From: "H.J. Lu"
Date: Fri, 18 Jan 2019 12:15:16 -0800
Subject: Re: [PATCH 0/8] x86-64: Properly handle the length parameter [BZ# 24097]
To: Florian Weimer
Cc: GNU C Library
References: <20190117165351.25914-1-hjl.tools@gmail.com> <87bm4ep7df.fsf@oldenburg2.str.redhat.com> <87r2d9loy4.fsf@oldenburg2.str.redhat.com>
In-Reply-To: <87r2d9loy4.fsf@oldenburg2.str.redhat.com>

On Fri, Jan 18, 2019 at 11:56 AM Florian Weimer wrote:
>
> * H. J. Lu:
>
> > On Fri, Jan 18, 2019 at 2:50 AM Florian Weimer wrote:
> >>
> >> * H. J. Lu:
> >>
> >> > On x32, the size_t parameter may be passed in the lower 32 bits of a
> >> > 64-bit register with the non-zero upper 32 bits. The string/memory
> >> > functions written in assembly can only use the lower 32 bits of a
> >> > 64-bit register as length or must clear the upper 32 bits before using
> >> > the full 64-bit register for length.
> >> >
> >> > This patch fixes string/memory functions written in assembly for x32.
> >> > Tested on x86-64 and x32. On x86-64, libc.so is the same with and
> >> > without the fix.
> >>
> >> Can this bug result in buffer overflows? Should we obtain a CVE
> >
> > Yes, definitely.
> >
> >> identifier?
> >>
> >
> > Yes, please. Can you do that for me?
>
> Done, MITRE gave us CVE-2019-6488. Please reference this in the
> ChangeLog and the commit message if you have not done so. Please also

Done. I just regenerated and submitted the new patch set.

> add short NEWS entry in the security section. Thanks.
>

I added:

CVE-2019-6488: On x32, the size_t parameter may be passed in the lower 32 bits of a 64-bit register with the non-zero upper 32 bits. When it happens, the string/memory functions written in assembly will cause buffer overflow if the full 64-bit register is used as the 32-bit size_t value. Reported by Florian Weimer.

I will check in the new patch set tomorrow if there are no objections.

--
H.J.
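The bug class discussed in this thread, as an added example that is not glibc code or part of the original thread: it models in plain C what an x32 callee sees in a 64-bit argument register (the 32-bit size_t in the low half, unspecified bits above it) and contrasts reading the full register with the zero-extended low 32 bits. The register contents, buffer sizes and function names are constructed for the illustration; the real routines are assembly, and this builds on any x86-64 host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of how the x32 ABI hands a 32-bit size_t to a callee: the value
   occupies the low half of a 64-bit register (e.g. %rdx) and the caller
   is not obliged to clear the upper half. A register is simulated as a
   uint64_t so the effect can be shown without an x32 toolchain. */
typedef uint64_t reg64_t;

/* Length as a buggy x32 assembly routine reads it: the whole register. */
uint64_t len_from_full_reg(reg64_t rdx) { return rdx; }

/* Length as a correct x32 routine reads it: only the low 32 bits, which
   is what a zero-extending "mov %edx, %edx" leaves in the register. */
uint64_t len_from_low32(reg64_t rdx) { return (uint32_t)rdx; }

/* Bounded copy: returns bytes copied, or -1 when the requested length
   would run past dst. The real memcpy has no such check, so a length
   with garbage upper bits overruns the destination instead. */
long copy_checked(unsigned char *dst, size_t dst_size,
                  const unsigned char *src, uint64_t len)
{
    if (len > dst_size) return -1;
    memcpy(dst, src, (size_t)len);
    return (long)len;
}

/* 1 when the full-register reading overflows a dst_size-byte buffer
   while the zero-extended reading fits; 0 otherwise. */
int upper_bits_cause_overflow(reg64_t rdx, size_t dst_size)
{
    unsigned char src[64] = {0}, dst[64];
    if (dst_size > sizeof dst) dst_size = sizeof dst;  /* keep the model in bounds */
    long full = copy_checked(dst, dst_size, src, len_from_full_reg(rdx));
    long low  = copy_checked(dst, dst_size, src, len_from_low32(rdx));
    return full < 0 && low >= 0;
}

int main(void)
{
    reg64_t clean = 16;                     /* constructed: upper 32 bits zero */
    reg64_t dirty = 0xDEADBEEF00000010ULL;  /* constructed: same size_t, stale upper bits */
    printf("clean register overflows: %d\n", upper_bits_cause_overflow(clean, 64));
    printf("dirty register overflows: %d\n", upper_bits_cause_overflow(dirty, 64));
    return 0;
}
```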