From 43169f4d3a87c814f2faa87b4ef3f51cd091100b22f230838f7ffa1954e8b88b Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Wed, 23 May 2018 13:22:23 +0000
Subject: [PATCH] Accepting request 611652 from home:Andreas_Schwab:Factory

- mempcpy-avx512.patch: Don't write beyond destination in
  __mempcpy_avx512_no_vzeroupper (CVE-2018-11237, bsc#1094154)
- realpath-ssize-max-overflow.patch: Fix overflow in path length
  computation (CVE-2018-11236, bsc#1094161, BZ #22786)
- Use %license also for COPYING, COPYING.LIB

OBS-URL: https://build.opensuse.org/request/show/611652
OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=505
---
 glibc.changes                     |  11 ++-
 glibc.spec                        |  11 ++-
 mempcpy-avx512.patch              |  42 ++++++++++
 realpath-ssize-max-overflow.patch | 129 ++++++++++++++++++++++++++++++
 4 files changed, 190 insertions(+), 3 deletions(-)
 create mode 100644 mempcpy-avx512.patch
 create mode 100644 realpath-ssize-max-overflow.patch

diff --git a/glibc.changes b/glibc.changes
index 723c6d2..e26d1a2 100644
--- a/glibc.changes
+++ b/glibc.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed May 23 08:18:00 UTC 2018 - schwab@suse.de
+
+- mempcpy-avx512.patch: Don't write beyond destination in
+  __mempcpy_avx512_no_vzeroupper (CVE-2018-11237, bsc#1094154)
+- realpath-ssize-max-overflow.patch: Fix overflow in path length
+  computation (CVE-2018-11236, bsc#1094161, BZ #22786)
+- Use %license also for COPYING, COPYING.LIB
+
 -------------------------------------------------------------------
 Thu Apr 12 08:12:30 UTC 2018 - schwab@suse.de
 
@@ -7,7 +16,7 @@ Thu Apr 12 08:12:30 UTC 2018 - schwab@suse.de
 Thu Mar 29 09:53:52 UTC 2018 - schwab@suse.de
 
 - i386-memmove-sse2-unaligned.patch: Fix SSE2 memmove issue when crossing
-  2GB boundary (BZ #22644)
+  2GB boundary (CVE-2017-18269, bnc#1094150, BZ #22644)
 
 -------------------------------------------------------------------
 Tue Mar 27 11:30:49 UTC 2018 - schwab@suse.de
diff --git a/glibc.spec b/glibc.spec
index f145d79..6e210aa 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -302,8 +302,12 @@ Patch1008:      riscv-tls-init.patch
 Patch1009:      riscv-fmax-fmin-nan.patch
 # PATCH-FIX-UPSTREAM Fix crash in resolver on memory allocation failure (BZ #23005)
 Patch1010:      res-send-enomem.patch
-# PATCH-FIX-UPSTREAM memmove-sse2-unaligned on 32bit x86 produces garbage when crossing 2GB threshold (BZ #22644)
+# PATCH-FIX-UPSTREAM memmove-sse2-unaligned on 32bit x86 produces garbage when crossing 2GB threshold (CVE-2017-18269, BZ #22644)
 Patch1011:      i386-memmove-sse2-unaligned.patch
+# PATCH-FIX-UPSTREAM __mempcpy_avx512_no_vzeroupper mishandles large copies (CVE-2018-11237, BZ #23196)
+Patch1012:      mempcpy-avx512.patch
+# PATCH-FIX-UPSTREAM realpath-ssize-max-overflow.patch: Fix overflow in path length computation (CVE-2018-11236, BZ #22786)
+Patch1013:      realpath-ssize-max-overflow.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -525,6 +529,8 @@ mv crypt_blowfish-%crypt_bf_version/*.[chS] crypt/
 %patch1009 -p1
 %patch1010 -p1
 %patch1011 -p1
+%patch1012 -p1
+%patch1013 -p1
 
