From ff44334a1fca5c4461b6dcab5147e355bb115ef4 Mon Sep 17 00:00:00 2001
From: liqingqing_1229
Date: Fri, 28 Jan 2022 10:36:41 +0800
Subject: [PATCH] Fix __cscncmp_avx2 in strcmp-avx2.S [BZ#28755]

(cherry picked from commit f95f2fe02e913cbc3f9e2d102faf40ca13afc073)
---
 glibc.spec | 6 ++-
 ...sncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch | 40 +++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch

diff --git a/glibc.spec b/glibc.spec
index 1b36f7b..7ab7ec9 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -59,7 +59,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.28
-Release: 87
+Release: 88
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
@@ -149,6 +149,7 @@
 Patch65: CVE-2022-23219-Buffer-overflow-in-sunrpc-clnt_create.patch
 Patch66: sunrpc-Test-case-for-clnt_create-unix-buffer-overflo.patch
 Patch67: CVE-2022-23218-Buffer-overflow-in-sunrpc-svcunix_cre.patch
 Patch68: getcwd-Set-errno-to-ERANGE-for-size-1-CVE-2021-3999.patch
+Patch69: x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch
 
 Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)
@@ -1173,6 +1174,9 @@ fi
 %doc hesiod/README.hesiod
 
 %changelog
+* Fri Jan 28 2022 Qingqing Li - 2.28-88
+- Fix __cscncmp_avx2 in strcmp-avx2.S [BZ#28755]
+
 * Tue Jan 25 2022 Qingqing Li - 2.28-87
 - fix CVE-2021-3999
 
diff --git a/x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch b/x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch
new file mode 100644
index 0000000..7b8597b
--- /dev/null
+++ b/x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch
@@ -0,0 +1,40 @@
+From ddf0992cf57a93200e0c782e2a94d0733a5a0b87 Mon Sep 17 00:00:00 2001
+From: Noah Goldstein
+Date: Sun, 9 Jan 2022 16:02:21 -0600
+Subject: [PATCH] x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
+
+Fixes [BZ# 28755] for wcsncmp by redirecting length >= 2^56 to
+__wcscmp_avx2. For x86_64 this covers the entire address range so any
+length larger could not possibly be used to bound `s1` or `s2`.
+
+test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass.
+
+Signed-off-by: Noah Goldstein
+---
+ sysdeps/x86_64/multiarch/strcmp-avx2.S | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/sysdeps/x86_64/multiarch/strcmp-avx2.S b/sysdeps/x86_64/multiarch/strcmp-avx2.S
+index a45f9d2..9c73b58 100644
+--- a/sysdeps/x86_64/multiarch/strcmp-avx2.S
++++ b/sysdeps/x86_64/multiarch/strcmp-avx2.S
+@@ -87,6 +87,16 @@ ENTRY (STRCMP)
+ je L(char0)
+ jb L(zero)
+ # ifdef USE_AS_WCSCMP
++# ifndef __ILP32__
++ movq %rdx, %rcx
++ /* Check if length could overflow when multiplied by
++ sizeof(wchar_t). Checking top 8 bits will cover all potential
++ overflow cases as well as redirect cases where its impossible to
++ length to bound a valid memory region. In these cases just use
++ 'wcscmp'. */
++ shrq $56, %rcx
++ jnz __wcscmp_avx2
++# endif
+ /* Convert units: from wide to byte char. */
+ shl $2, %RDX_LP
+ # endif
+--
+1.8.3.1
+
-- 
Gitee
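Review bot: The comment added ahead of `shrq $56, %rcx` does not parse in its third and fourth lines ("redirect cases where its impossible to length to bound a valid memory region"), and since this file is the backport's authoritative copy of the change it is worth fixing here; I would change those two lines to `overflow cases as well as redirect cases where it is impossible for the` / `length to bound a valid memory region. In these cases just use`. The guard itself is sound for x86_64: `shl $2, %RDX_LP` can only wrap for lengths of 2^62 and above, and any length with a non-zero top byte already exceeds what could bound a mapped region, so the tail jump to `__wcscmp_avx2` (with `%rdi`/`%rsi` untouched and only the volatile `%rcx` used) is correct. Note that the whole check is compiled out under `__ILP32__`, so on x32 the shift still operates on a 32-bit count and can presumably wrap for lengths of 2^30 and above — if that is accepted as out of scope for this backport, a sentence saying so in the patch header would help the next person who audits BZ#28755 coverage. The enclosing `ENTRY (STRCMP)` body starts above and continues below the hunk.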