Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Merge branch 'jb49988' into 'master'
[glibc] Fix CVE-2020-6096. JB#49988

See merge request mer-core/glibc!39
  • Loading branch information
Matti Kosola committed Aug 3, 2020
2 parents c3be701 + 1ac9b1c commit e7b403c
Show file tree
Hide file tree
Showing 4 changed files with 304 additions and 1 deletion.
189 changes: 189 additions & 0 deletions 0002-arm-CVE-2020-6096-fix-memcpy-and-memmove-for-negativ.patch
@@ -0,0 +1,189 @@
From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001
From: Evgeny Eremin <e.eremin@omprussia.ru>
Date: Wed, 8 Jul 2020 14:18:19 +0200
Subject: [PATCH] arm: CVE-2020-6096: fix memcpy and memmove for negative
length [BZ #25620]

Unsigned branch instructions could be used for r2 to fix the wrong
behavior when a negative length is passed to memcpy and memmove.
This commit fixes the generic arm implementation of memcpy amd memmove.
---
sysdeps/arm/memcpy.S | 24 ++++++++++--------------
sysdeps/arm/memmove.S | 24 ++++++++++--------------
2 files changed, 20 insertions(+), 28 deletions(-)

diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S
index 510e8adaf2..bcfbc51d99 100644
--- a/sysdeps/arm/memcpy.S
+++ b/sysdeps/arm/memcpy.S
@@ -68,7 +68,7 @@ ENTRY(memcpy)
cfi_remember_state

subs r2, r2, #4
- blt 8f
+ blo 8f
ands ip, r0, #3
PLD( pld [r1, #0] )
bne 9f
@@ -82,7 +82,7 @@ ENTRY(memcpy)
cfi_rel_offset (r6, 4)
cfi_rel_offset (r7, 8)
cfi_rel_offset (r8, 12)
- blt 5f
+ blo 5f

CALGN( ands ip, r1, #31 )
CALGN( rsb r3, ip, #32 )
@@ -98,9 +98,9 @@ ENTRY(memcpy)
#endif

PLD( pld [r1, #0] )
-2: PLD( subs r2, r2, #96 )
+2: PLD( cmp r2, #96 )
PLD( pld [r1, #28] )
- PLD( blt 4f )
+ PLD( blo 4f )
PLD( pld [r1, #60] )
PLD( pld [r1, #92] )

@@ -108,9 +108,7 @@ ENTRY(memcpy)
4: ldmia r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
subs r2, r2, #32
stmia r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
- bge 3b
- PLD( cmn r2, #96 )
- PLD( bge 4b )
+ bhs 3b

5: ands ip, r2, #28
rsb ip, ip, #32
@@ -222,7 +220,7 @@ ENTRY(memcpy)
strbge r4, [r0], #1
subs r2, r2, ip
strb lr, [r0], #1
- blt 8b
+ blo 8b
ands ip, r1, #3
beq 1b

@@ -236,7 +234,7 @@ ENTRY(memcpy)
.macro forward_copy_shift pull push

subs r2, r2, #28
- blt 14f
+ blo 14f

CALGN( ands ip, r1, #31 )
CALGN( rsb ip, ip, #32 )
@@ -253,9 +251,9 @@ ENTRY(memcpy)
cfi_rel_offset (r10, 16)

PLD( pld [r1, #0] )
- PLD( subs r2, r2, #96 )
+ PLD( cmp r2, #96 )
PLD( pld [r1, #28] )
- PLD( blt 13f )
+ PLD( blo 13f )
PLD( pld [r1, #60] )
PLD( pld [r1, #92] )

