the rest of range +reduction.) Pseudo-zero representations would previously result in +the value passed to __kernel_rem_pio2 being all-zero, which is +definitely unsafe; unnormal representations would previously result in +a value passed whose high bit is zero, which might well be unsafe +since that is not a form of input expected by __kernel_rem_pio2. + +Tested for x86_64. + +CVE: CVE-2020-10029 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git; +a=patch;h=9333498794cde1d5cca518badf79533a24114b6f] +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> + +--- + sysdeps/ieee754/ldbl-96/Makefile | 3 ++- + sysdeps/ieee754/ldbl-96/e_rem_pio2l.c | 12 +++++++++ + sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c | 41 ++++++++++++++++++++++++++++++ + 3 files changed, 55 insertions(+), 1 deletion(-) + create mode 100644 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c + +diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile +index b103254..052c1c7 100644 +--- a/sysdeps/ieee754/ldbl-96/Makefile ++++ b/sysdeps/ieee754/ldbl-96/Makefile +@@ -17,5 +17,6 @@ + # <http://www.gnu.org/licenses/>. + + ifeq ($(subdir),math) +-tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 ++tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo ++CFLAGS-test-sinl-pseudo.c += -fstack-protector-all + endif +diff --git a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c +index 805de22..1aeccb4 100644 +--- a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c ++++ b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c +@@ -210,6 +210,18 @@ __ieee754_rem_pio2l (long double x, long double *y) + return 0; + } + ++ if ((i0 & 0x80000000) == 0) ++ { ++ /* Pseudo-zero and unnormal representations are not valid ++ representations of long double. We need to avoid stack ++ corruption in __kernel_rem_pio2, which expects input in a ++ particular normal form, but those representations do not need ++ to be consistently handled like any particular floating-point ++ value. */ ++ y[1] = y[0] = __builtin_nanl (""); ++ return 0; ++ } ++ + /* Split the 64 bits of the mantissa into three 24-bit integers + stored in a double array. */ + exp = j0 - 23; +diff --git a/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c +new file mode 100644 +index 0000000..f59b977 +--- /dev/null ++++ b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c +@@ -0,0 +1,41 @@ ++/* Test sinl for pseudo-zeros and unnormals for ldbl-96 (bug 25487). ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <math.h> ++#include <math_ldbl.h> ++#include <stdint.h> ++ ++static int ++do_test (void) ++{ ++ for (int i = 0; i < 64; i++) ++ { ++ uint64_t sig = i == 63 ? 0 : 1ULL << i; ++ long double ld; ++ SET_LDOUBLE_WORDS (ld, 0x4141, ++ sig >> 32, sig & 0xffffffffULL); ++ /* The requirement is that no stack overflow occurs when the ++ pseudo-zero or unnormal goes through range reduction. */ ++ volatile long double ldr; ++ ldr = sinl (ld); ++ (void) ldr; ++ } ++ return 0; ++} ++ ++#include <support/test-driver.c> diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch b/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch new file mode 100644 index 0000000000..0ed92d50e9 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-1751.patch @@ -0,0 +1,70 @@ +From d93769405996dfc11d216ddbe415946617b5a494 Mon Sep 17 00:00:00 2001 +From: Andreas Schwab <schwab@suse.de> +Date: Mon, 20 Jan 2020 17:01:50 +0100 +Subject: [PATCH] Fix array overflow in backtrace on PowerPC (bug 25423) + +When unwinding through a signal frame the backtrace function on PowerPC +didn't check array bounds when storing the frame address. Fixes commit +d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines"). + +CVE: CVE-2020-1751 +Upstream-Status: Backport [git://sourceware.org/git/glibc.git] +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + debug/tst-backtrace5.c | 12 ++++++++++++ + sysdeps/powerpc/powerpc32/backtrace.c | 2 ++ + sysdeps/powerpc/powerpc64/backtrace.c | 2 ++ + 3 files changed, 16 insertions(+) + +diff --git a/debug/tst-backtrace5.c b/debug/tst-backtrace5.c +index e7ce410845..b2f46160e7 100644 +--- a/debug/tst-backtrace5.c ++++ b/debug/tst-backtrace5.c +@@ -89,6 +89,18 @@ handle_signal (int signum) + } + /* Symbol names are not available for static functions, so we do not + check do_test. */ ++ ++ /* Check that backtrace does not return more than what fits in the array ++ (bug 25423). */ ++ for (int j = 0; j < NUM_FUNCTIONS; j++) ++ { ++ n = backtrace (addresses, j); ++ if (n > j) ++ { ++ FAIL (); ++ return; ++ } ++ } + } + + NO_INLINE int +diff --git a/sysdeps/powerpc/powerpc32/backtrace.c b/sysdeps/powerpc/powerpc32/backtrace.c +index 7c2d4726f8..d1456c8ae4 100644 +--- a/sysdeps/powerpc/powerpc32/backtrace.c ++++ b/sysdeps/powerpc/powerpc32/backtrace.c +@@ -114,6 +114,8 @@ __backtrace (void **array, int size) + } + if (gregset) + { ++ if (count + 1 == size) ++ break; + array[++count] = (void*)((*gregset)[PT_NIP]); + current = (void*)((*gregset)[PT_R1]); + } +diff --git a/sysdeps/powerpc/powerpc64/backtrace.c b/sysdeps/powerpc/powerpc64/backtrace.c +index 65c260ab76..8a53a1088f 100644 +--- a/sysdeps/powerpc/powerpc64/backtrace.c ++++ b/sysdeps/powerpc/powerpc64/backtrace.c +@@ -87,6 +87,8 @@ __backtrace (void **array, int size) + if (is_sigtramp_address (current->return_address)) + { + struct signal_frame_64 *sigframe = (struct signal_frame_64*) current; ++ if (count + 1 == size) ++ break; + array[++count] = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_NIP]; + current = (void*) sigframe->uc.uc_mcontext.gp_regs[PT_R1]; + } +-- +2.23.0 + diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch new file mode 100644 index 0000000000..6c347cd414 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-1752.patch @@ -0,0 +1,66 @@ +From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001 +From: Andreas Schwab <schwab@suse.de> +Date: Wed, 19 Feb 2020 17:21:46 +0100 +Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414) + +The value of `end_name' points into the value of `dirname', thus don't +deallocate the latter before the last use of the former. + +CVE: CVE-2020-1752 +Upstream-Status: Backport [git://sourceware.org/git/glibc.git] +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + posix/glob.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/posix/glob.c b/posix/glob.c +index cba9cd1819..4580cefb9f 100644 +--- a/posix/glob.c ++++ b/posix/glob.c +@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int), + { + size_t home_len = strlen (p->pw_dir); + size_t rest_len = end_name == NULL ? 0 : strlen (end_name); +- char *d; ++ char *d, *newp; ++ bool use_alloca = glob_use_alloca (alloca_used, ++ home_len + rest_len + 1); + +- if (__glibc_unlikely (malloc_dirname)) +- free (dirname); +- malloc_dirname = 0; +- +- if (glob_use_alloca (alloca_used, home_len + rest_len + 1)) +- dirname = alloca_account (home_len + rest_len + 1, +- alloca_used); ++ if (use_alloca) ++ newp = alloca_account (home_len + rest_len + 1, alloca_used); + else + { +- dirname = malloc (home_len + rest_len + 1); +- if (dirname == NULL) ++ newp = malloc (home_len + rest_len + 1); ++ if (newp == NULL) + { + scratch_buffer_free (&pwtmpbuf); + retval = GLOB_NOSPACE; + goto out; + } +- malloc_dirname = 1; + } +- d = mempcpy (dirname, p->pw_dir, home_len); ++ d = mempcpy (newp, p->pw_dir, home_len); + if (end_name != NULL) + d = mempcpy (d, end_name, rest_len); + *d = '\0'; + ++ if (__glibc_unlikely (malloc_dirname)) ++ free (dirname); ++ dirname = newp; ++ malloc_dirname = !use_alloca; ++ + dirlen = home_len + rest_len; + dirname_modified = 1; + } +-- +2.18.2 diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch new file mode 100644 index 0000000000..01c0328362 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096-1.patch @@ -0,0 +1,193 @@ +From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001 +From: Evgeny Eremin <e.eremin@omprussia.ru> +Date: Wed, 8 Jul 2020 14:18:19 +0200 +Subject: [PATCH 1/2] arm: CVE-2020-6096: fix memcpy and memmove for negative + length [BZ #25620] + +Unsigned branch instructions could be used for r2 to fix the wrong +behavior when a negative length is passed to memcpy and memmove. +This commit fixes the generic arm implementation of memcpy amd memmove. + +CVE: CVE-2020-6096 +Upstream-Status: Backport [git://sourceware.org/git/glibc.git] +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + sysdeps/arm/memcpy.S | 24 ++++++++++-------------- + sysdeps/arm/memmove.S | 24 ++++++++++-------------- + 2 files changed, 20 insertions(+), 28 deletions(-) + +diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S +index 510e8adaf2..bcfbc51d99 100644 +--- a/sysdeps/arm/memcpy.S ++++ b/sysdeps/arm/memcpy.S +@@ -68,7 +68,7 @@ ENTRY(memcpy) + cfi_remember_state + + subs r2, r2, #4 +- blt 8f ++ blo 8f + ands ip, r0, #3 + PLD( pld [r1, #0] ) + bne 9f +@@ -82,7 +82,7 @@ ENTRY(memcpy) + cfi_rel_offset (r6, 4) + cfi_rel_offset (r7, 8) + cfi_rel_offset (r8, 12) +- blt 5f ++ blo 5f + + CALGN( ands ip, r1, #31 ) + CALGN( rsb r3, ip, #32 ) +@@ -98,9 +98,9 @@ ENTRY(memcpy) + #endif + + PLD( pld [r1, #0] ) +-2: PLD( subs r2, r2, #96 ) ++2: PLD( cmp r2, #96 ) + PLD( pld [r1, #28] ) +- PLD( blt 4f ) ++ PLD( blo 4f ) + PLD( pld [r1, #60] ) + PLD( pld [r1, #92] ) + +@@ -108,9 +108,7 @@ ENTRY(memcpy) + 4: ldmia r1!, {r3, r4, r5, r6, r7, r8, ip, lr} + subs r2, r2, #32 + stmia r0!, {r3, r4, r5, r6, r7, r8, ip, lr} +- bge 3b +- PLD( cmn r2, #96 ) +- PLD( bge 4b ) ++ bhs 3b + + 5: ands ip, r2, #28 + rsb ip, ip, #32 +@@ -222,7 +220,7 @@ ENTRY(memcpy) + strbge r4, [r0], #1 + subs r2, r2, ip + strb lr, [r0], #1 +- blt 8b ++ blo 8b + ands ip, r1, #3 + beq 1b + +@@ -236,7 +234,7 @@ ENTRY(memcpy) + .macro forward_copy_shift pull push + + subs r2, r2, #28 +- blt 14f ++ blo 14f + + CALGN( ands ip, r1, #31 ) + CALGN( rsb ip, ip, #32 ) +@@ -253,9 +251,9 @@ ENTRY(memcpy) + cfi_rel_offset (r10, 16) + + PLD( pld [r1, #0] ) +- PLD( subs r2, r2, #96 ) ++ PLD( cmp r2, #96 ) + PLD( pld [r1, #28] ) +- PLD( blt 13f ) ++ PLD( blo 13f ) + PLD( pld [r1, #60] ) + PLD( pld [r1, #92] ) + +@@ -280,9 +278,7 @@ ENTRY(memcpy) + mov ip, ip, PULL #\pull + orr ip, ip, lr, PUSH #\push + stmia r0!, {r3, r4, r5, r6, r7, r8, r10, ip} +- bge 12b +- PLD( cmn r2, #96 ) +- PLD( bge 13b ) ++ bhs 12b + + pop {r5 - r8, r10} + cfi_adjust_cfa_offset (-20) +diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S +index 954037ef3a..0d07b76ee6 100644 +--- a/sysdeps/arm/memmove.S ++++ b/sysdeps/arm/memmove.S +@@ -85,7 +85,7 @@ ENTRY(memmove) + add r1, r1, r2 + add r0, r0, r2 + subs r2, r2, #4 +- blt 8f ++ blo 8f + ands ip, r0, #3 + PLD( pld [r1, #-4] ) + bne 9f +@@ -99,7 +99,7 @@ ENTRY(memmove) + cfi_rel_offset (r6, 4) + cfi_rel_offset (r7, 8) + cfi_rel_offset (r8, 12) +- blt 5f ++ blo 5f + + CALGN( ands ip, r1, #31 ) + CALGN( sbcsne r4, ip, r2 ) @ C is always set here +@@ -114,9 +114,9 @@ ENTRY(memmove) + #endif + + PLD( pld [r1, #-4] ) +-2: PLD( subs r2, r2, #96 ) ++2: PLD( cmp r2, #96 ) + PLD( pld [r1, #-32] ) +- PLD( blt 4f ) ++ PLD( blo 4f ) + PLD( pld [r1, #-64] ) + PLD( pld [r1, #-96] ) + +@@ -124,9 +124,7 @@ ENTRY(memmove) + 4: ldmdb r1!, {r3, r4, r5, r6, r7, r8, ip, lr} + subs r2, r2, #32 + stmdb r0!, {r3, r4, r5, r6, r7, r8, ip, lr} +- bge 3b +- PLD( cmn r2, #96 ) +- PLD( bge 4b ) ++ bhs 3b + + 5: ands ip, r2, #28 + rsb ip, ip, #32 +@@ -237,7 +235,7 @@ ENTRY(memmove) + strbge r4, [r0, #-1]! + subs r2, r2, ip + strb lr, [r0, #-1]! +- blt 8b ++ blo 8b + ands ip, r1, #3 + beq 1b + +@@ -251,7 +249,7 @@ ENTRY(memmove) + .macro backward_copy_shift push pull + + subs r2, r2, #28 +- blt 14f ++ blo 14f + + CALGN( ands ip, r1, #31 ) + CALGN( rsb ip, ip, #32 ) +@@ -268,9 +266,9 @@ ENTRY(memmove) + cfi_rel_offset (r10, 16) + + PLD( pld [r1, #-4] ) +- PLD( subs r2, r2, #96 ) ++ PLD( cmp r2, #96 ) + PLD( pld [r1, #-32] ) +- PLD( blt 13f ) ++ PLD( blo 13f ) + PLD( pld [r1, #-64] ) + PLD( pld [r1, #-96] ) + +@@ -295,9 +293,7 @@ ENTRY(memmove) + mov r4, r4, PUSH #\push + orr r4, r4, r3, PULL #\pull + stmdb r0!, {r4 - r8, r10, ip, lr} +- bge 12b +- PLD( cmn r2, #96 ) +- PLD( bge 13b ) ++ bhs 12b + + pop {r5 - r8, r10} + cfi_adjust_cfa_offset (-20) +-- +2.17.0 + diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch new file mode 100644 index 0000000000..bfb2d7e7f5 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096-2.patch @@ -0,0 +1,111 @@ +From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001 +From: Alexander Anisimov <a.anisimov@omprussia.ru> +Date: Wed, 8 Jul 2020 14:18:31 +0200 +Subject: [PATCH 2/2] arm: CVE-2020-6096: Fix multiarch memcpy for negative + length [BZ #25620] + +Unsigned branch instructions could be used for r2 to fix the wrong +behavior when a negative length is passed to memcpy. +This commit fixes the armv7 version. + +CVE: CVE-2020-6096 +Upstream-Status: Backport [git://sourceware.org/git/glibc.git] +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + sysdeps/arm/armv7/multiarch/memcpy_impl.S | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S +index bf4ac7077f..379bb56fc9 100644 +--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S ++++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S +@@ -268,7 +268,7 @@ ENTRY(memcpy) + + mov dst, dstin /* Preserve dstin, we need to return it. */ + cmp count, #64 +- bge .Lcpy_not_short ++ bhs .Lcpy_not_short + /* Deal with small copies quickly by dropping straight into the + exit block. */ + +@@ -351,10 +351,10 @@ ENTRY(memcpy) + + 1: + subs tmp2, count, #64 /* Use tmp2 for count. */ +- blt .Ltail63aligned ++ blo .Ltail63aligned + + cmp tmp2, #512 +- bge .Lcpy_body_long ++ bhs .Lcpy_body_long + + .Lcpy_body_medium: /* Count in tmp2. */ + #ifdef USE_VFP +@@ -378,7 +378,7 @@ ENTRY(memcpy) + add src, src, #64 + vstr d1, [dst, #56] + add dst, dst, #64 +- bge 1b ++ bhs 1b + tst tmp2, #0x3f + beq .Ldone + +@@ -412,7 +412,7 @@ ENTRY(memcpy) + ldrd A_l, A_h, [src, #64]! + strd A_l, A_h, [dst, #64]! + subs tmp2, tmp2, #64 +- bge 1b ++ bhs 1b + tst tmp2, #0x3f + bne 1f + ldr tmp2,[sp], #FRAME_SIZE +@@ -482,7 +482,7 @@ ENTRY(memcpy) + add src, src, #32 + + subs tmp2, tmp2, #prefetch_lines * 64 * 2 +- blt 2f ++ blo 2f + 1: + cpy_line_vfp d3, 0 + cpy_line_vfp d4, 64 +@@ -494,7 +494,7 @@ ENTRY(memcpy) + add dst, dst, #2 * 64 + add src, src, #2 * 64 + subs tmp2, tmp2, #prefetch_lines * 64 +- bge 1b ++ bhs 1b + + 2: + cpy_tail_vfp d3, 0 +@@ -615,8 +615,8 @@ ENTRY(memcpy) + 1: + pld [src, #(3 * 64)] + subs count, count, #64 +- ldrmi tmp2, [sp], #FRAME_SIZE +- bmi .Ltail63unaligned ++ ldrlo tmp2, [sp], #FRAME_SIZE ++ blo .Ltail63unaligned + pld [src, #(4 * 64)] + + #ifdef USE_NEON +@@ -633,7 +633,7 @@ ENTRY(memcpy) + neon_load_multi d0-d3, src + neon_load_multi d4-d7, src + subs count, count, #64 +- bmi 2f ++ blo 2f + 1: + pld [src, #(4 * 64)] + neon_store_multi d0-d3, dst +@@ -641,7 +641,7 @@ ENTRY(memcpy) + neon_store_multi d4-d7, dst + neon_load_multi d4-d7, src + subs count, count, #64 +- bpl 1b ++ bhs 1b + 2: + neon_store_multi d0-d3, dst + neon_store_multi d4-d7, dst +-- +2.17.0 + |