diff options
| author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-08-23 16:11:46 +0800 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-09-27 07:47:44 -0400 |
| commit | bba38f38e7e41525c30116a2fe990d113b8157da (patch) | |
| tree | 14a0d015f4b144a97c51c896e7a3135b600760a6 /poky/meta/recipes-core/glibc | |
| parent | 36b84cde8facab568630eec811e483cf1fc50848 (diff) | |
| download | talos-openbmc-bba38f38e7e41525c30116a2fe990d113b8157da.tar.gz talos-openbmc-bba38f38e7e41525c30116a2fe990d113b8157da.zip | |
poky: sumo refresh 51872d3f99..3b8dc3a88e
Update poky to sumo HEAD.
Andrej Valek (1):
wpa-supplicant: fix CVE-2018-14526
Armin Kuster (2):
xserver-xorg: config: fix NULL value detection for ID_INPUT being unset
binutils: Change the ARM assembler's ADR and ADRl pseudo-ops so that they will only set the bottom bit of imported thumb function symbols if the -mthumb-interwork option is active.
Bruce Ashfield (3):
linux-yocto/4.12: update to v4.12.28
linux-yocto/4.14: update to v4.14.62
linux-yocto/4.14: update to v4.14.67
Changqing Li (6):
libexif: patch for CVE-2017-7544
squashfs-tools: patch for CVE-2015-4645(4646)
libcroco: patch for CVE-2017-7960
libid3tag: patch for CVE-2004-2779
libice: patch for CVE-2017-2626
apr-util: fix ptest fail problem
Chen Qi (2):
util-linux: upgrade 2.32 -> 2.32.1
busybox: move init related configs to init.cfg
Jagadeesh Krishnanjanappa (2):
libarchive: CVE-2017-14501
libcgroup: CVE-2018-14348
Jon Szymaniak (1):
cve-check.bbclass: detect CVE IDs listed on multiple lines
Joshua Lock (1):
os-release: fix to install in the expected location
Khem Raj (1):
serf: Fix Sconstruct build with python 3.7
Konstantin Shemyak (1):
cve-check.bbclass: do not download the CVE DB in package-specific tasks
Mike Looijmans (1):
busybox/mdev-mount.sh: Fix partition detect and cleanup mountpoint on fail
Ross Burton (1):
lrzsz: fix CVE-2018-10195
Sinan Kaya (3):
busybox: CVE-2017-15874
libpng: CVE-2018-13785
sqlite3: CVE-2018-8740
Yadi.hu (1):
busybox: handle syslog
Yi Zhao (2):
blktrace: Security fix CVE-2018-10689
taglib: Security fix CVE-2018-11439
Zheng Ruoqin (1):
glibc: fix CVE-2018-11237
Change-Id: I2eb1fe6574638de745e4bfc106b86fe797b977c8
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/recipes-core/glibc')
| -rw-r--r-- | poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch | 82 | ||||
| -rw-r--r-- | poky/meta/recipes-core/glibc/glibc_2.27.bb | 1 |
2 files changed, 83 insertions, 0 deletions
diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch new file mode 100644 index 000000000..632aa565e --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch @@ -0,0 +1,82 @@ +From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001 +From: Andreas Schwab <schwab@suse.de> +Date: Tue, 22 May 2018 10:37:59 +0200 +Subject: [PATCH] Don't write beyond destination in + __mempcpy_avx512_no_vzeroupper (bug 23196) + +When compiled as mempcpy, the return value is the end of the destination +buffer, thus it cannot be used to refer to the start of it. + +2018-05-23 Andreas Schwab <schwab@suse.de> + + [BZ #23196] + CVE-2018-11237 + * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S + (L(preloop_large)): Save initial destination pointer in %r11 and + use it instead of %rax after the loop. + * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. + +CVE: CVE-2018-11237 +Upstream-Status: Backport +Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> +--- + ChangeLog | 9 +++++++++ + string/test-mempcpy.c | 1 + + sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++-- + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index fa0a07c..bc09dec 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,12 @@ ++2018-05-23 Andreas Schwab <schwab@suse.de> ++ ++ [BZ #23196] ++ CVE-2018-11237 ++ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S ++ (L(preloop_large)): Save initial destination pointer in %r11 and ++ use it instead of %rax after the loop. ++ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. ++ + 2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com> + + [BZ #22786] +diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c +index c08fba8..d98ecdd 100644 +--- a/string/test-mempcpy.c ++++ b/string/test-mempcpy.c +@@ -18,6 +18,7 @@ + <http://www.gnu.org/licenses/>. */ + + #define MEMCPY_RESULT(dst, len) (dst) + (len) ++#define MIN_PAGE_SIZE 131072 + #define TEST_MAIN + #define TEST_NAME "mempcpy" + #include "test-string.h" +diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +index 23c0f7a..a55cf6f 100644 +--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S ++++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +@@ -335,6 +335,7 @@ L(preloop_large): + ja L(preloop_large_bkw) + vmovups (%rsi), %zmm4 + vmovups 0x40(%rsi), %zmm5 ++ mov %rdi, %r11 + + /* Align destination for access with non-temporal stores in the loop. */ + mov %rdi, %r8 +@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop): + cmp $256, %rdx + ja L(gobble_256bytes_nt_loop) + sfence +- vmovups %zmm4, (%rax) +- vmovups %zmm5, 0x40(%rax) ++ vmovups %zmm4, (%r11) ++ vmovups %zmm5, 0x40(%r11) + jmp L(check) + + L(preloop_large_bkw): +-- +2.7.4 + diff --git a/poky/meta/recipes-core/glibc/glibc_2.27.bb b/poky/meta/recipes-core/glibc/glibc_2.27.bb index 22a9881ea..adee494c2 100644 --- a/poky/meta/recipes-core/glibc/glibc_2.27.bb +++ b/poky/meta/recipes-core/glibc/glibc_2.27.bb @@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0030-plural_c_no_preprocessor_lines.patch \ file://CVE-2017-18269.patch \ file://CVE-2018-11236.patch \ + file://CVE-2018-11237.patch \ " NATIVESDKFIXES ?= "" |
