Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196)

When compiled as mempcpy, the return value is the end of the destination buffer, thus it cannot be used to refer to the start of it.
2018-05-22 10:37:59 +02:00 · 2018-05-22 10:37:59 +02:00 · 9aaaab7c6e
parent 8f145c7712
commit 9aaaab7c6e
3 changed files with 13 additions and 2 deletions
--- a/9
+++ b/9
@ -1,3 +1,12 @@
+2018-05-23  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #23196]
+	CVE-2018-11237
+	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+	(L(preloop_large)): Save initial destination pointer in %r11 and
+	use it instead of %rax after the loop.
+	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
 2018-05-22  Joseph Myers  <joseph@codesourcery.com>

 	* sysdeps/aarch64/Implies: Remove aarch64/soft-fp.
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@ -18,6 +18,7 @@
   <http://www.gnu.org/licenses/>.  */

 #define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
 #define TEST_MAIN
 #define TEST_NAME "mempcpy"
 #include "test-string.h"
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@ -336,6 +336,7 @@ L(preloop_large):
 	vmovups	(%rsi), %zmm4
 	vmovups	0x40(%rsi), %zmm5

+	mov	%rdi, %r11
 /* Align destination for access with non-temporal stores in the loop.  */
 	mov	%rdi, %r8
 	and	$-0x80, %rdi
@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
 	cmp	$256, %rdx
 	ja	L(gobble_256bytes_nt_loop)
 	sfence
-	vmovups	%zmm4, (%rax)
-	vmovups	%zmm5, 0x40(%rax)
+	vmovups	%zmm4, (%r11)
+	vmovups	%zmm5, 0x40(%r11)
 	jmp	L(check)

 L(preloop_large_bkw):