!18 Avoid ldbl-96 stack corruption from range reduction of pseudo-zero (bug 25487).
Merge pull request !18 from liqingqing/master
This commit is contained in:
openeuler-ci-bot
Gitee
commit
623f61a0a3
143
Avoid-ldbl-96-stack-corruption-from-range-reduction-.patch
Normal file
143
Avoid-ldbl-96-stack-corruption-from-range-reduction-.patch
Normal file
@ -0,0 +1,143 @@
|
||||
From 9333498794cde1d5cca518badf79533a24114b6f Mon Sep 17 00:00:00 2001
|
||||
From: Joseph Myers <joseph@codesourcery.com>
|
||||
Date: Wed, 12 Feb 2020 23:31:56 +0000
|
||||
Subject: [PATCH] Avoid ldbl-96 stack corruption from range reduction of
|
||||
pseudo-zero (bug 25487).
|
||||
|
||||
Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero
|
||||
argument (an representation where all the significand bits, including
|
||||
the explicit high bit, are zero, but the exponent is not zero, which
|
||||
is not a valid representation for the long double type).
|
||||
|
||||
Although this is not a valid long double representation, existing
|
||||
practice in this area (see bug 4586, originally marked invalid but
|
||||
subsequently fixed) is that we still seek to avoid invalid memory
|
||||
accesses as a result, in case of programs that treat arbitrary binary
|
||||
data as long double representations, although the invalid
|
||||
representations of the ldbl-96 format do not need to be consistently
|
||||
handled the same as any particular valid representation.
|
||||
|
||||
This patch makes the range reduction detect pseudo-zero and unnormal
|
||||
representations that would otherwise go to __kernel_rem_pio2, and
|
||||
returns a NaN for them instead of continuing with the range reduction
|
||||
process. (Pseudo-zero and unnormal representations whose unbiased
|
||||
exponent is less than -1 have already been safely returned from the
|
||||
function before this point without going through the rest of range
|
||||
reduction.) Pseudo-zero representations would previously result in
|
||||
the value passed to __kernel_rem_pio2 being all-zero, which is
|
||||
definitely unsafe; unnormal representations would previously result in
|
||||
a value passed whose high bit is zero, which might well be unsafe
|
||||
since that is not a form of input expected by __kernel_rem_pio2.
|
||||
|
||||
Tested for x86_64.
|
||||
|
||||
backport to openeuler.
|
||||
|
||||
---
|
||||
NEWS | 4 +++
|
||||
sysdeps/ieee754/ldbl-96/Makefile | 3 +-
|
||||
sysdeps/ieee754/ldbl-96/e_rem_pio2l.c | 12 +++++++
|
||||
sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c | 41 ++++++++++++++++++++++
|
||||
4 files changed, 59 insertions(+), 1 deletion(-)
|
||||
create mode 100644 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
|
||||
|
||||
diff --git a/NEWS b/NEWS
|
||||
index 2b681ed7..eb31aca6 100644
|
||||
--- a/NEWS
|
||||
+++ b/NEWS
|
||||
@@ -246,6 +246,10 @@ Security related changes:
|
||||
addresses for loaded libraries and thus bypass ASLR for a setuid
|
||||
program. Reported by Marcin Kościelnicki.
|
||||
|
||||
+ CVE-2020-10029: Trigonometric functions on x86 targets suffered from stack
|
||||
+ corruption when they were passed a pseudo-zero argument. Reported by Guido
|
||||
+ Vranken / ForAllSecure Mayhem.
|
||||
+
|
||||
The following bugs are resolved with this release:
|
||||
|
||||
[1190] stdio: fgetc()/fread() behaviour is not POSIX compliant
|
||||
diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile
|
||||
index 790f670e..99c596e3 100644
|
||||
--- a/sysdeps/ieee754/ldbl-96/Makefile
|
||||
+++ b/sysdeps/ieee754/ldbl-96/Makefile
|
||||
@@ -17,5 +17,6 @@
|
||||
# <http://www.gnu.org/licenses/>.
|
||||
|
||||
ifeq ($(subdir),math)
|
||||
-tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96
|
||||
+tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo
|
||||
+CFLAGS-test-sinl-pseudo.c += -fstack-protector-all
|
||||
endif
|
||||
diff --git a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
|
||||
index f67805f2..b0b899bc 100644
|
||||
--- a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
|
||||
+++ b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
|
||||
@@ -210,6 +210,18 @@ __ieee754_rem_pio2l (long double x, long double *y)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if ((i0 & 0x80000000) == 0)
|
||||
+ {
|
||||
+ /* Pseudo-zero and unnormal representations are not valid
|
||||
+ representations of long double. We need to avoid stack
|
||||
+ corruption in __kernel_rem_pio2, which expects input in a
|
||||
+ particular normal form, but those representations do not need
|
||||
+ to be consistently handled like any particular floating-point
|
||||
+ value. */
|
||||
+ y[1] = y[0] = __builtin_nanl ("");
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
/* Split the 64 bits of the mantissa into three 24-bit integers
|
||||
stored in a double array. */
|
||||
exp = j0 - 23;
|
||||
diff --git a/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
|
||||
new file mode 100644
|
||||
index 00000000..abbce861
|
||||
--- /dev/null
|
||||
+++ b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
|
||||
@@ -0,0 +1,41 @@
|
||||
+/* Test sinl for pseudo-zeros and unnormals for ldbl-96 (bug 25487).
|
||||
+ Copyright (C) 2020 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <https://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+#include <math.h>
|
||||
+#include <math_ldbl.h>
|
||||
+#include <stdint.h>
|
||||
+
|
||||
+static int
|
||||
+do_test (void)
|
||||
+{
|
||||
+ for (int i = 0; i < 64; i++)
|
||||
+ {
|
||||
+ uint64_t sig = i == 63 ? 0 : 1ULL << i;
|
||||
+ long double ld;
|
||||
+ SET_LDOUBLE_WORDS (ld, 0x4141,
|
||||
+ sig >> 32, sig & 0xffffffffULL);
|
||||
+ /* The requirement is that no stack overflow occurs when the
|
||||
+ pseudo-zero or unnormal goes through range reduction. */
|
||||
+ volatile long double ldr;
|
||||
+ ldr = sinl (ld);
|
||||
+ (void) ldr;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#include <support/test-driver.c>
|
||||
--
|
||||
2.19.1
|
||||
|
||||
@ -59,7 +59,7 @@
|
||||
##############################################################################
|
||||
Name: glibc
|
||||
Version: 2.28
|
||||
Release: 37
|
||||
Release: 38
|
||||
Summary: The GNU libc libraries
|
||||
License: %{all_license}
|
||||
URL: http://www.gnu.org/software/glibc/
|
||||
@ -75,6 +75,7 @@ Source7: LanguageList
|
||||
|
||||
Patch0: Fix-use-after-free-in-glob-when-expanding-user-bug-2.patch
|
||||
Patch1: backport-Kunpeng-patches.patch
|
||||
Patch2: Avoid-ldbl-96-stack-corruption-from-range-reduction-.patch
|
||||
|
||||
Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)
|
||||
|
||||
@ -919,6 +920,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Apr 28 2020 liqingqing<liqignqing3@huawei.com> - 2.28-38
|
||||
- Avoid ldbl-96 stack corruption from range reduction of pseudo-zero (bug 25487)
|
||||
|
||||
* Thu Apr 16 2020 wangbin<wangbin224@huawei.com> - 2.28-37
|
||||
- backport Kunpeng patches
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user