* Re: [OE-core] [master][dunfell][PATCH] glibc: Secruity fix for CVE-2020-6096
From: Armin Kuster @ 2020-07-23 0:05 UTC (permalink / raw)
To: openembedded-core; +Cc: Armin Kuster
On 7/20/20 2:49 PM, akuster via lists.openembedded.org wrote:
> From: Armin Kuster <akuster@mvista.com>
>
> Source: glibc.org
> MR: 104799
> Type: Security Fix
> Disposition: Backport from beea361050728138b82c57dda0c4810402d342b9
> ChangeID: 29df826fb697fdd2742c3bace33388bda962c5f1
> Description:
Any issues with this?
-armin
>
> Signed-off-by: Armin Kuster <akuster@gmvista.com>
> ---
> .../glibc/glibc/CVE-2020-6096.patch | 112 ++++++++++
> .../glibc/glibc/CVE-2020-6096_2.patch | 194 ++++++++++++++++++
> meta/recipes-core/glibc/glibc_2.31.bb | 2 +
> 3 files changed, 308 insertions(+)
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch
>
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
> new file mode 100644
> index 00000000000..9c26f76432d
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
> @@ -0,0 +1,112 @@
> +From beea361050728138b82c57dda0c4810402d342b9 Mon Sep 17 00:00:00 2001
> +From: Alexander Anisimov <a.anisimov@omprussia.ru>
> +Date: Wed, 8 Jul 2020 14:18:31 +0200
> +Subject: [PATCH] arm: CVE-2020-6096: Fix multiarch memcpy for negative length
> + [BZ #25620]
> +
> +Unsigned branch instructions could be used for r2 to fix the wrong
> +behavior when a negative length is passed to memcpy.
> +This commit fixes the armv7 version.
> +
> +Upstream-Status: Backport
> +CVE: CVE-2020-6096 patch #1
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + sysdeps/arm/armv7/multiarch/memcpy_impl.S | 22 +++++++++++-----------
> + 1 file changed, 11 insertions(+), 11 deletions(-)
> +
> +diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
> +index bf4ac7077f..379bb56fc9 100644
> +--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
> ++++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
> +@@ -268,7 +268,7 @@ ENTRY(memcpy)
> +
> + mov dst, dstin /* Preserve dstin, we need to return it. */
> + cmp count, #64
> +- bge .Lcpy_not_short
> ++ bhs .Lcpy_not_short
> + /* Deal with small copies quickly by dropping straight into the
> + exit block. */
> +
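Review bot: The switch to `bhs` after `cmp count, #64` is not documented at the branch site, so nothing tells a later reader that `count` is a `size_t` and that signed conditions (`ge`/`lt`/`mi`/`pl`) must not come back. I would add a comment above the compare, e.g. `/* count is unsigned (size_t): use hs/lo here, a signed test misroutes lengths >= 0x80000000. */`. The same applies to the other branch sites this patch changes in memcpy_impl.S (`.Ltail63aligned`, `.Lcpy_body_long`, `.Ltail63unaligned` and the `1b`/`2f` loop branches). memcpy's body continues outside the hunk.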
> +@@ -351,10 +351,10 @@ ENTRY(memcpy)
> +
> + 1:
> + subs tmp2, count, #64 /* Use tmp2 for count. */
> +- blt .Ltail63aligned
> ++ blo .Ltail63aligned
> +
> + cmp tmp2, #512
> +- bge .Lcpy_body_long
> ++ bhs .Lcpy_body_long
> +
> + .Lcpy_body_medium: /* Count in tmp2. */
> + #ifdef USE_VFP
> +@@ -378,7 +378,7 @@ ENTRY(memcpy)
> + add src, src, #64
> + vstr d1, [dst, #56]
> + add dst, dst, #64
> +- bge 1b
> ++ bhs 1b
> + tst tmp2, #0x3f
> + beq .Ldone
> +
> +@@ -412,7 +412,7 @@ ENTRY(memcpy)
> + ldrd A_l, A_h, [src, #64]!
> + strd A_l, A_h, [dst, #64]!
> + subs tmp2, tmp2, #64
> +- bge 1b
> ++ bhs 1b
> + tst tmp2, #0x3f
> + bne 1f
> + ldr tmp2,[sp], #FRAME_SIZE
> +@@ -482,7 +482,7 @@ ENTRY(memcpy)
> + add src, src, #32
> +
> + subs tmp2, tmp2, #prefetch_lines * 64 * 2
> +- blt 2f
> ++ blo 2f
> + 1:
> + cpy_line_vfp d3, 0
> + cpy_line_vfp d4, 64
> +@@ -494,7 +494,7 @@ ENTRY(memcpy)
> + add dst, dst, #2 * 64
> + add src, src, #2 * 64
> + subs tmp2, tmp2, #prefetch_lines * 64
> +- bge 1b
> ++ bhs 1b
> +
> + 2:
> + cpy_tail_vfp d3, 0
> +@@ -615,8 +615,8 @@ ENTRY(memcpy)
> + 1:
> + pld [src, #(3 * 64)]
> + subs count, count, #64
> +- ldrmi tmp2, [sp], #FRAME_SIZE
> +- bmi .Ltail63unaligned
> ++ ldrlo tmp2, [sp], #FRAME_SIZE
> ++ blo .Ltail63unaligned
> + pld [src, #(4 * 64)]
> +
> + #ifdef USE_NEON
> +@@ -633,7 +633,7 @@ ENTRY(memcpy)
> + neon_load_multi d0-d3, src
> + neon_load_multi d4-d7, src
> + subs count, count, #64
> +- bmi 2f
> ++ blo 2f
> + 1:
> + pld [src, #(4 * 64)]
> + neon_store_multi d0-d3, dst
> +@@ -641,7 +641,7 @@ ENTRY(memcpy)
> + neon_store_multi d4-d7, dst
> + neon_load_multi d4-d7, src
> + subs count, count, #64
> +- bpl 1b
> ++ bhs 1b
> + 2:
> + neon_store_multi d0-d3, dst
> + neon_store_multi d4-d7, dst
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch b/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch
> new file mode 100644
> index 00000000000..905e44c8e33
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch
> @@ -0,0 +1,194 @@
> +From 79a4fa341b8a89cb03f84564fd72abaa1a2db394 Mon Sep 17 00:00:00 2001
> +From: Evgeny Eremin <e.eremin@omprussia.ru>
> +Date: Wed, 8 Jul 2020 14:18:19 +0200
> +Subject: [PATCH] arm: CVE-2020-6096: fix memcpy and memmove for negative
> + length [BZ #25620]
> +
> +Unsigned branch instructions could be used for r2 to fix the wrong
> +behavior when a negative length is passed to memcpy and memmove.
> +This commit fixes the generic arm implementation of memcpy amd memmove.
> +
> +Upstream-Status: Backport
> +CVE: CVE-2020-6096 patch #2
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + sysdeps/arm/memcpy.S | 24 ++++++++++--------------
> + sysdeps/arm/memmove.S | 24 ++++++++++--------------
> + 2 files changed, 20 insertions(+), 28 deletions(-)
> +
> +diff --git a/sysdeps/arm/memcpy.S b/sysdeps/arm/memcpy.S
> +index 510e8adaf2..bcfbc51d99 100644
> +--- a/sysdeps/arm/memcpy.S
> ++++ b/sysdeps/arm/memcpy.S
> +@@ -68,7 +68,7 @@ ENTRY(memcpy)
> + cfi_remember_state
> +
> + subs r2, r2, #4
> +- blt 8f
> ++ blo 8f
> + ands ip, r0, #3
> + PLD( pld [r1, #0] )
> + bne 9f
> +@@ -82,7 +82,7 @@ ENTRY(memcpy)
> + cfi_rel_offset (r6, 4)
> + cfi_rel_offset (r7, 8)
> + cfi_rel_offset (r8, 12)
> +- blt 5f
> ++ blo 5f
> +
> + CALGN( ands ip, r1, #31 )
> + CALGN( rsb r3, ip, #32 )
> +@@ -98,9 +98,9 @@ ENTRY(memcpy)
> + #endif
> +
> + PLD( pld [r1, #0] )
> +-2: PLD( subs r2, r2, #96 )
> ++2: PLD( cmp r2, #96 )
> + PLD( pld [r1, #28] )
> +- PLD( blt 4f )
> ++ PLD( blo 4f )
> + PLD( pld [r1, #60] )
> + PLD( pld [r1, #92] )
> +
> +@@ -108,9 +108,7 @@ ENTRY(memcpy)
> + 4: ldmia r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
> + subs r2, r2, #32
> + stmia r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
> +- bge 3b
> +- PLD( cmn r2, #96 )
> +- PLD( bge 4b )
> ++ bhs 3b
> +
> + 5: ands ip, r2, #28
> + rsb ip, ip, #32
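Review bot: Dropping `cmn r2, #96` / `bge 4b` and turning the earlier `subs r2, r2, #96` into `cmp r2, #96` means r2 no longer carries the extra -96 bias in the PLD build and every iteration now re-enters at `3:`, but no comment at the `bhs 3b` site says so. Label `3:` is outside the hunk; if it still issues a prefetch ahead of r1, the last iterations will prefetch past the end of the source, which is only a hint but is worth stating. I would add `/* r2 no longer carries the -96 PLD bias; loop while the subtract does not borrow (unsigned). */` above `bhs 3b`. The same restructuring appears in forward_copy_shift (`bhs 12b`) and in both memmove.S loops (`bhs 3b`, `bhs 12b`).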
> +@@ -222,7 +220,7 @@ ENTRY(memcpy)
> + strbge r4, [r0], #1
> + subs r2, r2, ip
> + strb lr, [r0], #1
> +- blt 8b
> ++ blo 8b
> + ands ip, r1, #3
> + beq 1b
> +
> +@@ -236,7 +234,7 @@ ENTRY(memcpy)
> + .macro forward_copy_shift pull push
> +
> + subs r2, r2, #28
> +- blt 14f
> ++ blo 14f
> +
> + CALGN( ands ip, r1, #31 )
> + CALGN( rsb ip, ip, #32 )
> +@@ -253,9 +251,9 @@ ENTRY(memcpy)
> + cfi_rel_offset (r10, 16)
> +
> + PLD( pld [r1, #0] )
> +- PLD( subs r2, r2, #96 )
> ++ PLD( cmp r2, #96 )
> + PLD( pld [r1, #28] )
> +- PLD( blt 13f )
> ++ PLD( blo 13f )
> + PLD( pld [r1, #60] )
> + PLD( pld [r1, #92] )
> +
> +@@ -280,9 +278,7 @@ ENTRY(memcpy)
> + mov ip, ip, PULL #\pull
> + orr ip, ip, lr, PUSH #\push
> + stmia r0!, {r3, r4, r5, r6, r7, r8, r10, ip}
> +- bge 12b
> +- PLD( cmn r2, #96 )
> +- PLD( bge 13b )
> ++ bhs 12b
> +
> + pop {r5 - r8, r10}
> + cfi_adjust_cfa_offset (-20)
> +diff --git a/sysdeps/arm/memmove.S b/sysdeps/arm/memmove.S
> +index 954037ef3a..0d07b76ee6 100644
> +--- a/sysdeps/arm/memmove.S
> ++++ b/sysdeps/arm/memmove.S
> +@@ -85,7 +85,7 @@ ENTRY(memmove)
> + add r1, r1, r2
> + add r0, r0, r2
> + subs r2, r2, #4
> +- blt 8f
> ++ blo 8f
> + ands ip, r0, #3
> + PLD( pld [r1, #-4] )
> + bne 9f
> +@@ -99,7 +99,7 @@ ENTRY(memmove)
> + cfi_rel_offset (r6, 4)
> + cfi_rel_offset (r7, 8)
> + cfi_rel_offset (r8, 12)
> +- blt 5f
> ++ blo 5f
> +
> + CALGN( ands ip, r1, #31 )
> + CALGN( sbcsne r4, ip, r2 ) @ C is always set here
> +@@ -114,9 +114,9 @@ ENTRY(memmove)
> + #endif
> +
> + PLD( pld [r1, #-4] )
> +-2: PLD( subs r2, r2, #96 )
> ++2: PLD( cmp r2, #96 )
> + PLD( pld [r1, #-32] )
> +- PLD( blt 4f )
> ++ PLD( blo 4f )
> + PLD( pld [r1, #-64] )
> + PLD( pld [r1, #-96] )
> +
> +@@ -124,9 +124,7 @@ ENTRY(memmove)
> + 4: ldmdb r1!, {r3, r4, r5, r6, r7, r8, ip, lr}
> + subs r2, r2, #32
> + stmdb r0!, {r3, r4, r5, r6, r7, r8, ip, lr}
> +- bge 3b
> +- PLD( cmn r2, #96 )
> +- PLD( bge 4b )
> ++ bhs 3b
> +
> + 5: ands ip, r2, #28
> + rsb ip, ip, #32
> +@@ -237,7 +235,7 @@ ENTRY(memmove)
> + strbge r4, [r0, #-1]!
> + subs r2, r2, ip
> + strb lr, [r0, #-1]!
> +- blt 8b
> ++ blo 8b
> + ands ip, r1, #3
> + beq 1b
> +
> +@@ -251,7 +249,7 @@ ENTRY(memmove)
> + .macro backward_copy_shift push pull
> +
> + subs r2, r2, #28
> +- blt 14f
> ++ blo 14f
> +
> + CALGN( ands ip, r1, #31 )
> + CALGN( rsb ip, ip, #32 )
> +@@ -268,9 +266,9 @@ ENTRY(memmove)
> + cfi_rel_offset (r10, 16)
> +
> + PLD( pld [r1, #-4] )
> +- PLD( subs r2, r2, #96 )
> ++ PLD( cmp r2, #96 )
> + PLD( pld [r1, #-32] )
> +- PLD( blt 13f )
> ++ PLD( blo 13f )
> + PLD( pld [r1, #-64] )
> + PLD( pld [r1, #-96] )
> +
> +@@ -295,9 +293,7 @@ ENTRY(memmove)
> + mov r4, r4, PUSH #\push
> + orr r4, r4, r3, PULL #\pull
> + stmdb r0!, {r4 - r8, r10, ip, lr}
> +- bge 12b
> +- PLD( cmn r2, #96 )
> +- PLD( bge 13b )
> ++ bhs 12b
> +
> + pop {r5 - r8, r10}
> + cfi_adjust_cfa_offset (-20)
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
> index 9b2cf1bdeb4..38563b1a7b7 100644
> --- a/meta/recipes-core/glibc/glibc_2.31.bb
> +++ b/meta/recipes-core/glibc/glibc_2.31.bb
> @@ -43,6 +43,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
> file://0028-inject-file-assembly-directives.patch \
> file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
> file://0030-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch \
> + file://CVE-2020-6096.patch \
> + file://CVE-2020-6096_2.patch \
> "
> S = "${WORKDIR}/git"
> B = "${WORKDIR}/build-${TARGET_SYS}"
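Review bot: The two patches added to SRC_URI here carry a bare `Upstream-Status: Backport` with no reference to the upstream commit, and the commit description names only beea361050728138b82c57dda0c4810402d342b9 while CVE-2020-6096_2.patch comes from 79a4fa341b8a89cb03f84564fd72abaa1a2db394. I would record each source in its own patch header, e.g. `Upstream-Status: Backport [<upstream commit URL>]`, so a later audit can confirm that both halves of the fix (armv7 multiarch memcpy and the generic arm memcpy/memmove) are present. The `CVE:` lines also carry trailing text (`patch #1`, `patch #2`); it may be worth confirming that the CVE checker still parses them as CVE-2020-6096.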
>
>