From patchwork Thu Apr 9 14:05:10 2020
X-Patchwork-Submitter: "zhuyan (M)"
X-Patchwork-Id: 38792
From: "zhuyan (M)"
To: "libc-alpha@sourceware.org"
Subject: [PATCH] memcpy: use bhs/bls instead of bge/blt (CVE-2020-6096) [BZ #25620]
Date: Thu, 9 Apr 2020 14:05:10 +0000

An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.

Reference URL: https://sourceware.org/bugzilla/attachment.cgi?id=12334&action=edit

Signed-off-by: Yan Zhu --- sysdeps/arm/armv7/multiarch/memcpy_impl.S | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) subs tmp2, count, #64 /* Use tmp2 for count. */ - blt .Ltail63aligned + bls .Ltail63aligned cmp tmp2, #512 - bge .Lcpy_body_long + bhs .Lcpy_body_long .Lcpy_body_medium: /* Count in tmp2. */ #ifdef USE_VFP @@ -378,7 +378,7 @@ ENTRY(memcpy) add src, src, #64 vstr d1, [dst, #56] add dst, dst, #64 - bge 1b + bhs 1b tst tmp2, #0x3f beq .Ldone @@ -412,7 +412,7 @@ ENTRY(memcpy) ldrd A_l, A_h, [src, #64]! strd A_l, A_h, [dst, #64]! subs tmp2, tmp2, #64 - bge 1b + bhs 1b tst tmp2, #0x3f bne 1f ldr tmp2,[sp], #FRAME_SIZE @@ -482,7 +482,7 @@ ENTRY(memcpy) add src, src, #32 subs tmp2, tmp2, #prefetch_lines * 64 * 2 - blt 2f + bls 2f 1: cpy_line_vfp d3, 0 cpy_line_vfp d4, 64 @@ -494,7 +494,7 @@ ENTRY(memcpy) add dst, dst, #2 * 64 add src, src, #2 * 64 subs tmp2, tmp2, #prefetch_lines * 64 - bge 1b + bhs 1b 2: cpy_tail_vfp d3, 0 -- 2.12.3 diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S index bf4ac7077f..7455bdc6c7 100644 --- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S +++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S @@ -268,7 +268,7 @@ ENTRY(memcpy) mov dst, dstin /* Preserve dstin, we need to return it. */ cmp count, #64 - bge .Lcpy_not_short + bhs .Lcpy_not_short /* Deal with small copies quickly by dropping straight into the exit block. */ @@ -351,10 +351,10 @@ ENTRY(memcpy) 1:
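Review bot: in hunk @@ -268,7 +268,7 @@ the change from `bge .Lcpy_not_short` to `bhs .Lcpy_not_short` is the core of the fix and is correct: `bge` evaluates N == V, so a count with bit 31 set (the "negative" num from the description) compares as signed less than 64 and drops into the short-copy path, while `bhs` (C set, no borrow) treats count as the unsigned size_t it is. The commit message explains the impact but not this mechanism; one sentence saying that count is unsigned and that every `bge`/`blt` on it in this file therefore becomes `bhs`/`blo` would let reviewers check each of the remaining hunks against a stated rule. The diffstat shows only the .S file changing, so a regression test for the large-count case is still missing.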
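Review bot: in hunk @@ -351,10 +351,10 @@ (its `subs tmp2, count, #64` / `bls .Ltail63aligned` lines appear at the start of the diff in this extraction), `bls` is not the unsigned counterpart of `blt`. LT is N != V and its unsigned equivalent is LO (C clear); LS is C clear OR Z set, so `bls` also branches when `count - 64` is exactly zero, a case the original `blt` fell through into `cmp tmp2, #512`. A count of exactly 64 now enters `.Ltail63aligned` with tmp2 == 0 instead of `.Lcpy_body_medium`, and a label named tail63 is the up-to-63-byte tail, so this looks like a regression for a very common size. Suggest `blo .Ltail63aligned`, which is the exact complement of the `bhs .Lcpy_body_long` chosen two lines later in the same hunk, and retitling the patch bhs/blo to match.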
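Review bot: same point for hunk @@ -482,7 +482,7 @@: after `subs tmp2, tmp2, #prefetch_lines * 64 * 2`, `bls 2f` branches to the tail when the subtraction yields exactly zero, whereas the original `blt 2f` (and the unsigned-lower `blo 2f`) did not, so the boundary case where the remaining count is an exact multiple of the prefetch block now takes a different path than before the patch. Use `blo 2f` so the loop-entry test stays the strict mirror of the `bhs 1b` loop-exit test in hunk @@ -494,7 +494,7 @@, which is the correct unsigned mapping of `bge 1b`.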
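An added illustration, not part of this patch or of glibc: a small C model of the NZCV flags ARMv7 sets on `cmp`/`subs` and of the GE/LT/HS/LO/LS conditions, evaluated on the `count, #64` comparisons this patch changes. It shows the signed `bge` rejecting a count with bit 31 set while `bhs` accepts it, and that `bls` differs from both `blt` and `blo` only at count == 64; the probe values are constructed.

```c
/* Added illustration, not glibc code: model ARMv7 NZCV flags after
   "cmp a, b" / "subs a, b" and evaluate the conditions this patch
   swaps (ge/lt are signed, hs/lo/ls are unsigned).                */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct flags { bool n, z, c, v; };

/* Flags of the 32-bit subtraction a - b, as cmp/subs set them. */
static struct flags arm_subs(uint32_t a, uint32_t b)
{
    uint32_t r = a - b;
    struct flags f;
    f.n = (r >> 31) & 1;                        /* result negative  */
    f.z = (r == 0);                             /* result zero      */
    f.c = (a >= b);                             /* no borrow        */
    f.v = (((a ^ b) & (a ^ r)) >> 31) & 1;      /* signed overflow  */
    return f;
}

static bool cond_ge(struct flags f) { return f.n == f.v; }    /* signed >=   */
static bool cond_lt(struct flags f) { return f.n != f.v; }    /* signed <    */
static bool cond_hs(struct flags f) { return f.c; }           /* unsigned >= */
static bool cond_lo(struct flags f) { return !f.c; }          /* unsigned <  */
static bool cond_ls(struct flags f) { return !f.c || f.z; }   /* unsigned <= */

/* Entry check "cmp count, #64" with the old bge and the patched bhs. */
static bool not_short_bge(uint32_t count) { return cond_ge(arm_subs(count, 64)); }
static bool not_short_bhs(uint32_t count) { return cond_hs(arm_subs(count, 64)); }

/* "subs tmp2, count, #64" followed by blt (old), bls (patch) or blo. */
static bool tail_blt(uint32_t count) { return cond_lt(arm_subs(count, 64)); }
static bool tail_bls(uint32_t count) { return cond_ls(arm_subs(count, 64)); }
static bool tail_blo(uint32_t count) { return cond_lo(arm_subs(count, 64)); }

int main(void)
{
    /* Constructed probe values: around 64 and with bit 31 set. */
    const uint32_t probes[] = { 0, 63, 64, 65, 0x7fffffffu, 0x80000000u, 0xfffffff0u };
    printf("count       bge bhs | blt bls blo\n");
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t c = probes[i];
        printf("0x%08x  %d   %d  |  %d   %d   %d\n", c, not_short_bge(c),
               not_short_bhs(c), tail_blt(c), tail_bls(c), tail_blo(c));
    }
    return 0;
}
```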