mirror of
https://sourceware.org/git/glibc.git
synced 2025-01-05 09:01:07 +00:00
Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196)
When compiled as mempcpy, the return value is the end of the destination buffer, thus it cannot be used to refer to the start of it.
This commit is contained in:
parent
8f145c7712
commit
9aaaab7c6e
@ -1,3 +1,12 @@
|
|||||||
|
2018-05-23 Andreas Schwab <schwab@suse.de>
|
||||||
|
|
||||||
|
[BZ #23196]
|
||||||
|
CVE-2018-11237
|
||||||
|
* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
|
||||||
|
(L(preloop_large)): Save initial destination pointer in %r11 and
|
||||||
|
use it instead of %rax after the loop.
|
||||||
|
* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
|
||||||
|
|
||||||
2018-05-22 Joseph Myers <joseph@codesourcery.com>
|
2018-05-22 Joseph Myers <joseph@codesourcery.com>
|
||||||
|
|
||||||
* sysdeps/aarch64/Implies: Remove aarch64/soft-fp.
|
* sysdeps/aarch64/Implies: Remove aarch64/soft-fp.
|
||||||
|
@ -18,6 +18,7 @@
|
|||||||
<http://www.gnu.org/licenses/>. */
|
<http://www.gnu.org/licenses/>. */
|
||||||
|
|
||||||
#define MEMCPY_RESULT(dst, len) (dst) + (len)
|
#define MEMCPY_RESULT(dst, len) (dst) + (len)
|
||||||
|
#define MIN_PAGE_SIZE 131072
|
||||||
#define TEST_MAIN
|
#define TEST_MAIN
|
||||||
#define TEST_NAME "mempcpy"
|
#define TEST_NAME "mempcpy"
|
||||||
#include "test-string.h"
|
#include "test-string.h"
|
||||||
|
@ -336,6 +336,7 @@ L(preloop_large):
|
|||||||
vmovups (%rsi), %zmm4
|
vmovups (%rsi), %zmm4
|
||||||
vmovups 0x40(%rsi), %zmm5
|
vmovups 0x40(%rsi), %zmm5
|
||||||
|
|
||||||
|
mov %rdi, %r11
|
||||||
/* Align destination for access with non-temporal stores in the loop. */
|
/* Align destination for access with non-temporal stores in the loop. */
|
||||||
mov %rdi, %r8
|
mov %rdi, %r8
|
||||||
and $-0x80, %rdi
|
and $-0x80, %rdi
|
||||||
@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
|
|||||||
cmp $256, %rdx
|
cmp $256, %rdx
|
||||||
ja L(gobble_256bytes_nt_loop)
|
ja L(gobble_256bytes_nt_loop)
|
||||||
sfence
|
sfence
|
||||||
vmovups %zmm4, (%rax)
|
vmovups %zmm4, (%r11)
|
||||||
vmovups %zmm5, 0x40(%rax)
|
vmovups %zmm5, 0x40(%r11)
|
||||||
jmp L(check)
|
jmp L(check)
|
||||||
|
|
||||||
L(preloop_large_bkw):
|
L(preloop_large_bkw):
|
||||||
|
Loading…
Reference in New Issue
Block a user