@@ -280,9 +278,7 @@ ENTRY(memcpy)
mov ip, ip, PULL #\pull
orr ip, ip, lr, PUSH #\push
stmia r0!, {r3, r4, r5, r6, r7, r8, r10, ip}
- bge 12b
- PLD( cmn r2, #96 )
- PLD( bge 13b )
+ bhs 12b

pop {r5 - r8, r10}
cfi_adjust_cfa_offset (-20)
diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S
index 954037ef3a..0d07b76ee6 100644
--- a/sysdeps/arm/memmove.S
+++ b/sysdeps/arm/memmove.S
@@ -85,7 +85,7 @@ ENTRY(memmove)
add r1, r1, r2
add r0, r0, r2
subs r2, r2, #4
- blt 8f
+ blo 8f
ands ip, r0, #3
PLD( pld [r1, #-4] )
bne 9f
@@ -99,7 +99,7 @@ ENTRY(memmove)
cfi_rel_offset (r6, 4)
cfi_rel_offset (r7, 8)
cfi_rel_offset (r8, 12)
- blt 5f
+ blo 5f

CALGN( ands ip, r1, #31 )
CALGN( sbcsne r4, ip, r2 ) @ C is always set here
@@ -114,9 +114,9 @@ ENTRY(memmove)
#endif

PLD( pld [r1, #-4] )
-2: PLD( subs r2, r2, #96 )
+2: PLD( cmp r2, #96 )
PLD( pld [r1, #-32] )
- PLD( blt 4f )
+ PLD( blo 4f )
PLD( pld [r1, #-64] )
PLD( pld [r1, #-96] )

@@ -124,9 +124,7 @@ ENTRY(memmove)
4: ldmdb r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
subs r2, r2, #32
stmdb r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
- bge 3b
- PLD( cmn r2, #96 )
- PLD( bge 4b )
+ bhs 3b

5: ands ip, r2, #28
rsb ip, ip, #32
@@ -237,7 +235,7 @@ ENTRY(memmove)
strbge r4, [r0, #-1]!
subs r2, r2, ip
strb lr, [r0, #-1]!
- blt 8b
+ blo 8b
ands ip, r1, #3
beq 1b

@@ -251,7 +249,7 @@ ENTRY(memmove)
.macro backward_copy_shift push pull

subs r2, r2, #28
- blt 14f
+ blo 14f

CALGN( ands ip, r1, #31 )
CALGN( rsb ip, ip, #32 )
@@ -268,9 +266,9 @@ ENTRY(memmove)
cfi_rel_offset (r10, 16)

PLD( pld [r1, #-4] )
- PLD( subs r2, r2, #96 )
+ PLD( cmp r2, #96 )
PLD( pld [r1, #-32] )
- PLD( blt 13f )
+ PLD( blo 13f )
PLD( pld [r1, #-64] )
PLD( pld [r1, #-96] )

@@ -295,9 +293,7 @@ ENTRY(memmove)
mov r4, r4, PUSH #\push
orr r4, r4, r3, PULL #\pull
stmdb r0!, {r4 - r8, r10, ip, lr}
- bge 12b
- PLD( cmn r2, #96 )
- PLD( bge 13b )
+ bhs 12b

pop {r5 - r8, r10}
cfi_adjust_cfa_offset (-20)
--
2.17.1

107 changes: 107 additions & 0 deletions 0003-arm-CVE-2020-6096-Fix-multiarch-memcpy-for-negative-.patch
@@ -0,0 +1,107 @@
From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001
From: Alexander Anisimov <a.anisimov@omprussia.ru>
Date: Wed, 8 Jul 2020 14:18:31 +0200
Subject: [PATCH] arm: CVE-2020-6096: Fix multiarch memcpy for negative
length [BZ #25620]

Unsigned branch instructions could be used for r2 to fix the wrong
behavior when a negative length is passed to memcpy.
This commit fixes the armv7 version.
---
sysdeps/arm/armv7/multiarch/memcpy_impl.S | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
index bf4ac7077f..379bb56fc9 100644
--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
@@ -268,7 +268,7 @@ ENTRY(memcpy)

mov dst, dstin /* Preserve dstin, we need to return it. */
cmp count, #64
- bge .Lcpy_not_short
+ bhs .Lcpy_not_short
/* Deal with small copies quickly by dropping straight into the
exit block. */

@@ -351,10 +351,10 @@ ENTRY(memcpy)

