!344 [sync] PR-338: Fix __cscncmp_avx2 in strcmp-avx2.S [BZ#28755]

Merge pull request !344 from openeuler-sync-bot/sync-pr338-2003-to-openEuler-20.03-LTS-SP3
2022-01-28 07:47:44 +00:00 · 2022-01-28 07:47:44 +00:00 · 6484e0bd10
commit 6484e0bd10
parent 605efddc34 ca8dc2c744
2 changed files with 45 additions and 1 deletions
--- a/glibc.spec
+++ b/glibc.spec
@ -59,7 +59,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.28
-Release: 	87
+Release: 	88
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@ -149,6 +149,7 @@ Patch65: CVE-2022-23219-Buffer-overflow-in-sunrpc-clnt_create.patch
 Patch66: sunrpc-Test-case-for-clnt_create-unix-buffer-overflo.patch
 Patch67: CVE-2022-23218-Buffer-overflow-in-sunrpc-svcunix_cre.patch
 Patch68: getcwd-Set-errno-to-ERANGE-for-size-1-CVE-2021-3999.patch
+Patch69: x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch

 Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)

@ -1173,6 +1174,9 @@ fi
 %doc hesiod/README.hesiod

 %changelog
+* Fri Jan 28 2022 Qingqing Li <liqingqing3@huawei.com> - 2.28-88
+- Fix __cscncmp_avx2 in strcmp-avx2.S [BZ#28755]
+
 * Tue Jan 25 2022 Qingqing Li <liqingqing3@huawei.com> - 2.28-87
 - fix CVE-2021-3999

--- a/x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch
+++ b/x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch
@ -0,0 +1,40 @@
+From ddf0992cf57a93200e0c782e2a94d0733a5a0b87 Mon Sep 17 00:00:00 2001
+From: Noah Goldstein <goldstein.w.n@gmail.com>
+Date: Sun, 9 Jan 2022 16:02:21 -0600
+Subject: [PATCH] x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
+
+Fixes [BZ# 28755] for wcsncmp by redirecting length >= 2^56 to
+__wcscmp_avx2. For x86_64 this covers the entire address range so any
+length larger could not possibly be used to bound `s1` or `s2`.
+
+test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass.
+
+Signed-off-by: Noah Goldstein <goldstein.w.n@gmail.com>
+---
+ sysdeps/x86_64/multiarch/strcmp-avx2.S | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/sysdeps/x86_64/multiarch/strcmp-avx2.S b/sysdeps/x86_64/multiarch/strcmp-avx2.S
+index a45f9d2..9c73b58 100644
+--- a/sysdeps/x86_64/multiarch/strcmp-avx2.S
+++ b/sysdeps/x86_64/multiarch/strcmp-avx2.S
+@@ -87,6 +87,16 @@ ENTRY (STRCMP)
+ 	je	L(char0)
+ 	jb	L(zero)
+ #  ifdef USE_AS_WCSCMP
+#  ifndef __ILP32__
+	movq	%rdx, %rcx
+	/* Check if length could overflow when multiplied by
+	   sizeof(wchar_t). Checking top 8 bits will cover all potential
+	   overflow cases as well as redirect cases where its impossible to
+	   length to bound a valid memory region. In these cases just use
+	   'wcscmp'.  */
+	shrq	$56, %rcx
+	jnz	__wcscmp_avx2
+#  endif
+ 	/* Convert units: from wide to byte char.  */
+ 	shl	$2, %RDX_LP
+ #  endif
+-- 
+1.8.3.1
+