 %patch2000 -p1
 %patch2004 -p1
@@ -1252,7 +1258,8 @@ exit 0
 
 %files devel
 %defattr(-,root,root)
-%doc COPYING COPYING.LIB NEWS README
+%license COPYING COPYING.LIB
+%doc NEWS README
 %doc %{_mandir}/man1/catchsegv.1.gz
 %doc %{_mandir}/man3/*
 %{_bindir}/catchsegv
diff --git a/mempcpy-avx512.patch b/mempcpy-avx512.patch
new file mode 100644
index 0000000..0fe123c
--- /dev/null
+++ b/mempcpy-avx512.patch
@@ -0,0 +1,42 @@
+	[BZ #23196]
+	CVE-2018-11237
+	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+	(L(preloop_large)): Save initial destination pointer in %r11 and
+	use it instead of %rax after the loop.
+	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
+Index: glibc-2.27/string/test-mempcpy.c
+===================================================================
+--- glibc-2.27.orig/string/test-mempcpy.c
++++ glibc-2.27/string/test-mempcpy.c
+@@ -18,6 +18,7 @@
+    <http://www.gnu.org/licenses/>.  */
+ 
+ #define MEMCPY_RESULT(dst, len) (dst) + (len)
++#define MIN_PAGE_SIZE 131072
+ #define TEST_MAIN
+ #define TEST_NAME "mempcpy"
+ #include "test-string.h"
+Index: glibc-2.27/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+===================================================================
+--- glibc-2.27.orig/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
++++ glibc-2.27/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+@@ -336,6 +336,7 @@ L(preloop_large):
+ 	vmovups	(%rsi), %zmm4
+ 	vmovups	0x40(%rsi), %zmm5
+ 
++	mov	%rdi, %r11
+ /* Align destination for access with non-temporal stores in the loop.  */
+ 	mov	%rdi, %r8
+ 	and	$-0x80, %rdi
+@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
+ 	cmp	$256, %rdx
+ 	ja	L(gobble_256bytes_nt_loop)
+ 	sfence
+-	vmovups	%zmm4, (%rax)
+-	vmovups	%zmm5, 0x40(%rax)
++	vmovups	%zmm4, (%r11)
++	vmovups	%zmm5, 0x40(%r11)
+ 	jmp	L(check)
+ 
+ L(preloop_large_bkw):
diff --git a/realpath-ssize-max-overflow.patch b/realpath-ssize-max-overflow.patch
new file mode 100644
index 0000000..b9ddb09
--- /dev/null
+++ b/realpath-ssize-max-overflow.patch
@@ -0,0 +1,129 @@
+2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #22786]
+	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
+	computation.
+	* stdlib/Makefile (test-bz22786): New test.
+	* stdlib/test-bz22786.c: New test.
+
+Index: glibc-2.27/stdlib/Makefile
+===================================================================
+--- glibc-2.27.orig/stdlib/Makefile
++++ glibc-2.27/stdlib/Makefile
+@@ -84,7 +84,7 @@ tests		:= tst-strtol tst-strtod testmb t
+ 		   tst-cxa_atexit tst-on_exit test-atexit-race 		    \
+ 		   test-at_quick_exit-race test-cxa_atexit-race             \
+ 		   test-on_exit-race test-dlclose-exit-race 		    \
+-		   tst-makecontext-align
++		   tst-makecontext-align test-bz22786
+ 
+ tests-internal	:= tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
+ 		   tst-tls-atexit tst-tls-atexit-nodelete
+Index: glibc-2.27/stdlib/canonicalize.c
+===================================================================
+--- glibc-2.27.orig/stdlib/canonicalize.c
++++ glibc-2.27/stdlib/canonicalize.c
+@@ -181,7 +181,7 @@ __realpath (const char *name, char *reso
+ 		extra_buf = __alloca (path_max);
+ 
+ 	      len = strlen (end);
+-	      if ((long int) (n + len) >= path_max)
++	      if (path_max - n <= len)
+ 		{
+ 		  __set_errno (ENAMETOOLONG);
+ 		  goto error;
+Index: glibc-2.27/stdlib/test-bz22786.c
+===================================================================
+--- /dev/null
++++ glibc-2.27/stdlib/test-bz22786.c
+@@ -0,0 +1,90 @@
++/* Bug 22786: test for buffer overflow in realpath.
++   Copyright (C) 2018 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++/* This file must be run from within a directory called "stdlib".  */
++
++#include <errno.h>
++#include <limits.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <support/test-driver.h>
++#include <libc-diag.h>
++
++static int
++do_test (void)
++{
++  const char dir[] = "bz22786";
++  const char lnk[] = "bz22786/symlink";
++
++  rmdir (dir);
++  if (mkdir (dir, 0755) != 0 && errno != EEXIST)
++    {
++      printf ("mkdir %s: %m\n", dir);
++      return EXIT_FAILURE;
++    }
++  if (symlink (".", lnk) != 0 && errno != EEXIST)
++    {
++      printf ("symlink (%s, %s): %m\n", dir, lnk);
++      return EXIT_FAILURE;
++    }
++
++  const size_t path_len = (size_t) INT_MAX + 1;
++
++  DIAG_PUSH_NEEDS_COMMENT;
++#if __GNUC_PREREQ (7, 0)
++  /* GCC 7 warns about too-large allocations; here we need such
++     allocation to succeed for the test to work.  */
++  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
++#endif
++  char *path = malloc (path_len);
++  DIAG_POP_NEEDS_COMMENT;
++
++  if (path == NULL)
++    {
++      printf ("malloc (%zu): %m\n", path_len);
++      return EXIT_UNSUPPORTED;
++    }
++
++  /* Construct very long path = "bz22786/symlink/aaaa....."  */
++  char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
++  *(p++) = '/';
++  memset (p, 'a', path_len - (path - p) - 2);
++  p[path_len - (path - p) - 1] = '\0';
++
++  /* This call crashes before the fix for bz22786 on 32-bit platforms.  */
++  p = realpath (path, NULL);
++
++  if (p != NULL || errno != ENAMETOOLONG)
++    {
++      printf ("realpath: %s (%m)", p);
++      return EXIT_FAILURE;
++    }
++
++  /* Cleanup.  */
++  unlink (lnk);
++  rmdir (dir);
++
++  return 0;
++}
++
++#define TEST_FUNCTION do_test
++#include <support/test-driver.c>