1:
subs tmp2, count, #64 /* Use tmp2 for count. */
- blt .Ltail63aligned
+ blo .Ltail63aligned

cmp tmp2, #512
- bge .Lcpy_body_long
+ bhs .Lcpy_body_long

.Lcpy_body_medium: /* Count in tmp2. */
#ifdef USE_VFP
@@ -378,7 +378,7 @@ ENTRY(memcpy)
add src, src, #64
vstr d1, [dst, #56]
add dst, dst, #64
- bge 1b
+ bhs 1b
tst tmp2, #0x3f
beq .Ldone

@@ -412,7 +412,7 @@ ENTRY(memcpy)
ldrd A_l, A_h, [src, #64]!
strd A_l, A_h, [dst, #64]!
subs tmp2, tmp2, #64
- bge 1b
+ bhs 1b
tst tmp2, #0x3f
bne 1f
ldr tmp2,[sp], #FRAME_SIZE
@@ -482,7 +482,7 @@ ENTRY(memcpy)
add src, src, #32

subs tmp2, tmp2, #prefetch_lines * 64 * 2
- blt 2f
+ blo 2f
1:
cpy_line_vfp d3, 0
cpy_line_vfp d4, 64
@@ -494,7 +494,7 @@ ENTRY(memcpy)
add dst, dst, #2 * 64
add src, src, #2 * 64
subs tmp2, tmp2, #prefetch_lines * 64
- bge 1b
+ bhs 1b

2:
cpy_tail_vfp d3, 0
@@ -615,8 +615,8 @@ ENTRY(memcpy)
1:
pld [src, #(3 * 64)]
subs count, count, #64
- ldrmi tmp2, [sp], #FRAME_SIZE
- bmi .Ltail63unaligned
+ ldrlo tmp2, [sp], #FRAME_SIZE
+ blo .Ltail63unaligned
pld [src, #(4 * 64)]

#ifdef USE_NEON
@@ -633,7 +633,7 @@ ENTRY(memcpy)
neon_load_multi d0-d3, src
neon_load_multi d4-d7, src
subs count, count, #64
- bmi 2f
+ blo 2f
1:
pld [src, #(4 * 64)]
neon_store_multi d0-d3, dst
@@ -641,7 +641,7 @@ ENTRY(memcpy)
neon_store_multi d4-d7, dst
neon_load_multi d4-d7, src
subs count, count, #64
- bpl 1b
+ bhs 1b
2:
neon_store_multi d0-d3, dst
neon_store_multi d4-d7, dst
--
2.17.1

3 changes: 3 additions & 0 deletions glibc.changes
@@ -1,3 +1,6 @@
* Wed Jul 22 2020 Evgeny Eremin <e.eremin@omprussia.ru> - 2.30+git4
- Fix CVE-2020-6096. JB#49988

* Thu Feb 06 2020 Niels Breet <niels.breet@jolla.com> - 2.30+git3
- Use global RPM_OPT_FLAGS for arm builds. Contributes to JB#48210

Expand Down
6 changes: 5 additions & 1 deletion glibc.spec
Expand Up @@ -5,7 +5,7 @@
Name: glibc

Summary: GNU C library shared libraries
Version: 2.30+git3
Version: 2.30+git4
Release: 0
License: LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
URL: http://www.gnu.org/software/libc/
Expand All @@ -24,6 +24,8 @@ Patch10: eglibc-2.15-fix-neon-libdl.patch
Patch11: eglibc-2.19-shlib-make.patch
Patch12: glibc-2.27-bits.patch
Patch13: 0001-Revert-elf-Refuse-to-dlopen-PIE-objects-BZ-24323.patch
Patch14: 0002-arm-CVE-2020-6096-fix-memcpy-and-memmove-for-negativ.patch
Patch15: 0003-arm-CVE-2020-6096-Fix-multiarch-memcpy-for-negative-.patch

Provides: ldconfig
# The dynamic linker supports DT_GNU_HASH
Expand Down Expand Up @@ -223,6 +225,8 @@ cd %{glibcsrcdir}
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1

%build
GCC=gcc
Expand Down

0 comments on commit e7b403c

Please sign in to comment.